From 7a85a1596ef09024a351daaadfb82a57c3aa0410 Mon Sep 17 00:00:00 2001 From: Joas Schilling Date: Wed, 8 Feb 2023 22:59:18 +0100 Subject: [PATCH] fix(authentication): Check minimum length when creating app tokens Signed-off-by: Joas Schilling --- .../Authentication/Token/PublicKeyTokenProvider.php | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/lib/private/Authentication/Token/PublicKeyTokenProvider.php b/lib/private/Authentication/Token/PublicKeyTokenProvider.php index bbedd54f91a..978462af6a2 100644 --- a/lib/private/Authentication/Token/PublicKeyTokenProvider.php +++ b/lib/private/Authentication/Token/PublicKeyTokenProvider.php @@ -46,6 +46,8 @@ use OCP\Security\IHasher; use Psr\Log\LoggerInterface; class PublicKeyTokenProvider implements IProvider { + public const TOKEN_MIN_LENGTH = 22; + use TTransactional; /** @var PublicKeyTokenMapper */ @@ -98,6 +100,12 @@ class PublicKeyTokenProvider implements IProvider { string $name, int $type = IToken::TEMPORARY_TOKEN, int $remember = IToken::DO_NOT_REMEMBER): IToken { + if (strlen($token) < self::TOKEN_MIN_LENGTH) { + $exception = new InvalidTokenException('Token is too short, minimum of ' . self::TOKEN_MIN_LENGTH . ' characters is required, ' . strlen($token) . ' characters given'); + $this->logger->error('Invalid token provided when generating new token', ['exception' => $exception]); + throw $exception; + } + if (mb_strlen($name) > 128) { $name = mb_substr($name, 0, 120) . '…'; } 
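Review bot: The new `TOKEN_MIN_LENGTH` constant carries no doc comment, so nothing at its declaration says whether 22 counts bytes or characters, or where the number comes from; the only rationale on the page is the `session.sid_length` comment in the later hunk. I would add above it `/** Minimum token length in bytes (checked with strlen); 22 is the lower bound of PHP's session.sid_length, see the token-length comment further down this class. */`. Tying the constant to that reference at the point of declaration keeps the two from drifting apart the next time one of them is edited.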
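Review bot: The new guard measures `$token` with `strlen` while the `$name` check two lines below uses `mb_strlen`; for a random token the floor is a proxy for entropy, so byte length is the right measure, but a reader is likely to "fix" it to `mb_strlen` unless the intent is written down. I would put `// byte length on purpose: the floor stands in for entropy of a generated token, not a character count` above the `if`. The thrown `InvalidTokenException` is also new behaviour for callers of this method; if its docblock (outside the hunk) has a `@throws` list, `InvalidTokenException` belongs there. The enclosing method's signature begins before the hunk and its body continues after it.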
@@ -122,14 +130,14 @@ class PublicKeyTokenProvider implements IProvider { * @see \OCA\Preferred_Providers\Controller\PasswordController::generateAppPassword * @see \OCA\GlobalSiteSelector\TokenHandler::generateAppPassword * - * Token length: 32-256 - https://www.php.net/manual/en/session.configuration.php#ini.session.sid-length + * Token length: 22-256 - https://www.php.net/manual/en/session.configuration.php#ini.session.sid-length * @see \OC\User\Session::createSessionToken * * Token length: 29 * @see \OCA\Settings\Controller\AuthSettingsController::generateRandomDeviceToken * @see \OCA\Registration\Service\RegistrationService::generateAppPassword */ - if (strlen($tokenId) < 29) { + if (strlen($tokenId) < self::TOKEN_MIN_LENGTH) { throw new InvalidTokenException('Token is too short for a generated token, should be the password during basic auth'); } -- 2.39.5
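Review bot: Lowering this guard from 29 to `TOKEN_MIN_LENGTH` (22) means inputs of 22 to 28 bytes, which the comment above previously classed as a basic-auth password, now continue down the generated-token path; that is the intended effect for 22-byte session tokens, but the comment block records only the 22-256 and 29 sources, not this trade-off. I would add a line to that comment, `* Anything shorter than TOKEN_MIN_LENGTH is treated as a basic-auth password, not a token`, and align the message with the one added on the creation path, e.g. `throw new InvalidTokenException('Token is too short for a generated token (minimum ' . self::TOKEN_MIN_LENGTH . ' characters), should be the password during basic auth');`. What happens to those 22 to 28 byte inputs after this check is outside the hunk, so I have not verified it. The enclosing method starts and ends outside the hunk.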