summaryrefslogtreecommitdiffstats
path: root/core/lostpassword/index.php
diff options
context:
space:
mode:
Diffstat (limited to 'core/lostpassword/index.php')
-rw-r--r--core/lostpassword/index.php21
1 files changed, 7 insertions, 14 deletions
diff --git a/core/lostpassword/index.php b/core/lostpassword/index.php
index 3f58b03c982..906208dcbc4 100644
--- a/core/lostpassword/index.php
+++ b/core/lostpassword/index.php
@@ -13,11 +13,11 @@ require_once '../../lib/base.php';
// Someone lost their password:
if (isset($_POST['user'])) {
if (OC_User::userExists($_POST['user'])) {
- $token = sha1($_POST['user'].md5(uniqid(rand(), true)));
- OC_Preferences::setValue($_POST['user'], 'owncloud', 'lostpassword', $token);
+ $token = hash("sha256", OC_Util::generate_random_bytes(30).OC_Config::getValue('passwordsalt', ''));
+ OC_Preferences::setValue($_POST['user'], 'owncloud', 'lostpassword', hash("sha256", $token)); // Hash the token again to prevent timing attacks
$email = OC_Preferences::getValue($_POST['user'], 'settings', 'email', '');
- if (!empty($email) and isset($_POST['sectoken']) and isset($_SESSION['sectoken']) and ($_POST['sectoken']==$_SESSION['sectoken']) ) {
- $link = OC_Helper::linkToAbsolute('core/lostpassword', 'resetpassword.php', array('user' => urlencode($_POST['user']), 'token' => $token));
+ if (!empty($email)) {
+ $link = OC_Helper::linkToAbsolute('core/lostpassword', 'resetpassword.php', array('user' => $_POST['user'], 'token' => $token));
$tmpl = new OC_Template('core/lostpassword', 'email');
$tmpl->assign('link', $link, false);
$msg = $tmpl->fetchPage();
@@ -25,18 +25,11 @@ if (isset($_POST['user'])) {
$from = 'lostpassword-noreply@' . OCP\Util::getServerHost();
OC_MAIL::send($email, $_POST['user'], $l->t('ownCloud password reset'), $msg, $from, 'ownCloud');
echo('sent');
-
}
- $sectoken=rand(1000000, 9999999);
- $_SESSION['sectoken']=$sectoken;
- OC_Template::printGuestPage('core/lostpassword', 'lostpassword', array('error' => false, 'requested' => true, 'sectoken' => $sectoken));
+ OC_Template::printGuestPage('core/lostpassword', 'lostpassword', array('error' => false, 'requested' => true));
} else {
- $sectoken=rand(1000000, 9999999);
- $_SESSION['sectoken']=$sectoken;
- OC_Template::printGuestPage('core/lostpassword', 'lostpassword', array('error' => true, 'requested' => false, 'sectoken' => $sectoken));
+ OC_Template::printGuestPage('core/lostpassword', 'lostpassword', array('error' => true, 'requested' => false));
}
} else {
- $sectoken=rand(1000000, 9999999);
- $_SESSION['sectoken']=$sectoken;
- OC_Template::printGuestPage('core/lostpassword', 'lostpassword', array('error' => false, 'requested' => false, 'sectoken' => $sectoken));
+ OC_Template::printGuestPage('core/lostpassword', 'lostpassword', array('error' => false, 'requested' => false));
}
generated by cgit v1.2.3 (git 2.39.1) at 2025-02-04 03:35:42 +0000