This issue follows on from
Currently, when a new user registers for a Drupal account the details are sent to the user's supplied email address. This provides a basic mechanism that confirms the user is at that email address. However, once registered, users are permitted to change their email address without further confirming that the user is in fact at that email address.
- A user can change their email address to be that of an unsuspecting third party, as no confirmation of the change is required. Using a second Drupal account (with its email address also faked using the same method), the first user is then able to send anonymous malicious messages to the unsuspecting third party
- A slow method for sending spam, but exploitable nonetheless
This patch (originally by chx) averts this by having a "confirm stage" email sent before Drupal actually accepts the new email address.
drumm originally mentioned a lack of comments. Well, most of the patch adds code into existing functions. The main change is the introduction of user_change_mail(), which is a new callback. Added an appropriate comment to this function.
I'm hoping beginner will follow up this with "the not so easy bit" ;)
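The "confirm stage" described in this issue, modelled as a small added example in Python. It is not Drupal code and not part of the patch: the class, the `TOKEN_TTL` value and the address strings are assumptions chosen to illustrate the flow. It shows the pre-patch behaviour (the address is replaced immediately) beside the patched behaviour (the new address stays pending until a one-time token mailed to it is returned), and that messages keep going to the old, verified address until confirmation succeeds.

```python
"""Two-step e-mail address change with a confirmation token.

Added illustration (not Drupal code). A change request records the new
address as *pending* and produces a one-time token that would be mailed
to that address; the account's address is replaced only when the token
comes back. Until then, mail for the account still goes to the old,
previously verified address.
"""
import hashlib
import hmac
import secrets
import time

# Seconds a pending change stays valid before it must be requested again
# (assumed value for this example, not a Drupal setting).
TOKEN_TTL = 24 * 3600


class UserStore:
    def __init__(self):
        # uid -> {"mail": verified address, "pending": dict or None}
        self.users = {}

    def add_user(self, uid, mail):
        # Registration already verified this address (see the issue text).
        self.users[uid] = {"mail": mail, "pending": None}

    def change_mail_unconfirmed(self, uid, new_mail):
        """Pre-patch behaviour: the address is overwritten at once.

        Nothing proves the caller controls new_mail, so an arbitrary
        third-party address can be attached to the account.
        """
        self.users[uid]["mail"] = new_mail

    def request_mail_change(self, uid, new_mail, now=None):
        """Patched behaviour, step 1: park the new address as pending.

        Returns the token that would be sent to new_mail. Only a hash of
        the token is stored, so a leaked database row does not confirm
        the change on its own.
        """
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self.users[uid]["pending"] = {
            "mail": new_mail,
            "token_hash": hashlib.sha256(token.encode()).hexdigest(),
            "expires": now + TOKEN_TTL,
        }
        return token

    def confirm_mail_change(self, uid, token, now=None):
        """Patched behaviour, step 2: apply the change only for a valid token."""
        now = time.time() if now is None else now
        pending = self.users[uid]["pending"]
        if pending is None:
            return False
        if now > pending["expires"]:
            # Stale request: drop it rather than leave it confirmable forever.
            self.users[uid]["pending"] = None
            return False
        presented = hashlib.sha256(token.encode()).hexdigest()
        # Constant-time comparison so the check does not leak the hash.
        if not hmac.compare_digest(presented, pending["token_hash"]):
            return False
        self.users[uid]["mail"] = pending["mail"]
        self.users[uid]["pending"] = None
        return True

    def delivery_address(self, uid):
        """Where site mail for this account is sent: the verified address only."""
        return self.users[uid]["mail"]


if __name__ == "__main__":
    store = UserStore()
    store.add_user(1, "alice@example.org")
    token = store.request_mail_change(1, "alice-new@example.org")
    print("before confirmation:", store.delivery_address(1))
    print("confirmed:", store.confirm_mail_change(1, token))
    print("after confirmation:", store.delivery_address(1))
```

The token is the only thing that links the request to the mailbox, so it is generated from `secrets`, stored hashed, compared in constant time and given an expiry; a pending request also does not change where the account's mail is delivered, which is the property the spam scenario above depends on.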