Merge branch 'release/1.0.11'
malte-christian committed Jan 20, 2017
2 parents f786ca1 + ffe454a commit e0454f9
Showing 5 changed files with 29 additions and 14 deletions.
5 changes: 5 additions & 0 deletions CHANGELOG.md
@@ -1,5 +1,10 @@
# Changelog

## 1.0.11 (January 20, 2017)

### Security
- Fixed replay attack with password reset links when debug toolbar is enabled, discovered by SecureLayer7

## 1.0.10 (December 22, 2016)

### Fixed
2 changes: 1 addition & 1 deletion app/system/config.php
Expand Up @@ -4,7 +4,7 @@

'application' => [

'version' => '1.0.10'
'version' => '1.0.11'

],

1 change: 1 addition & 0 deletions app/system/modules/settings/app/components/system.vue
Expand Up @@ -34,6 +34,7 @@
<label><input type="checkbox" value="1" v-model="$root.config.debug.enabled" :disabled="!sqlite"> {{ 'Enable debug toolbar' | trans }}</label>
</p>
<p class="uk-form-help-block" v-if="!sqlite">{{ 'Please enable the SQLite database extension.' | trans }}</p>
<p class="uk-form-help-block" v-if="$root.config.application.debug || $root.config.debug.enabled">{{ 'Please note that enabling debug mode or toolbar has serious security implications.' | trans }}</p>
</div>
</div>

33 changes: 21 additions & 12 deletions app/system/modules/user/src/Controller/ResetPasswordController.php
Expand Up @@ -25,7 +25,7 @@ public function indexAction()
}

/**
* @Request({"email": "string"})
* @Request({"email"})
*/
public function requestAction($email)
{
Expand All @@ -51,9 +51,8 @@ public function requestAction($email)
throw new Exception(__('Your account has not been activated or is blocked.'));
}

$user->activation = App::get('auth.random')->generateString(32);

$url = App::url('@user/resetpassword/confirm', ['user' => $user->username, 'key' => $user->activation], 0);
$key = App::get('auth.random')->generateString(32);
$url = App::url('@user/resetpassword/confirm', compact('key'), 0);

try {

Expand All @@ -67,6 +66,7 @@ public function requestAction($email)
throw new Exception(__('Unable to send confirmation link.'));
}

$user->activation = $key;
$user->save();

App::message()->success(__('Check your email for the confirmation link.'));
Expand All @@ -85,15 +85,26 @@ public function requestAction($email)
}

/**
* @Request({"user", "key"})
* @Request({"key", "password"})
*/
public function confirmAction($username = "", $activation = "")
public function confirmAction($activation = '', $password = '')
{
if (empty($username) || empty($activation) || !$user = User::where(compact('username', 'activation'))->first()) {
if ($activation and $user = User::where(compact('activation'))->first()) {

App::session()->set('activation', [
'key' => $activation,
'user' => $user->id,
]);

$user->activation = null;
$user->save();
}

if (!$data = App::session()->get('activation') or $data['key'] != $activation) {
App::abort(400, __('Invalid key.'));
}

if ($user->isBlocked()) {
if (!$user = User::find($data['user']) or $user->isBlocked()) {
App::abort(400, __('Your account has not been activated or is blocked.'));
}

Expand All @@ -105,8 +116,6 @@ public function confirmAction($username = "", $activation = "")
throw new Exception(__('Invalid token. Please try again.'));
}

$password = App::request()->request->get('password');

if (empty($password)) {
throw new Exception(__('Enter password.'));
}
Expand All @@ -115,10 +124,11 @@ public function confirmAction($username = "", $activation = "")
throw new Exception(__('Invalid password.'));
}

$user->password = App::get('auth.password')->hash($password);
$user->activation = null;
$user->password = App::get('auth.password')->hash($password);
$user->save();

App::session()->remove('activation');
App::message()->success(__('Your password has been reset.'));

return App::redirect('@user/login');
Expand All @@ -133,7 +143,6 @@ public function confirmAction($username = "", $activation = "")
'title' => __('Reset Confirm'),
'name' => 'system/user/reset-confirm.php'
],
'username' => $username,
'activation' => $activation,
'error' => isset($error) ? $error : ''
];
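Review bot: The check that binds the posted form to the consumed reset link in confirmAction, `$data['key'] != $activation`, is a loose comparison, so PHP's numeric-string rules apply and two different numeric-looking strings can compare equal; this is the only guard left once the database row's activation has been cleared, so it should be a strict, constant-time comparison: `if (!$data = App::session()->get('activation') or !hash_equals((string) $data['key'], (string) $activation)) {` (hash_equals needs PHP 5.6+; `!==` is the minimum if the project targets older PHP). Whether the value returned by auth.random's generateString can be purely numeric is not visible here, so the practical exposure is uncertain, but the strict form costs nothing. The same hunk also stores the session entry without any expiry, which is the pre-existing behaviour of the activation column and not something this commit changes; a short comment such as `// key has been consumed from the DB; the session copy is now the sole proof for this reset` above the session write would make the two-step design clear to the next reader. confirmAction starts and ends outside this hunk.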
2 changes: 1 addition & 1 deletion app/system/modules/user/views/reset-confirm.php
@@ -1,6 +1,6 @@
<?php $view->script('uikit-form-password') ?>

<form class="pk-user pk-user-reset uk-form uk-form-stacked uk-width-medium-1-2 uk-width-large-1-3 uk-container-center" action="<?= $view->url('@user/resetpassword/confirm', ['user' => $username, 'key' => $activation]) ?>" method="post">
<form class="pk-user pk-user-reset uk-form uk-form-stacked uk-width-medium-1-2 uk-width-large-1-3 uk-container-center" action="<?= $view->url('@user/resetpassword/confirm', ['key' => $activation]) ?>" method="post">

<?php if($error): ?>
<div class="uk-alert uk-alert-danger">
