
Commit e0454f9

Merge branch 'release/1.0.11'
2 parents f786ca1 + ffe454a commit e0454f9


5 files changed

+29
-14
lines changed


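--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,10 @@
 # Changelog
 
+## 1.0.11 (January 20, 2017)
+
+### Security
+
+- Fixed replay attack with password reset links when debug toolbar is enabled, discovered by SecureLayer7
+
 ## 1.0.10 (December 22, 2016)
 
 ### Fixed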
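--- a/app/system/config.php
+++ b/app/system/config.php
@@ -4,7 +4,7 @@
 
 'application' => [
 
-'version' => '1.0.10'
+'version' => '1.0.11'
 
 ],
 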
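--- a/app/system/modules/settings/app/components/system.vue
+++ b/app/system/modules/settings/app/components/system.vue
@@ -34,6 +34,7 @@
 <label><input type="checkbox" value="1" v-model="$root.config.debug.enabled" :disabled="!sqlite"> {{ 'Enable debug toolbar' | trans }}</label>
 </p>
 <p class="uk-form-help-block" v-if="!sqlite">{{ 'Please enable the SQLite database extension.' | trans }}</p>
+<p class="uk-form-help-block" v-if="$root.config.application.debug || $root.config.debug.enabled">{{ 'Please note that enabling debug mode or toolbar has serious security implications.' | trans }}</p>
 </div>
 </div>
 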
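--- a/app/system/modules/user/src/Controller/ResetPasswordController.php
+++ b/app/system/modules/user/src/Controller/ResetPasswordController.php
@@ -25,7 +25,7 @@ public function indexAction()
 }
 
 /**
-* @Request({"email": "string"})
+* @Request({"email"})
 */
 public function requestAction($email)
 {
@@ -51,9 +51,8 @@ public function requestAction($email)
 throw new Exception(__('Your account has not been activated or is blocked.'));
 }
 
-$user->activation = App::get('auth.random')->generateString(32);
-
-$url = App::url('@user/resetpassword/confirm', ['user' => $user->username, 'key' => $user->activation], 0);
+$key = App::get('auth.random')->generateString(32);
+$url = App::url('@user/resetpassword/confirm', compact('key'), 0);
 
 try {
 
@@ -67,6 +66,7 @@ public function requestAction($email)
 throw new Exception(__('Unable to send confirmation link.'));
 }
 
+$user->activation = $key;
 $user->save();
 
 App::message()->success(__('Check your email for the confirmation link.'));
@@ -85,15 +85,26 @@ public function requestAction($email)
 }
 
 /**
-* @Request({"user", "key"})
+* @Request({"key", "password"})
 */
-public function confirmAction($username = "", $activation = "")
+public function confirmAction($activation = '', $password = '')
 {
-if (empty($username) || empty($activation) || !$user = User::where(compact('username', 'activation'))->first()) {
+if ($activation and $user = User::where(compact('activation'))->first()) {
+
+App::session()->set('activation', [
+'key' => $activation,
+'user' => $user->id,
+]);
+
+$user->activation = null;
+$user->save();
+}
+
+if (!$data = App::session()->get('activation') or $data['key'] != $activation) {
 App::abort(400, __('Invalid key.'));
 }
 
-if ($user->isBlocked()) {
+if (!$user = User::find($data['user']) or $user->isBlocked()) {
 App::abort(400, __('Your account has not been activated or is blocked.'));
 }
 
@@ -105,8 +116,6 @@ public function confirmAction($username = "", $activation = "")
 throw new Exception(__('Invalid token. Please try again.'));
 }
 
-$password = App::request()->request->get('password');
-
 if (empty($password)) {
 throw new Exception(__('Enter password.'));
 }
@@ -115,10 +124,11 @@ public function confirmAction($username = "", $activation = "")
 throw new Exception(__('Invalid password.'));
 }
 
-$user->password = App::get('auth.password')->hash($password);
 $user->activation = null;
+$user->password = App::get('auth.password')->hash($password);
 $user->save();
 
+App::session()->remove('activation');
 App::message()->success(__('Your password has been reset.'));
 
 return App::redirect('@user/login');
@@ -133,7 +143,6 @@ public function confirmAction($username = "", $activation = "")
 'title' => __('Reset Confirm'),
 'name' => 'system/user/reset-confirm.php'
 ],
-'username' => $username,
 'activation' => $activation,
 'error' => isset($error) ? $error : ''
 ];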
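Review bot: The key check in the `@@ -85,15 +85,26 @@` hunk, `$data['key'] != $activation`, is a loose, non-constant-time comparison on a security token: PHP's `!=` compares numeric strings numerically, so if the random generator's alphabet can produce all-digit strings two distinct keys could compare equal, and the byte-by-byte compare leaks a timing signal. Replace it with `if (!$data = App::session()->get('activation') or !hash_equals((string) $data['key'], (string) $activation)) {`. Separately, only the success path calls `App::session()->remove('activation')`; both `App::abort(400, ...)` paths leave the pending entry in the session, where it stays valid for the life of the session even though the key has already been cleared from the user row, so clearing it before the aborts would be safer. confirmAction's body continues past this hunk.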
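--- a/app/system/modules/user/views/reset-confirm.php
+++ b/app/system/modules/user/views/reset-confirm.php
@@ -1,6 +1,6 @@
 <?php $view->script('uikit-form-password') ?>
 
-<form class="pk-user pk-user-reset uk-form uk-form-stacked uk-width-medium-1-2 uk-width-large-1-3 uk-container-center" action="<?= $view->url('@user/resetpassword/confirm', ['user' => $username, 'key' => $activation]) ?>" method="post">
+<form class="pk-user pk-user-reset uk-form uk-form-stacked uk-width-medium-1-2 uk-width-large-1-3 uk-container-center" action="<?= $view->url('@user/resetpassword/confirm', ['key' => $activation]) ?>" method="post">
 
 <?php if($error): ?>
 <div class="uk-alert uk-alert-danger">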