Skip to content

用户修改密码接口Bug #932

New issue
New issue
Closed
Closed
用户修改密码接口Bug#932
@zhanjunfeng

Description

@zhanjunfeng
zhanjunfeng
opened on Feb 19, 2020 · edited by zhanjunfeng
版本号:

2.1.3

问题描述:

SysUserController.java里面的passwordChange用于找回用户密码,传的username和phone没有校验对应关系,也就是说我发一个验证码,就可以改所有人的密码了。
改着改着发现一个更夸张的错误,这个接口在校验了缓存里验证码为空和验证码不相等之后,啥都没做,就result里设了个值,没有return,接着直接根据username去改密码了。。。也就是说我要改任何人的密码,连验证码都不需要发,拿着用户名调这个接口就直接改了!!!!!!!!

截图&代码:

image
image

友情提示: 未按格式要求发帖,会直接删掉。

Activity

zhangdaiscott

zhangdaiscott commented on Feb 20, 2020

@zhangdaiscott
zhangdaiscott
on Feb 20, 2020
Member

非常感谢,我们已经修改,下个版本尽快发布

zhangdaiscott
closed this as completedon Feb 20, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

      Development

      No branches or pull requests

        Participants

        @zhangdaiscott@zhanjunfeng

        Issue actions
          用户修改密码接口Bug · Issue #932 · jeecgboot/JeecgBoot