diff options
author | Joas Schilling <coding@schilljs.com> | 2023-02-08 22:59:18 +0100 |
---|---|---|
committer | Joas Schilling <coding@schilljs.com> | 2023-02-09 09:58:35 +0100 |
commit | 7a85a1596ef09024a351daaadfb82a57c3aa0410 (patch) | |
tree | f607359e4685c0921280594ab57af0fec18d70d6 /lib/private/Authentication/Token/PublicKeyTokenProvider.php | |
parent | 03a585ab4fe499753d9dc03e17dd82aeaea8205e (diff) | |
download | nextcloud-server-7a85a1596ef09024a351daaadfb82a57c3aa0410.tar.gz nextcloud-server-7a85a1596ef09024a351daaadfb82a57c3aa0410.zip |
fix(authentication): Check minimum length when creating app tokens
Signed-off-by: Joas Schilling <coding@schilljs.com>
Diffstat (limited to 'lib/private/Authentication/Token/PublicKeyTokenProvider.php')
-rw-r--r-- | lib/private/Authentication/Token/PublicKeyTokenProvider.php | 12 |
1 files changed, 10 insertions, 2 deletions
diff --git a/lib/private/Authentication/Token/PublicKeyTokenProvider.php b/lib/private/Authentication/Token/PublicKeyTokenProvider.php index bbedd54f91a..978462af6a2 100644 --- a/lib/private/Authentication/Token/PublicKeyTokenProvider.php +++ b/lib/private/Authentication/Token/PublicKeyTokenProvider.php @@ -46,6 +46,8 @@ use OCP\Security\IHasher; use Psr\Log\LoggerInterface; class PublicKeyTokenProvider implements IProvider { + public const TOKEN_MIN_LENGTH = 22; + use TTransactional; /** @var PublicKeyTokenMapper */ @@ -98,6 +100,12 @@ class PublicKeyTokenProvider implements IProvider { string $name, int $type = IToken::TEMPORARY_TOKEN, int $remember = IToken::DO_NOT_REMEMBER): IToken { + if (strlen($token) < self::TOKEN_MIN_LENGTH) { + $exception = new InvalidTokenException('Token is too short, minimum of ' . self::TOKEN_MIN_LENGTH . ' characters is required, ' . strlen($token) . ' characters given'); + $this->logger->error('Invalid token provided when generating new token', ['exception' => $exception]); + throw $exception; + } + if (mb_strlen($name) > 128) { $name = mb_substr($name, 0, 120) . '…'; } @@ -122,14 +130,14 @@ class PublicKeyTokenProvider implements IProvider { * @see \OCA\Preferred_Providers\Controller\PasswordController::generateAppPassword * @see \OCA\GlobalSiteSelector\TokenHandler::generateAppPassword * - * Token length: 32-256 - https://www.php.net/manual/en/session.configuration.php#ini.session.sid-length + * Token length: 22-256 - https://www.php.net/manual/en/session.configuration.php#ini.session.sid-length * @see \OC\User\Session::createSessionToken * * Token length: 29 * @see \OCA\Settings\Controller\AuthSettingsController::generateRandomDeviceToken * @see \OCA\Registration\Service\RegistrationService::generateAppPassword */ - if (strlen($tokenId) < 29) { + if (strlen($tokenId) < self::TOKEN_MIN_LENGTH) { throw new InvalidTokenException('Token is too short for a generated token, should be the password during basic auth'); } |