[Pkg-owncloud-commits] [owncloud] 35/67: Doublehash the token to prevent timing attacks

David Prévot taffit at alioth.debian.org
Fri Nov 8 23:10:38 UTC 2013 

This is an automated email from the git hooks/post-receive script.

taffit pushed a commit to annotated tag v4.5.1
in repository owncloud.

commit ecef3b6b98ce39b23c8d1a82c19cb134a5b9b6b3
Author: Lukas Reschke <lukas at statuscode.ch>
Date:   Sun Oct 14 12:12:55 2012 +0200

    Doublehash the token to prevent timing attacks
---
 core/lostpassword/index.php         |    4 ++--
 core/lostpassword/resetpassword.php |    2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/core/lostpassword/index.php b/core/lostpassword/index.php
index 4cd8b90..906208d 100644
--- a/core/lostpassword/index.php
+++ b/core/lostpassword/index.php
@@ -13,8 +13,8 @@ require_once '../../lib/base.php';
 // Someone lost their password:
 if (isset($_POST['user'])) {
 	if (OC_User::userExists($_POST['user'])) {
-		$token = hash("sha256", $_POST['user'].OC_Util::generate_random_bytes(10));
-		OC_Preferences::setValue($_POST['user'], 'owncloud', 'lostpassword', $token);
+		$token = hash("sha256", OC_Util::generate_random_bytes(30).OC_Config::getValue('passwordsalt', ''));
+		OC_Preferences::setValue($_POST['user'], 'owncloud', 'lostpassword', hash("sha256", $token)); // Hash the token again to prevent timing attacks
 		$email = OC_Preferences::getValue($_POST['user'], 'settings', 'email', '');
 		if (!empty($email)) {
 			$link = OC_Helper::linkToAbsolute('core/lostpassword', 'resetpassword.php', array('user' => $_POST['user'], 'token' => $token));
diff --git a/core/lostpassword/resetpassword.php b/core/lostpassword/resetpassword.php
index 28a0063..896c8da 100644
--- a/core/lostpassword/resetpassword.php
+++ b/core/lostpassword/resetpassword.php
@@ -10,7 +10,7 @@ $RUNTIME_NOAPPS = TRUE; //no apps
 require_once '../../lib/base.php';
 
 // Someone wants to reset their password:
-if(isset($_GET['token']) && isset($_GET['user']) && OC_Preferences::getValue($_GET['user'], 'owncloud', 'lostpassword') === $_GET['token']) {
+if(isset($_GET['token']) && isset($_GET['user']) && OC_Preferences::getValue($_GET['user'], 'owncloud', 'lostpassword') === hash("sha256", $_GET['token'])) {
 	if (isset($_POST['password'])) {
 		if (OC_User::setPassword($_GET['user'], $_POST['password'])) {
 			OC_Preferences::deleteKey($_GET['user'], 'owncloud', 'lostpassword');

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-owncloud/owncloud.git

More information about the Pkg-owncloud-commits mailing list