nextcloud/core/lostpassword/index.php

<?php
/**
 * Copyright (c) 2012 Frank Karlitschek frank@owncloud.org
 * This file is licensed under the Affero General Public License version 3 or
 * later.
 * See the COPYING-README file.
*/

$RUNTIME_NOAPPS = TRUE; //no apps
require_once '../../lib/base.php';


// Someone lost their password:
if (isset($_POST['user'])) {
	if (OC_User::userExists($_POST['user'])) {
		$token = hash("sha256", OC_Util::generate_random_bytes(30).OC_Config::getValue('passwordsalt', ''));
		OC_Preferences::setValue($_POST['user'], 'owncloud', 'lostpassword', hash("sha256", $token)); // Hash the token again to prevent timing attacks
		$email = OC_Preferences::getValue($_POST['user'], 'settings', 'email', '');
		if (!empty($email)) {
			$link = OC_Helper::linkToAbsolute('core/lostpassword', 'resetpassword.php', array('user' => $_POST['user'], 'token' => $token));
			$tmpl = new OC_Template('core/lostpassword', 'email');
			$tmpl->assign('link', $link, false);
			$msg = $tmpl->fetchPage();
			$l = OC_L10N::get('core');
			$from = 'lostpassword-noreply@' . OCP\Util::getServerHost();
			OC_MAIL::send($email, $_POST['user'], $l->t('ownCloud password reset'), $msg, $from, 'ownCloud');
			echo('sent');
		}
		OC_Template::printGuestPage('core/lostpassword', 'lostpassword', array('error' => false, 'requested' => true));
	} else {
		OC_Template::printGuestPage('core/lostpassword', 'lostpassword', array('error' => true, 'requested' => false));
	}
} else {
	OC_Template::printGuestPage('core/lostpassword', 'lostpassword', array('error' => false, 'requested' => false));
}
Move lostpassword code to own app 2011-09-26 01:33:22 +04:00			`<?php`
			`/**`
update copyright 2012-05-26 21:14:24 +04:00			`* Copyright (c) 2012 Frank Karlitschek frank@owncloud.org`
Move lostpassword code to own app 2011-09-26 01:33:22 +04:00			`* This file is licensed under the Affero General Public License version 3 or`
			`* later.`
			`* See the COPYING-README file.`
			`*/`

			`$RUNTIME_NOAPPS = TRUE; //no apps`
Update core/lostpassword/index.php respect coding style 2012-09-04 14:08:55 +04:00			`require_once '../../lib/base.php';`
Move lostpassword code to own app 2011-09-26 01:33:22 +04:00
csrf protection 2012-04-26 21:35:33 +04:00
Move lostpassword code to own app 2011-09-26 01:33:22 +04:00			`// Someone lost their password:`
			`if (isset($_POST['user'])) {`
			`if (OC_User::userExists($_POST['user'])) {`
Doublehash the token to prevent timing attacks 2012-10-14 14:12:55 +04:00			`$token = hash("sha256", OC_Util::generate_random_bytes(30).OC_Config::getValue('passwordsalt', ''));`
			`OC_Preferences::setValue($_POST['user'], 'owncloud', 'lostpassword', hash("sha256", $token)); // Hash the token again to prevent timing attacks`
Use correct appid for lostpassword email preference 2011-12-19 02:08:00 +04:00			`$email = OC_Preferences::getValue($_POST['user'], 'settings', 'email', '');`
Removed sectoken This token is completly useless since an attacker can easily extract it from the page. 2012-09-29 17:15:35 +04:00			`if (!empty($email)) {`
Do urlencoding in linkTo functions 2012-09-29 00:27:52 +04:00			`$link = OC_Helper::linkToAbsolute('core/lostpassword', 'resetpassword.php', array('user' => $_POST['user'], 'token' => $token));`
Move lostpassword to core dir 2011-10-03 22:41:52 +04:00			`$tmpl = new OC_Template('core/lostpassword', 'email');`
fix for bug #1295, don't escape password reset link 2012-07-27 17:35:36 +04:00			`$tmpl->assign('link', $link, false);`
Implement mailing of password reset link 2011-09-26 23:11:50 +04:00			`$msg = $tmpl->fetchPage();`
reuse OC_L10N objects 2012-04-14 18:44:15 +04:00			`$l = OC_L10N::get('core');`
use our own serverHost call so that ownCloud works with reverse proxy servers 2012-05-31 22:26:09 +04:00			`$from = 'lostpassword-noreply@' . OCP\Util::getServerHost();`
Update core/lostpassword/index.php respect coding style 2012-09-04 14:08:55 +04:00			`OC_MAIL::send($email, $_POST['user'], $l->t('ownCloud password reset'), $msg, $from, 'ownCloud');`
csrf protection 2012-04-26 21:35:33 +04:00			`echo('sent');`
Implement mailing of password reset link 2011-09-26 23:11:50 +04:00			`}`
Removed sectoken This token is completly useless since an attacker can easily extract it from the page. 2012-09-29 17:15:35 +04:00			`OC_Template::printGuestPage('core/lostpassword', 'lostpassword', array('error' => false, 'requested' => true));`
Move lostpassword code to own app 2011-09-26 01:33:22 +04:00			`} else {`
Removed sectoken This token is completly useless since an attacker can easily extract it from the page. 2012-09-29 17:15:35 +04:00			`OC_Template::printGuestPage('core/lostpassword', 'lostpassword', array('error' => true, 'requested' => false));`
Move lostpassword code to own app 2011-09-26 01:33:22 +04:00			`}`
			`} else {`
Removed sectoken This token is completly useless since an attacker can easily extract it from the page. 2012-09-29 17:15:35 +04:00			`OC_Template::printGuestPage('core/lostpassword', 'lostpassword', array('error' => false, 'requested' => false));`
Move lostpassword code to own app 2011-09-26 01:33:22 +04:00			`}`