[SECURITY] Respect expiration time of password reset token
When a TYPO3 backend user performs a password reset request, a
password reset link including an expiration time is sent to the
user. The expiration time is included in the HMAC calculation of
the saved password reset hash, but it is never evaluated whether the
expiration time has been exceeded.

This change adds the missing validity check for the expiration
time included in the password reset link.

Resolves: #97998
Releases: main, 11.5, 10.4
Change-Id: I8a1730faf6489e5c5eebb44ff4f82606785bd637
Security-Bulletin: TYPO3-CORE-SA-2022-008
Security-References: CVE-2022-36106
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/75717
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
derhansen authored and ohader committed Sep 13, 2022
1 parent f8b83ce commit 56af2bd
Showing 1 changed file with 5 additions and 0 deletions.
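The commit message describes a link token whose expiry is bound into an HMAC but never compared with the clock. The following is an added illustration of that failure mode and its fix, written for this page; it is not TYPO3's own code and does not reproduce TYPO3's token format. The class name `ResetTokenDemo`, the `token.expiry.mac` link layout, the in-memory `$store` standing in for the database column, the fixed `$now` values and the secret key are all assumptions made for the example.

```php
<?php
declare(strict_types=1);

// Added example, not TYPO3 code. A minimal reset-token scheme in the spirit of
// the commit message: the link carries (token, expiry) and an HMAC over
// token|identity|expiry; the server stores only a hash of the random token.
final class ResetTokenDemo
{
    private const LIFETIME_SECONDS = 3600;

    private string $hmacKey;   // assumption: server-side secret
    private array $store = []; // assumption: in-memory stand-in for the DB column

    public function __construct(string $hmacKey)
    {
        $this->hmacKey = $hmacKey;
    }

    /** Issue a link-style token for $identity that is valid for LIFETIME_SECONDS from $now. */
    public function issue(string $identity, int $now): string
    {
        $expires = $now + self::LIFETIME_SECONDS;
        $token = bin2hex(random_bytes(16));
        $mac = $this->mac($token, $identity, (string)$expires);
        // Persist a hash of the token, never the token itself.
        $this->store[$identity] = hash('sha256', $token);
        return $token . '.' . $expires . '.' . $mac; // value embedded in the reset link
    }

    /**
     * Vulnerable variant (the "before" state): the HMAC covers the expiry,
     * so the expiry cannot be tampered with, but nothing ever compares it
     * with the current time. $now is deliberately unused here.
     */
    public function findValidUserBefore(string $link, string $identity, int $now): ?string
    {
        [$token, $expires, $mac] = $this->split($link);
        if ($token === null || !$this->macOk($token, $identity, $expires, $mac)) {
            return null;
        }
        return $this->lookup($token, $identity);
    }

    /** Fixed variant: identical, plus the early return on an exceeded expiry. */
    public function findValidUserAfter(string $link, string $identity, int $now): ?string
    {
        [$token, $expires, $mac] = $this->split($link);
        if ($token === null) {
            return null;
        }
        // Early return if token expired (the check the commit adds).
        if ((int)$expires < $now) {
            return null;
        }
        if (!$this->macOk($token, $identity, $expires, $mac)) {
            return null;
        }
        return $this->lookup($token, $identity);
    }

    /** Split "token.expiry.mac"; returns [null, null, null] on malformed input. */
    private function split(string $link): array
    {
        $parts = explode('.', $link, 3);
        if (count($parts) !== 3 || !ctype_digit($parts[1])) {
            return [null, null, null];
        }
        return $parts;
    }

    private function mac(string $token, string $identity, string $expires): string
    {
        return hash_hmac('sha256', $token . '|' . $identity . '|' . $expires, $this->hmacKey);
    }

    private function macOk(string $token, string $identity, string $expires, string $mac): bool
    {
        // Constant-time comparison so the MAC cannot be guessed byte by byte.
        return hash_equals($this->mac($token, $identity, $expires), $mac);
    }

    private function lookup(string $token, string $identity): ?string
    {
        $stored = $this->store[$identity] ?? null;
        if ($stored === null || !hash_equals($stored, hash('sha256', $token))) {
            return null;
        }
        return $identity;
    }
}

// Constructed scenario: issue at $t0, redeem two hours later (one hour past expiry).
$demo = new ResetTokenDemo('constructed-demo-key');
$t0 = 1700000000;
$link = $demo->issue('admin', $t0);
var_dump($demo->findValidUserBefore($link, 'admin', $t0 + 7200));
var_dump($demo->findValidUserAfter($link, 'admin', $t0 + 7200));
// Rewriting the expiry inside the link is caught by the HMAC in both variants.
$tampered = preg_replace('/\.\d+\./', '.' . ($t0 + 99999) . '.', $link, 1);
var_dump($demo->findValidUserBefore($tampered, 'admin', $t0 + 7200));
```

Run with `php demo.php`: the "before" variant returns the user for the one-hour-stale link because the HMAC still verifies, the "after" variant returns `null`, and the link with a rewritten expiry returns `null` from both because the MAC no longer matches. The point the example makes is that an HMAC only proves the expiry was not altered; it says nothing about whether that expiry has passed, so a separate comparison with the clock is still required.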
5 changes: 5 additions & 0 deletions typo3/sysext/backend/Classes/Authentication/PasswordReset.php
@@ -278,6 +278,11 @@ public function isValidResetTokenFromRequest(ServerRequestInterface $request): b
*/
protected function findValidUserForToken(string $token, string $identity, int $expirationTimestamp): ?array
{
// Early return if token expired
if ($expirationTimestamp < time()) {
return null;
}

$user = null;
// Find the token in the database
$queryBuilder = $this->getPreparedQueryBuilder();
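Review bot: `$expirationTimestamp < time()` still accepts a token during the very second in which it expires; `<=` would be the conservative cut-off, and comparing against the request's timestamp (`$GLOBALS['EXEC_TIME']` in TYPO3) rather than calling `time()` directly would keep the check testable and consistent with the rest of the request. The early return also sits before the database lookup, so it operates on the expiry taken straight from the link before the HMAC that covers it is verified; that is safe because the check can only reject, never accept, but the PHPDoc closing on `*/` just above `findValidUserForToken()` should now say that `null` is returned for an expired token as well as for an unknown one.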
