
Merge branch 'release/1.0.11'

MalteScharenberg committed Jan 20, 2017
2 parents f786ca1 + ffe454a commit e0454f9c037c427a5ff76a57e78dbf8cc00c268b
@@ -1,5 +1,10 @@
# Changelog

## 1.0.11 (January 20, 2017)

### Security
- Fixed replay attack with password reset links when debug toolbar is enabled, discovered by SecureLayer7

## 1.0.10 (December 22, 2016)

### Fixed
@@ -4,7 +4,7 @@
'application' => [
'version' => '1.0.10'
'version' => '1.0.11'
],
@@ -34,6 +34,7 @@
<label><input type="checkbox" value="1" v-model="$root.config.debug.enabled" :disabled="!sqlite"> {{ 'Enable debug toolbar' | trans }}</label>
</p>
<p class="uk-form-help-block" v-if="!sqlite">{{ 'Please enable the SQLite database extension.' | trans }}</p>
<p class="uk-form-help-block" v-if="$root.config.application.debug || $root.config.debug.enabled">{{ 'Please note that enabling debug mode or toolbar has serious security implications.' | trans }}</p>
</div>
</div>

@@ -25,7 +25,7 @@ public function indexAction()
}
/**
* @Request({"email": "string"})
* @Request({"email"})
*/
public function requestAction($email)
{
@@ -51,9 +51,8 @@ public function requestAction($email)
throw new Exception(__('Your account has not been activated or is blocked.'));
}
$user->activation = App::get('auth.random')->generateString(32);
$url = App::url('@user/resetpassword/confirm', ['user' => $user->username, 'key' => $user->activation], 0);
$key = App::get('auth.random')->generateString(32);
$url = App::url('@user/resetpassword/confirm', compact('key'), 0);
try {
@@ -67,6 +66,7 @@ public function requestAction($email)
throw new Exception(__('Unable to send confirmation link.'));
}
$user->activation = $key;
$user->save();
App::message()->success(__('Check your email for the confirmation link.'));
@@ -85,15 +85,26 @@ public function requestAction($email)
}
/**
* @Request({"user", "key"})
* @Request({"key", "password"})
*/
public function confirmAction($username = "", $activation = "")
public function confirmAction($activation = '', $password = '')
{
if (empty($username) || empty($activation) || !$user = User::where(compact('username', 'activation'))->first()) {
if ($activation and $user = User::where(compact('activation'))->first()) {
App::session()->set('activation', [
'key' => $activation,
'user' => $user->id,
]);
$user->activation = null;
$user->save();
}
if (!$data = App::session()->get('activation') or $data['key'] != $activation) {
App::abort(400, __('Invalid key.'));
}
if ($user->isBlocked()) {
if (!$user = User::find($data['user']) or $user->isBlocked()) {
App::abort(400, __('Your account has not been activated or is blocked.'));
}
@@ -105,8 +116,6 @@ public function confirmAction($username = "", $activation = "")
throw new Exception(__('Invalid token. Please try again.'));
}
$password = App::request()->request->get('password');
if (empty($password)) {
throw new Exception(__('Enter password.'));
}
@@ -115,10 +124,11 @@ public function confirmAction($username = "", $activation = "")
throw new Exception(__('Invalid password.'));
}
$user->password = App::get('auth.password')->hash($password);
$user->activation = null;
$user->password = App::get('auth.password')->hash($password);
$user->save();
App::session()->remove('activation');
App::message()->success(__('Your password has been reset.'));
return App::redirect('@user/login');
@@ -133,7 +143,6 @@ public function confirmAction($username = "", $activation = "")
'title' => __('Reset Confirm'),
'name' => 'system/user/reset-confirm.php'
],
'username' => $username,
'activation' => $activation,
'error' => isset($error) ? $error : ''
];
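Review bot: The session-key check added in confirmAction, `if (!$data = App::session()->get('activation') or $data['key'] != $activation)`, uses PHP's loose `!=`, which compares numeric-looking strings numerically and is not constant-time, yet it is the check that gates the rest of the reset once the one-time database lookup has consumed the key. It should be a strict, timing-safe comparison: `if (!$data = App::session()->get('activation') or !hash_equals((string) $data['key'], (string) $activation)) {`. The string casts also cover the case where the `@Request({"key", "password"})` binding hands over a non-string value, which I cannot confirm from this page. confirmAction's signature is in this hunk but its body continues through the later hunks of this file and past what is shown.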
@@ -1,6 +1,6 @@
<?php $view->script('uikit-form-password') ?>

<form class="pk-user pk-user-reset uk-form uk-form-stacked uk-width-medium-1-2 uk-width-large-1-3 uk-container-center" action="<?= $view->url('@user/resetpassword/confirm', ['user' => $username, 'key' => $activation]) ?>" method="post">
<form class="pk-user pk-user-reset uk-form uk-form-stacked uk-width-medium-1-2 uk-width-large-1-3 uk-container-center" action="<?= $view->url('@user/resetpassword/confirm', ['key' => $activation]) ?>" method="post">

<?php if($error): ?>
<div class="uk-alert uk-alert-danger">
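Review bot: The reset key is still carried in the form's action query string on the new line (`['key' => $activation]`), so it lands in access logs and in the Referer of the POST even though, after this commit, it only matters within the session that first consumed it. Since confirmAction now compares the submitted key against the session-stored one, a hidden field keeps it out of the URL: `action="<?= $view->url('@user/resetpassword/confirm') ?>"` with `<input type="hidden" name="key" value="<?= htmlspecialchars($activation, ENT_QUOTES, 'UTF-8') ?>">`. This assumes the `@Request` binding reads POST parameters for `key` as it does for `password`; worth confirming before changing the template.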
