From c16a9a83ba4410d969f60772c29ac48ee2116c01 Mon Sep 17 00:00:00 2001
From: Robin Appelman <icewind1991@gmail.com>
Date: Sun, 25 Sep 2011 01:06:00 +0200
Subject: [PATCH] actually check the correct password when changing the
 password

---
 settings/ajax/changepassword.php | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/settings/ajax/changepassword.php b/settings/ajax/changepassword.php
index 2a8e428fde4..98218b9f89e 100644
--- a/settings/ajax/changepassword.php
+++ b/settings/ajax/changepassword.php
@@ -8,9 +8,10 @@ header( "Content-Type: application/jsonrequest" );
 
 $username = isset($_POST["username"]) ? $_POST["username"] : OC_User::getUser();
 $password = $_POST["password"];
+$oldPassword=isset($_POST["oldpassword"])?$_POST["oldpassword"]:'';
 
 // Check if we are a user
-if( !OC_User::isLoggedIn() || (!OC_Group::inGroup( OC_User::getUser(), 'admin' ) && ($username!=OC_User::getUser() || !OC_User::checkPassword($username,$password)))) {
+if( !OC_User::isLoggedIn() || (!OC_Group::inGroup( OC_User::getUser(), 'admin' ) && ($username!=OC_User::getUser() || !OC_User::checkPassword($username,$oldPassword)))) {
 	echo json_encode( array( "status" => "error", "data" => array( "message" => "Authentication error" )));
 	exit();
 }
-- 
2.39.5