Skip to content
Permalink
Browse files

[SS-2016-008] Reset `Member::Salt` on password change

  • Loading branch information...
dhensby authored and Damian Mooyman committed Jul 15, 2016
1 parent 4d9f929 commit 298f61521c55b07e5c898a92264dbe111735a87a
Showing with 6 additions and 3 deletions.
  1. +6 −3 security/Member.php
@@ -786,8 +786,8 @@ public static function currentUserID() {
* @return string Returns a random password.
*/
public static function create_new_password() {
if(file_exists(Security::get_word_list())) {
$words = file(Security::get_word_list());
if(file_exists(Security::config()->word_list)) {
$words = file(Security::config()->word_list);
list($usec, $sec) = explode(' ', microtime());
srand($sec + ((float) $usec * 100000));
@@ -799,7 +799,7 @@ public static function create_new_password() {
} else {
$random = rand();
$string = md5($random);
$output = substr($string, 0, 6);
$output = substr($string, 0, 8);
return $output;
}
}
@@ -858,6 +858,9 @@ public function onBeforeWrite() {
// Note that this only works with cleartext passwords, as we can't rehash
// existing passwords.
if((!$this->ID && $this->Password) || $this->isChanged('Password')) {
//reset salt so that it gets regenerated - this will invalidate any persistant login cookies
// or other information encrypted with this Member's settings (see self::encryptWithUserSettings)
$this->Salt = '';
// Password was changed: encrypt the password according the settings
$encryption_details = Security::encrypt_password(
$this->Password, // this is assumed to be cleartext

0 comments on commit 298f615

Please sign in to comment.
You can’t perform that action at this time.