
Invalidate the user sessions if a password changes (see CVE-2019-10641)

leofeyer committed Apr 9, 2019
1 parent e4f0bad commit 119a1b5bd9e62d27ca2838727084d04f3b7fcd32
@@ -1,6 +1,13 @@
Contao Open Source CMS changelog
================================

Version 3.5.39 (2019-04-XX)
---------------------------

### Fixed
Invalidate the user sessions if a password changes (see CVE-2019-10641).


Version 3.5.38 (2018-12-21)
---------------------------

@@ -608,6 +608,10 @@ public function setNewPassword($strPassword, $user)
}
}
// Invalidate the user sessions if the password changes
$this->Database->prepare("DELETE FROM tl_session WHERE name='FE_USER_AUTH' AND pid=? AND sessionID!=?")
->execute($user->id, session_id());
return $strPassword;
}
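Review bot: The same DELETE against tl_session is repeated verbatim in this hunk and in the three later ones (the tl_user save_callback, the change-password module and the lost-password module), differing only in the session name and the id expression, so a future change to the invalidation rule has to be made in four places; a single helper taking the session name and the user id, called from all four sites, would keep them in step. `session_id()` returns an empty string when no session has been started, in which case `sessionID!=?` excludes nothing and every session of the user is removed — the safe direction, but worth stating at the call site, e.g. `// session_id() may be '' (no session started); then all sessions of the user are removed`. If the installation also issues persistent autologin tokens alongside the tl_session rows, this statement does not touch them and they would outlive the password change; the hunk does not show whether such tokens exist, so this should be confirmed. The enclosing setNewPassword() starts before this hunk.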
@@ -242,6 +242,10 @@
'exclude' => true,
'inputType' => 'password',
'eval' => array('mandatory'=>true, 'preserveTags'=>true, 'minlength'=>Config::get('minPasswordLength')),
'save_callback' => array
(
array('tl_user', 'invalidateSessions')
),
'sql' => "varchar(128) NOT NULL default ''"
),
'pwChange' => array
@@ -732,6 +736,26 @@ public function checkAdminStatus($varValue, DataContainer $dc)
}
/**
* Invalidate the user sessions if the password changes
*
* The password widget only triggers the save_callback if the password has actually
* changed, therefore we do not need to check the active record here.
*
* @param mixed $varValue
* @param DataContainer $dc
*
* @return mixed
*/
public function invalidateSessions($varValue, DataContainer $dc)
{
$this->Database->prepare("DELETE FROM tl_session WHERE name='BE_USER_AUTH' AND pid=? AND sessionID!=?")
->execute($dc->id, session_id());
return $varValue;
}
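Review bot: The docblock relies on the password widget firing save_callback only when the value actually changed, but does not say what happens if that precondition is violated by another save path; since an extra invocation merely removes the user's other backend sessions once more, the comment could state that the callback is safe to run unconditionally, e.g. `* Running the callback on an unchanged password only costs a redundant invalidation, so no active-record check is needed.` The same reasoning would also fit the inline comments in the change-password and lost-password hunks below.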
/**
* Prevent administrators from disabling their own account
*
@@ -186,6 +186,10 @@ protected function compile()
}
}
// Invalidate the user sessions if the password changes
$this->Database->prepare("DELETE FROM tl_session WHERE name='FE_USER_AUTH' AND pid=? AND sessionID!=?")
->execute($objMember->id, session_id());
// Check whether there is a jumpTo page
if (($objJumpTo = $this->objModel->getRelated('jumpTo')) !== null)
{
@@ -254,6 +254,10 @@ protected function setNewPassword()
}
}
// Invalidate the user sessions if the password changes
$this->Database->prepare("DELETE FROM tl_session WHERE name='FE_USER_AUTH' AND pid=? AND sessionID!=?")
->execute($objMember->id, session_id());
// Redirect to the jumpTo page
if (($objTarget = $this->objModel->getRelated('reg_jumpTo')) !== null)
{
