author | Thomas Müller <thomas.mueller@tmit.eu> | 2015-10-22 17:32:40 +0200 |
---|---|---|
committer | Thomas Müller <thomas.mueller@tmit.eu> | 2015-10-22 17:32:40 +0200 |
commit | 4f5ff9c105360335d525ac2bf887bdd7ba4fe03a (patch) | |
tree | 7f54572f79ce47079ccb2bd8856b3ef9976c582b | |
parent | dc32bf459446bdbce327dcf7bb9e07ca0a7a2bf4 (diff) | |
download | nextcloud-server-4f5ff9c105360335d525ac2bf887bdd7ba4fe03a.tar.gz nextcloud-server-4f5ff9c105360335d525ac2bf887bdd7ba4fe03a.zip |
Ensure the password is only hashed in case it's changed on the client - fixes #19950
-rw-r--r-- | core/js/shareitemmodel.js | 11 | ||||
-rw-r--r-- | lib/private/share/share.php | 18 |
2 files changed, 20 insertions, 9 deletions
diff --git a/core/js/shareitemmodel.js b/core/js/shareitemmodel.js
index 1cf116f08f9..ae3cb0ce2e3 100644
--- a/core/js/shareitemmodel.js
+++ b/core/js/shareitemmodel.js
@@ -116,7 +116,8 @@
 // TODO: use backbone's default value mechanism once this is a separate model
 var requiredAttributes = [
- { name: 'password', defaultValue: '' },
+ { name: 'password', defaultValue: '' },
+ { name: 'passwordChanged', defaultValue: false },
 { name: 'permissions', defaultValue: OC.PERMISSION_READ },
 { name: 'expiration', defaultValue: this.configModel.getDefaultExpirationDateString() }
 ];
@@ -136,11 +137,16 @@
 }
 });
+ var password = {
+ password: attributes.password,
+ passwordChanged: attributes.passwordChanged
+ };
+
 OC.Share.share(
 itemType,
 itemSource,
 OC.Share.SHARE_TYPE_LINK,
- attributes.password,
+ password,
 attributes.permissions,
 this.fileInfoModel.get('name'),
 attributes.expiration,
@@ -208,6 +214,7 @@
 */
 setPassword: function(password) {
 this.get('linkShare').password = password;
+ this.get('linkShare').passwordChanged = true;
 },
 addShare: function(attributes, options) {
diff --git a/lib/private/share/share.php b/lib/private/share/share.php
index b015d7738b5..1b31df554cb 100644
--- a/lib/private/share/share.php
+++ b/lib/private/share/share.php
@@ -775,15 +775,19 @@ class Share extends Constants {
 $updateExistingShare = true;
 }
- // Generate hash of password - same method as user passwords
- if (is_string($shareWith) && $shareWith !== '') {
- self::verifyPassword($shareWith);
- $shareWith = \OC::$server->getHasher()->hash($shareWith);
+ // Generate hash of password if the password was changed on the client
+ if (isset($shareWith['passwordChanged']) && $shareWith['passwordChanged'] === 'true') {
+ $shareWith = $shareWith['password'];
+ if (is_string($shareWith) && $shareWith !== '') {
+ self::verifyPassword($shareWith);
+ $shareWith = \OC::$server->getHasher()->hash($shareWith);
+ }
 } else {
- // reuse the already set password, but only if we change permissions
- // otherwise the user disabled the password protection
- if ($checkExists && (int)$permissions !== (int)$oldPermissions) {
+ // reuse the existing password if it was not updated from the client
+ if ($updateExistingShare) {
 $shareWith = $checkExists['share_with'];
+ } else {
+ $shareWith = '';
 }
 }
|
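Review bot: The new `isset($shareWith['passwordChanged']) && $shareWith['passwordChanged'] === 'true'` test fails open for any caller that does not send the new array shape. A plain string password, or a boolean `true` flag from a PHP caller, lands in the `else` branch, where a new share gets `$shareWith = ''` and is created without a password and without an error. Inside the changed branch, `$shareWith['password']` is read without checking that the key exists, and a non-string value skips both `verifyPassword()` and hashing yet stays in `$shareWith`. I would normalise the input first and refuse unexpected types, so a supplied password is either hashed or rejected, never silently dropped; treating a legacy string as "changed" is an assumption to confirm against the callers. The enclosing method starts and ends outside this hunk, so the share-type guard around this code and the remaining callers could not be checked from here.

```php
// … unchanged: $updateExistingShare detection …
$passwordChanged = false;
if (is_array($shareWith)) {
    $passwordChanged = isset($shareWith['passwordChanged'])
        && ($shareWith['passwordChanged'] === true || $shareWith['passwordChanged'] === 'true');
    $shareWith = isset($shareWith['password']) ? $shareWith['password'] : '';
} elseif (is_string($shareWith) && $shareWith !== '') {
    // legacy callers pass the plain password as a string
    $passwordChanged = true;
}
if ($passwordChanged) {
    if (!is_string($shareWith)) {
        throw new \InvalidArgumentException('Share password must be a string');
    }
    if ($shareWith !== '') {
        self::verifyPassword($shareWith);
        $shareWith = \OC::$server->getHasher()->hash($shareWith);
    }
} else {
    // … unchanged: reuse the stored hash for an existing share, else '' …
}
```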