mbk-lab
/
nextcloud
2
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Doublehash the token to prevent timing attacks

This commit is contained in:
Lukas Reschke 2012-10-14 12:12:55 +02:00
parent e65ea6a8b7
commit ecef3b6b98
2 changed files with 3 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
core/lostpassword/index.php
View File

@ -13,8 +13,8 @@ require_once '../../lib/base.php';
// Someone lost their password:
if (isset($_POST['user'])) {
if (OC_User::userExists($_POST['user'])) {
$token = hash("sha256", $_POST['user'].OC_Util::generate_random_bytes(10));
OC_Preferences::setValue($_POST['user'], 'owncloud', 'lostpassword', $token);
$token = hash("sha256", OC_Util::generate_random_bytes(30).OC_Config::getValue('passwordsalt', ''));
OC_Preferences::setValue($_POST['user'], 'owncloud', 'lostpassword', hash("sha256", $token)); // Hash the token again to prevent timing attacks
$email = OC_Preferences::getValue($_POST['user'], 'settings', 'email', '');
if (!empty($email)) {
$link = OC_Helper::linkToAbsolute('core/lostpassword', 'resetpassword.php', array('user' => $_POST['user'], 'token' => $token));

2
core/lostpassword/resetpassword.php
View File

@ -10,7 +10,7 @@ $RUNTIME_NOAPPS = TRUE; //no apps
require_once '../../lib/base.php';
// Someone wants to reset their password:
if(isset($_GET['token']) && isset($_GET['user']) && OC_Preferences::getValue($_GET['user'], 'owncloud', 'lostpassword') === $_GET['token']) {
if(isset($_GET['token']) && isset($_GET['user']) && OC_Preferences::getValue($_GET['user'], 'owncloud', 'lostpassword') === hash("sha256", $_GET['token'])) {
if (isset($_POST['password'])) {
if (OC_User::setPassword($_GET['user'], $_POST['password'])) {
OC_Preferences::deleteKey($_GET['user'], 'owncloud', 'lostpassword');