authorLukas Reschke <lukas@statuscode.ch>2012-10-14 14:12:55 +0400
committerLukas Reschke <lukas@statuscode.ch>2012-10-14 14:13:02 +0400
commit99cd922b82ca7684967ec3533fcdd5af32c0edc7 (patch)
tree0c55c86336773d6200e72a49d4ecf00c256c33fb /core
parentc88cf5cae558c598714ca88f5e8fe917c0411d31 (diff)
Doublehash the token to prevent timing attacks
Diffstat (limited to 'core')
-rw-r--r--core/lostpassword/index.php4
-rw-r--r--core/lostpassword/resetpassword.php2
2 files changed, 3 insertions, 3 deletions
diff --git a/core/lostpassword/index.php b/core/lostpassword/index.php
index 4cd8b9079fd..906208dcbc4 100644
--- a/core/lostpassword/index.php
+++ b/core/lostpassword/index.php
@@ -13,8 +13,8 @@ require_once '../../lib/base.php';
// Someone lost their password:
if (isset($_POST['user'])) {
if (OC_User::userExists($_POST['user'])) {
- $token = hash("sha256", $_POST['user'].OC_Util::generate_random_bytes(10));
- OC_Preferences::setValue($_POST['user'], 'owncloud', 'lostpassword', $token);
+ $token = hash("sha256", OC_Util::generate_random_bytes(30).OC_Config::getValue('passwordsalt', ''));
+ OC_Preferences::setValue($_POST['user'], 'owncloud', 'lostpassword', hash("sha256", $token)); // Hash the token again to prevent timing attacks
$email = OC_Preferences::getValue($_POST['user'], 'settings', 'email', '');
if (!empty($email)) {
$link = OC_Helper::linkToAbsolute('core/lostpassword', 'resetpassword.php', array('user' => $_POST['user'], 'token' => $token));
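Review bot: The hashed token written on the `OC_Preferences::setValue` line carries no creation time, so once stored it stays usable until the key is deleted after a successful reset; the commit fixes the comparison but leaves the token lifetime unbounded. A second preference set alongside it (for example `OC_Preferences::setValue($_POST['user'], 'owncloud', 'lostpassword_time', time());`) would let resetpassword.php reject links older than a chosen window — the visible resetpassword.php hunk checks only the hash, though its remainder is outside this view. On the `$token = hash(...)` line, appending `passwordsalt` to 30 fresh random bytes adds no entropy; it is harmless but the inline comment could say the randomness alone is what makes the token unguessable. The enclosing `if (OC_User::userExists(...))` block continues past the end of the hunk.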
diff --git a/core/lostpassword/resetpassword.php b/core/lostpassword/resetpassword.php
index 28a0063fc64..896c8da76e0 100644
--- a/core/lostpassword/resetpassword.php
+++ b/core/lostpassword/resetpassword.php
@@ -10,7 +10,7 @@ $RUNTIME_NOAPPS = TRUE; //no apps
require_once '../../lib/base.php';
// Someone wants to reset their password:
-if(isset($_GET['token']) && isset($_GET['user']) && OC_Preferences::getValue($_GET['user'], 'owncloud', 'lostpassword') === $_GET['token']) {
+if(isset($_GET['token']) && isset($_GET['user']) && OC_Preferences::getValue($_GET['user'], 'owncloud', 'lostpassword') === hash("sha256", $_GET['token'])) {
if (isset($_POST['password'])) {
if (OC_User::setPassword($_GET['user'], $_POST['password'])) {
OC_Preferences::deleteKey($_GET['user'], 'owncloud', 'lostpassword');