SECURITY: don't allow re-using the current password during password reset

config/locales/server.en.yml

@@ -340,6 +340,7 @@ en:
               common: "is one of the 10000 most common passwords. Please use a more secure password."
               same_as_username: "is the same as your username. Please use a more secure password."
               same_as_email: "is the same as your email. Please use a more secure password."
+              same_as_current: "is the same as your current password."
             ip_address:
               signup_not_allowed: "Signup is not allowed from this account."
         color_scheme_color:

lib/validators/password_validator.rb

@@ -14,6 +14,8 @@ class PasswordValidator < ActiveModel::EachValidator
       record.errors.add(attribute, :same_as_username)
     elsif record.email.present? && value == record.email
       record.errors.add(attribute, :same_as_email)
+    elsif record.confirm_password?(value)
+      record.errors.add(attribute, :same_as_current)
     elsif SiteSetting.block_common_passwords && CommonPasswords.common_password?(value)
       record.errors.add(attribute, :common)
     end

spec/components/validators/password_validator_spec.rb

@@ -96,6 +96,15 @@ describe PasswordValidator do
       validate
       expect(record.errors[:password]).to be_present
     end
+
+    it "adds an error when new password is same as current password" do
+      @password = "mypetsname"
+      record.save!
+      record.reload
+      record.password = @password
+      validate
+      expect(record.errors[:password]).to be_present
+    end
   end
 
   context "password not required" do