authorLukas Reschke <lukas@statuscode.ch>2012-10-14 12:12:55 +0200
committerLukas Reschke <lukas@statuscode.ch>2012-10-14 12:15:00 +0200
commit306eb6d31933238f96de4508383e33c36a139bfa (patch)
treed743b98c2a753790e9091f16004c083130601dcc /core
parent1772f369503d5f480e2858e8196ae2be9408ad70 (diff)
downloadnextcloud-server-306eb6d31933238f96de4508383e33c36a139bfa.tar.gz
nextcloud-server-306eb6d31933238f96de4508383e33c36a139bfa.zip
Doublehash the token to prevent timing attacks
Diffstat (limited to 'core')
-rw-r--r--core/lostpassword/index.php4
-rw-r--r--core/lostpassword/resetpassword.php2
2 files changed, 3 insertions, 3 deletions
diff --git a/core/lostpassword/index.php b/core/lostpassword/index.php
index 58ac8f4acc6..20cb617854a 100644
--- a/core/lostpassword/index.php
+++ b/core/lostpassword/index.php
@@ -13,8 +13,8 @@ require_once('../../lib/base.php');
// Someone lost their password:
if (isset($_POST['user'])) {
if (OC_User::userExists($_POST['user'])) {
- $token = hash("sha256", $_POST['user'].OC_Util::generate_random_bytes(10));
- OC_Preferences::setValue($_POST['user'], 'owncloud', 'lostpassword', $token);
+ $token = hash("sha256", OC_Util::generate_random_bytes(30).OC_Config::getValue('passwordsalt', ''));
+ OC_Preferences::setValue($_POST['user'], 'owncloud', 'lostpassword', hash("sha256", $token)); // Hash the token again to prevent timing attacks
$email = OC_Preferences::getValue($_POST['user'], 'settings', 'email', '');
if (!empty($email) and isset($_POST['sectoken']) and isset($_SESSION['sectoken']) and ($_POST['sectoken']==$_SESSION['sectoken']) ) {
$link = OC_Helper::linkToAbsolute('core/lostpassword', 'resetpassword.php').'?user='.urlencode($_POST['user']).'&token='.$token;
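Review bot: The new `OC_Preferences::setValue(...)` line stores the token before the e-mail and `sectoken` checks in the following `if`, so any POST naming an existing user — including one that fails the session `sectoken` comparison or has no e-mail on file — overwrites a reset token that may already have been mailed out, invalidating that link without sending a new one; moving the two added lines inside that `if`, after the `sectoken` comparison, ties the stored token to a request that actually produces a link. The added in-line comment would be more useful if it said what the second hash buys, e.g. `// Store only hash(token): the === compare in resetpassword.php is not constant-time, so a timing leak reveals at most the stored digest, never the token in the link`. The companion change in resetpassword.php compares `hash("sha256", $_GET['token'])` against this stored value, so both sides use the same lower-case hex form from `hash()` and the change is consistent; that hunk is cut off at the end of this view. On the context line, `$_POST['sectoken']==$_SESSION['sectoken']` is a loose comparison and would be tighter as `===`.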
diff --git a/core/lostpassword/resetpassword.php b/core/lostpassword/resetpassword.php
index 1c78d720947..43d9cf6dbe8 100644
--- a/core/lostpassword/resetpassword.php
+++ b/core/lostpassword/resetpassword.php
@@ -10,7 +10,7 @@ $RUNTIME_NOAPPS = TRUE; //no apps
require_once('../../lib/base.php');
// Someone wants to reset their password:
-if(isset($_GET['token']) && isset($_GET['user']) && OC_Preferences::getValue($_GET['user'], 'owncloud', 'lostpassword') === $_GET['token']) {
+if(isset($_GET['token']) && isset($_GET['user']) && OC_Preferences::getValue($_GET['user'], 'owncloud', 'lostpassword') === hash("sha256", $_GET['token'])) {
if (isset($_POST['password'])) {
if (OC_User::setPassword($_GET['user'], $_POST['password'])) {
OC_Preferences::deleteKey($_GET['user'], 'owncloud', 'lostpassword');