Use one-way encryption for storing the token used for the "Forgotten password" feature.

SVN:2.0.3[3924]

application/loginwebpage.class.inc.php

@@ -305,7 +305,11 @@ class LoginWebPage extends NiceWebPage
 		{
 			$this->add("<p>".Dict::Format('UI:ResetPwd-Error-WrongLogin', $sAuthUser)."</p>\n");
 		}
-		elseif ($oUser->Get('reset_pwd_token') != $sToken)
+		else
+		{
+			$oEncryptedToken = $oUser->Get('reset_pwd_token');
+			
+			if (!$oEncryptedToken->CheckPassword($sToken))
 			{
 				$this->add("<p>".Dict::S('UI:ResetPwd-Error-InvalidToken')."</p>\n");
 			}
@@ -340,6 +344,7 @@ EOF
 				$this->add("</div\n");
 			}
 		}
+	}
 
 	public function DoResetPassword()
 	{
@@ -357,7 +362,10 @@ EOF
 		{
 			$this->add("<p>".Dict::Format('UI:ResetPwd-Error-WrongLogin', $sAuthUser)."</p>\n");
 		}
-		elseif ($oUser->Get('reset_pwd_token') != $sToken)
+		else
+		{
+			$oEncryptedPassword = $oUser->Get('reset_pwd_token');
+			if (!$oEncryptedPassword->CheckPassword($sToken))
 			{
 				$this->add("<p>".Dict::S('UI:ResetPwd-Error-InvalidToken')."</p>\n");
 			}
@@ -373,6 +381,7 @@ EOF
 			}
 			$this->add("</div\n");
 		}
+	}
 
 	public function DisplayChangePwdForm($bFailedLogin = false)
 	{

core/userrights.class.inc.php

@@ -371,7 +371,7 @@ abstract class UserInternal extends User
 		MetaModel::Init_InheritAttributes();
 
 		// When set, this token allows for password reset
-		MetaModel::Init_AddAttribute(new AttributeString("reset_pwd_token", array("allowed_values"=>null, "sql"=>"reset_pwd_token", "default_value"=>null, "is_null_allowed"=>true, "depends_on"=>array())));
+		MetaModel::Init_AddAttribute(new AttributeOneWayPassword("reset_pwd_token", array("allowed_values"=>null, "default_value"=>null, "is_null_allowed"=>true, "depends_on"=>array())));
 
 		// Display lists
 		MetaModel::Init_SetZListItems('details', array('contactid', 'first_name', 'email', 'login', 'language', 'profile_list', 'allowed_org_list')); // Attributes to be displayed for the complete details