]> source.dussan.org Git - nextcloud-server.git/commitdiff
projects / nextcloud-server.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: c88cf5c)
Doublehash the token to prevent timing attacks
authorLukas Reschke <lukas@statuscode.ch>
Sun, 14 Oct 2012 10:12:55 +0000 (12:12 +0200)
committerLukas Reschke <lukas@statuscode.ch>
Sun, 14 Oct 2012 10:13:02 +0000 (12:13 +0200)
core/lostpassword/index.php patch | blob | history
core/lostpassword/resetpassword.php patch | blob | history

diff --git a/core/lostpassword/index.php b/core/lostpassword/index.php
index 4cd8b9079fd4c419e89e46c13d9b60fa61f94437..906208dcbc4b52e3d79796111ac5934336760f94 100644 (file)
--- a/core/lostpassword/index.php
+++ b/core/lostpassword/index.php
@@ -13,8 +13,8 @@ require_once '../../lib/base.php';
 // Someone lost their password:
 if (isset($_POST['user'])) {
        if (OC_User::userExists($_POST['user'])) {
-               $token = hash("sha256", $_POST['user'].OC_Util::generate_random_bytes(10));
-               OC_Preferences::setValue($_POST['user'], 'owncloud', 'lostpassword', $token);
+               $token = hash("sha256", OC_Util::generate_random_bytes(30).OC_Config::getValue('passwordsalt', ''));
+               OC_Preferences::setValue($_POST['user'], 'owncloud', 'lostpassword', hash("sha256", $token)); // Hash the token again to prevent timing attacks
                $email = OC_Preferences::getValue($_POST['user'], 'settings', 'email', '');
                if (!empty($email)) {
                        $link = OC_Helper::linkToAbsolute('core/lostpassword', 'resetpassword.php', array('user' => $_POST['user'], 'token' => $token));
diff --git a/core/lostpassword/resetpassword.php b/core/lostpassword/resetpassword.php
index 28a0063fc647c5d7b7bf21076fa921173bcbf05d..896c8da76e091a30cb6d03da853972217bc91692 100644 (file)
--- a/core/lostpassword/resetpassword.php
+++ b/core/lostpassword/resetpassword.php
@@ -10,7 +10,7 @@ $RUNTIME_NOAPPS = TRUE; //no apps
 require_once '../../lib/base.php';
 
 // Someone wants to reset their password:
-if(isset($_GET['token']) && isset($_GET['user']) && OC_Preferences::getValue($_GET['user'], 'owncloud', 'lostpassword') === $_GET['token']) {
+if(isset($_GET['token']) && isset($_GET['user']) && OC_Preferences::getValue($_GET['user'], 'owncloud', 'lostpassword') === hash("sha256", $_GET['token'])) {
        if (isset($_POST['password'])) {
                if (OC_User::setPassword($_GET['user'], $_POST['password'])) {
                        OC_Preferences::deleteKey($_GET['user'], 'owncloud', 'lostpassword');
Nextcloud server, a safe home for all your data: https://github.com/nextcloud/server