[Pkg-owncloud-commits] [owncloud] 55/73: Doublehash the token to prevent timing attacks

[David Prévot]

This is an automated email from the git hooks/post-receive script.

taffit pushed a commit to annotated tag v4.0.10
in repository owncloud.

commit 306eb6d31933238f96de4508383e33c36a139bfa
Author: Lukas Reschke <lukas at statuscode.ch>
Date:   Sun Oct 14 12:12:55 2012 +0200

    Doublehash the token to prevent timing attacks
---
 core/lostpassword/index.php         |    4 ++--
 core/lostpassword/resetpassword.php |    2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/core/lostpassword/index.php b/core/lostpassword/index.php
index 58ac8f4..20cb617 100644
--- a/core/lostpassword/index.php
+++ b/core/lostpassword/index.php
@@ -13,8 +13,8 @@ require_once('../../lib/base.php');
 // Someone lost their password:
 if (isset($_POST['user'])) {
 	if (OC_User::userExists($_POST['user'])) {
-		$token = hash("sha256", $_POST['user'].OC_Util::generate_random_bytes(10));
-		OC_Preferences::setValue($_POST['user'], 'owncloud', 'lostpassword', $token);
+		$token = hash("sha256", OC_Util::generate_random_bytes(30).OC_Config::getValue('passwordsalt', ''));
+		OC_Preferences::setValue($_POST['user'], 'owncloud', 'lostpassword', hash("sha256", $token)); // Hash the token again to prevent timing attacks
 		$email = OC_Preferences::getValue($_POST['user'], 'settings', 'email', '');
 		if (!empty($email) and isset($_POST['sectoken']) and isset($_SESSION['sectoken']) and ($_POST['sectoken']==$_SESSION['sectoken']) ) {
 			$link = OC_Helper::linkToAbsolute('core/lostpassword', 'resetpassword.php').'?user='.urlencode($_POST['user']).'&token='.$token;
diff --git a/core/lostpassword/resetpassword.php b/core/lostpassword/resetpassword.php
index 1c78d72..43d9cf6 100644
--- a/core/lostpassword/resetpassword.php
+++ b/core/lostpassword/resetpassword.php
@@ -10,7 +10,7 @@ $RUNTIME_NOAPPS = TRUE; //no apps
 require_once('../../lib/base.php');
 
 // Someone wants to reset their password:
-if(isset($_GET['token']) && isset($_GET['user']) && OC_Preferences::getValue($_GET['user'], 'owncloud', 'lostpassword') === $_GET['token']) {
+if(isset($_GET['token']) && isset($_GET['user']) && OC_Preferences::getValue($_GET['user'], 'owncloud', 'lostpassword') === hash("sha256", $_GET['token'])) {
 	if (isset($_POST['password'])) {
 		if (OC_User::setPassword($_GET['user'], $_POST['password'])) {
 			OC_Preferences::deleteKey($_GET['user'], 'owncloud', 'lostpassword');

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-owncloud/owncloud.git