From f459a35cf4fe475d505e2eebbc10428adbab959e Mon Sep 17 00:00:00 2001
From: Lynn Stephenson <63118982+lynn-stephenson@users.noreply.github.com>
Date: Sat, 4 Apr 2020 08:06:49 +0000
Subject: [PATCH 1/2] Update lostpass.php

use CSPRNG for password reset token generation
---
 mod/lostpass.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/mod/lostpass.php b/mod/lostpass.php
index 2ce396e36..8a1a9f36e 100644
--- a/mod/lostpass.php
+++ b/mod/lostpass.php
@@ -41,7 +41,7 @@ function lostpass_post(App $a)
 DI::baseUrl()->redirect();
 }
- $pwdreset_token = Strings::getRandomName(12) . random_int(1000, 9999);
+ $pwdreset_token = Strings::getRandomHex(32);
 $fields = [
 'pwdreset' => $pwdreset_token,

From 6cbcea1aac202e53cef2c8755f076ce97f01a56f Mon Sep 17 00:00:00 2001
From: Lynn Stephenson <63118982+lynn-stephenson@users.noreply.github.com>
Date: Sat, 4 Apr 2020 08:10:39 +0000
Subject: [PATCH 2/2] Update lostpass.php

reduce info leakage on password reset tokens
---
 mod/lostpass.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/mod/lostpass.php b/mod/lostpass.php
index 8a1a9f36e..211477b0d 100644
--- a/mod/lostpass.php
+++ b/mod/lostpass.php
@@ -44,7 +44,7 @@ function lostpass_post(App $a)
 $pwdreset_token = Strings::getRandomHex(32);
 $fields = [
- 'pwdreset' => $pwdreset_token,
+ 'pwdreset' => hash('sha256', $pwdreset_token),
 'pwdreset_time' => DateTimeFormat::utcNow()
 ];
 $result = DBA::update('user', $fields, ['uid' => $user['uid']]);
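Review bot: The new `$pwdreset_token = Strings::getRandomHex(32);` line only delivers the CSPRNG the commit message promises if `Strings::getRandomHex()` is itself backed by `random_bytes()`, which this hunk cannot show; please confirm that and record the guarantee at the call site, e.g. `// reset token: getRandomHex() must draw from random_bytes(); 32 hex chars = 128 bits`. The unit of the argument is also not visible here — if it is a hex-character count, 32 characters give 128 bits of entropy, which is adequate for a single-use, time-limited token, but if it is a byte count the token is 64 characters long and the comment should say so. The body of lostpass_post continues outside the hunk.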
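Review bot: Persisting `hash('sha256', $pwdreset_token)` in `pwdreset` is the right move, but the hunk records no reason for it and the identical expression has to be reproduced in lostpass_content for the lookup to match, so a one-line helper used by both sides keeps them from drifting: `function lostpass_hash_token(string $token): string { return hash('sha256', $token); }` and `'pwdreset' => lostpass_hash_token($pwdreset_token),`. Add a why-comment above `$fields`, e.g. `// only the SHA-256 of the token is stored, so a DB read or dump cannot be replayed as a reset link; the cleartext leaves the server once (presumably in the reset email, which is outside this hunk)`. An unkeyed hash is sufficient here only because the token itself is high-entropy; if `getRandomHex(32)` were ever shortened, an HMAC under a server-side key would be needed instead, which is worth noting in the same comment. Enforcing the `pwdreset_time` expiry and clearing `pwdreset` after a successful reset are not in this hunk and should be checked separately.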
@@ -95,7 +95,7 @@ function lostpass_content(App $a)
 if ($a->argc > 1) {
 $pwdreset_token = $a->argv[1];
- $user = DBA::selectFirst('user', ['uid', 'username', 'nickname', 'email', 'pwdreset_time', 'language'], ['pwdreset' => $pwdreset_token]);
+ $user = DBA::selectFirst('user', ['uid', 'username', 'nickname', 'email', 'pwdreset_time', 'language'], ['pwdreset' => hash('sha256', $pwdreset_token)]);
 if (!DBA::isResult($user)) {
 notice(DI::l10n()->t("Request could not be verified. \x28You may have previously submitted it.\x29 Password reset failed."));