From 63b6b95f71119a67ff9d6f9e5706e16bf2bad94b Mon Sep 17 00:00:00 2001
From: Denis Flaven
Date: Fri, 19 Feb 2016 18:17:11 +0000
Subject: [PATCH] Use one-way encryption for storing the token used for the "Forgotten password" feature. SVN:trunk[3920]
---
 application/loginwebpage.class.inc.php | 73 +++++++++++++++-----------
 core/userrights.class.inc.php | 2 +-
 2 files changed, 42 insertions(+), 33 deletions(-)

diff --git a/application/loginwebpage.class.inc.php b/application/loginwebpage.class.inc.php
index 0e4819982..ed739e7ff 100644
--- a/application/loginwebpage.class.inc.php
+++ b/application/loginwebpage.class.inc.php
@@ -306,16 +306,20 @@ class LoginWebPage extends NiceWebPage { $this->add("

".Dict::Format('UI:ResetPwd-Error-WrongLogin', $sAuthUser)."

\n"); } - elseif ($oUser->Get('reset_pwd_token') != $sToken) - { - $this->add("

".Dict::S('UI:ResetPwd-Error-InvalidToken')."

\n"); - } else { - $this->add("

".Dict::Format('UI:ResetPwd-Error-EnterPassword', $oUser->GetFriendlyName())."

\n"); - - $sInconsistenPwdMsg = Dict::S('UI:Login:RetypePwdDoesNotMatch'); - $this->add_script( + $oEncryptedToken = $oUser->Get('reset_pwd_token'); + + if (!$oEncryptedToken->CheckPassword($sToken)) + { + $this->add("

".Dict::S('UI:ResetPwd-Error-InvalidToken')."

\n"); + } + else + { + $this->add("

".Dict::Format('UI:ResetPwd-Error-EnterPassword', $oUser->GetFriendlyName())."

\n"); + + $sInconsistenPwdMsg = Dict::S('UI:Login:RetypePwdDoesNotMatch'); + $this->add_script( <<add("
\n"); - $this->add("\n"); - $this->add("\n"); - $this->add("\n"); - $this->add("\n"); - $this->add("
\n"); - $this->add("\n"); - $this->add("\n"); - $this->add("\n"); - $this->add("
\n"); - $this->add("add("
\n"); + $this->add("\n"); + $this->add("\n"); + $this->add("\n"); + $this->add("\n"); + $this->add("
\n"); + $this->add("\n"); + $this->add("\n"); + $this->add("\n"); + $this->add("
\n"); + $this->add("add("

".Dict::Format('UI:ResetPwd-Error-WrongLogin', $sAuthUser)."

\n"); } - elseif ($oUser->Get('reset_pwd_token') != $sToken) - { - $this->add("

".Dict::S('UI:ResetPwd-Error-InvalidToken')."

\n"); - } else { - // Trash the token and change the password - $oUser->Set('reset_pwd_token', ''); - $oUser->SetPassword($sNewPwd); // Does record the change into the DB - - $this->add("

".Dict::S('UI:ResetPwd-Ready')."

"); - $sUrl = utils::GetAbsoluteUrlAppRoot(); - $this->add("

".Dict::S('UI:ResetPwd-Login')."

"); + $oEncryptedPassword = $oUser->Get('reset_pwd_token'); + if (!$oEncryptedPassword->CheckPassword($sToken)) + { + $this->add("

".Dict::S('UI:ResetPwd-Error-InvalidToken')."

\n"); + } + else + { + // Trash the token and change the password + $oUser->Set('reset_pwd_token', ''); + $oUser->SetPassword($sNewPwd); // Does record the change into the DB + + $this->add("

".Dict::S('UI:ResetPwd-Ready')."

"); + $sUrl = utils::GetAbsoluteUrlAppRoot(); + $this->add("

".Dict::S('UI:ResetPwd-Login')."

"); + } + $this->add("add("null, "sql"=>"reset_pwd_token", "default_value"=>null, "is_null_allowed"=>true, "depends_on"=>array()))); + MetaModel::Init_AddAttribute(new AttributeOneWayPassword("reset_pwd_token", array("allowed_values"=>null, "default_value"=>null, "is_null_allowed"=>true, "depends_on"=>array()))); // Display lists MetaModel::Init_SetZListItems('details', array('contactid', 'first_name', 'email', 'login', 'language', 'profile_list', 'allowed_org_list')); // Attributes to be displayed for the complete details
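Review bot: The new `$oEncryptedPassword->CheckPassword($sToken)` check (and the earlier `$oEncryptedToken->CheckPassword($sToken)` on the GET side) is called on whatever `$oUser->Get('reset_pwd_token')` returns without checking it is an object, yet the attribute is declared `"is_null_allowed"=>true, "default_value"=>null` in the userrights hunk and the success branch clears it with `$oUser->Set('reset_pwd_token', '')`, so a user who never requested a reset, or whose token was already consumed, can reach a method call on null or an empty stored value. Guard the value and refuse an empty submitted token before verifying, since how an empty stored hash verifies against `''` is not shown by this patch: `if ($sToken === '' || !is_object($oEncryptedPassword) || !$oEncryptedPassword->CheckPassword($sToken))`, and the same shape in the GET-side branch. Nothing in these hunks bounds the token's lifetime; if no expiry exists elsewhere, a creation timestamp stored with the hash and checked here would keep a leaked reset link from staying valid indefinitely. Hashing the stored token does not by itself make the comparison constant-time — if `CheckPassword` compares digests with `==`, it should use `hash_equals`. The enclosing method begins before this hunk and its tail is truncated in the extraction.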
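Review bot: Changing `reset_pwd_token` from `AttributeString` to `AttributeOneWayPassword` only covers storage and verification; the code that generates and emails the token is not in this patch, so it should be confirmed that the plaintext token comes from a CSPRNG, is written through `Set()` so the hash is what lands in the DB, and is never logged. Rows already holding plaintext tokens will simply fail verification after upgrade, which is acceptable but worth a line in the release notes. The explicit `"sql"=>"reset_pwd_token"` mapping was dropped from the new definition; presumably the one-way-password attribute manages its own column(s), which implies a schema change on upgrade — confirm the setup step handles it. A short comment on the attribute would help the next maintainer, e.g. `// One-way hashed: the reset token is only ever verified via CheckPassword() in LoginWebPage, never read back`.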