
Reset-password does not save a plaintext password.

kohler committed Jul 23, 2019
1 parent e5ecf55 commit a599bf95c02b2410bf943beeb5b15af4d7b7ca04
Showing with 9 additions and 19 deletions.
  1. +2 −5 resetpassword.php
  2. +7 −14 src/contact.php
@@ -32,17 +32,14 @@
if (isset($Qreq->go) && $Qreq->post_ok()) {
$Qreq->password = trim((string) $Qreq->password);
$Qreq->password2 = trim((string) $Qreq->password2);
if ($Qreq->password == "") {
if ($Qreq->password === "") {
Conf::msg_error("You must enter a password.");
} else if (!Contact::valid_password($Qreq->password)) {
Conf::msg_error("Invalid password.");
} else if ($Qreq->password !== $Qreq->password2) {
Conf::msg_error("The two passwords you entered did not match.");
} else {
$flags = 0;
if ($Qreq->password === $Qreq->autopassword)
$flags |= Contact::CHANGE_PASSWORD_PLAINTEXT;
$Acct->change_password($Qreq->password, $flags);
$Acct->change_password($Qreq->password, 0);
if (!$iscdb || !($log_acct = $Conf->user_by_email($Acct->email)))
$log_acct = $Acct;
$log_acct->log_activity("Password reset via " . substr($resetcap, 0, 8) . "...");
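Review bot: The bare `0` passed as `$flags` on the new `$Acct->change_password($Qreq->password, 0);` line carries the whole point of this commit but says nothing about it, so a later maintainer reading only this file could reintroduce a special case for the suggested password. A short why-comment on that line would pin the intent, e.g. `// Always store a hash: a password equal to the form's suggested $Qreq->autopassword gets no special treatment.` Since `$Qreq->autopassword` is presumably still emitted by the form, that comment is also the only remaining hint in this file as to why the field exists. The enclosing `if (isset($Qreq->go) && $Qreq->post_ok())` block continues past the end of the hunk.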
@@ -1419,8 +1419,7 @@ function check_password($input, $info = null) {
return $cdbok || $localok;
}
const CHANGE_PASSWORD_PLAINTEXT = 1;
const CHANGE_PASSWORD_ENABLE = 2;
const CHANGE_PASSWORD_ENABLE = 1;
function change_password($new, $flags) {
global $Now;
assert(!$this->conf->external_login());
@@ -1432,28 +1431,22 @@ function change_password($new, $flags) {
|| ($cdbu && (string) $cdbu->password !== "")))
return false;
if ($new === null) {
$plaintext = $new === null;
if ($plaintext) {
$new = self::random_password();
$flags |= self::CHANGE_PASSWORD_PLAINTEXT;
$use_time = 0;
}
assert(self::valid_password($new));
$hash = $new;
if ($hash && !$plaintext && $this->check_password_encryption("", !!$cdbu))
$hash = $this->hash_password($hash);
if ($cdbu) {
$hash = $new;
if ($hash
&& !($flags & self::CHANGE_PASSWORD_PLAINTEXT)
&& $this->check_password_encryption("", true))
$hash = $this->hash_password($hash);
$cdbu->apply_updater(["passwordUseTime" => $use_time, "password" => $hash, "passwordTime" => $Now], true);
if ($this->contactId && $this->password)
$this->apply_updater(["passwordUseTime" => $use_time, "password" => "", "passwordTime" => $Now], false);
} else if ($this->contactId) {
$hash = $new;
if ($hash
&& !($flags & self::CHANGE_PASSWORD_PLAINTEXT)
&& $this->check_password_encryption("", false))
$hash = $this->hash_password($hash);
$this->apply_updater(["passwordUseTime" => $use_time, "password" => $hash, "passwordTime" => $Now], false);
}
return true;
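Review bot: The generated-password path still persists the password unhashed: `$plaintext` is true exactly when `$new === null` and `random_password()` is called, and the `!$plaintext` guard on `if ($hash && !$plaintext && $this->check_password_encryption("", !!$cdbu))` then skips `hash_password`, so the `"password" => $hash` writes to `$cdbu` and to the local record store the random password as cleartext. If that is intended (presumably so the caller can show or mail it to the user), it deserves a comment where `$plaintext` is assigned, e.g. `// null => generate a password; it is kept unhashed so the caller can deliver it`, and a name such as `$generated` would read less like "store plaintext" than `$plaintext` does. Separately, `$hash &&` is a truthiness test, so the string `"0"` would bypass hashing unless `valid_password` already rejects it; `$hash !== ""` is the safer spelling. The closing brace of change_password lies outside the hunk.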
