Make password reset use a secure hash (#17961)

matomo-org · Sep 8, 2021 · 7e82e80 · 7e82e80
1 parent 4191639
commit 7e82e80
Show file tree

Hide file tree

Showing 2 changed files with 3 additions and 2 deletions.
diff --git a/plugins/Login/PasswordResetter.php b/plugins/Login/PasswordResetter.php
@@ -347,7 +347,7 @@ protected function getSalt()
      */
     protected function hashData($data)
     {
-        return Common::hash($data);
+        return $this->passwordHelper->hash($data);
     }
 
     /**

diff --git a/plugins/Login/tests/Integration/PasswordResetterTest.php b/plugins/Login/tests/Integration/PasswordResetterTest.php
@@ -195,7 +195,8 @@ public function provideContainerConfig()
                 ['Test.Mail.send', \DI\value(function (PHPMailer $mail) {
                     $body = $mail->createBody();
                     $body = preg_replace("/=[\r\n]+/", '', $body);
-                    preg_match('/resetToken=[\s]*3D([a-zA-Z0-9=\s]+)<\/p>/', $body, $matches);
+                    // This regex should include the range of characters Piwik\Auth\Password->hash() might return.
+                    preg_match('/resetToken=[\s]*3D([^<]+)<\/p>/', $body, $matches);
                     if (!empty($matches[1])) {
                         $capturedToken = $matches[1];
                         $capturedToken = preg_replace('/=\s*/', '', $capturedToken);