[SS-2016-008] Reset Member::Salt on password change

This commit is contained in:
Daniel Hensby 2016-07-15 11:49:02 +01:00 committed by Damian Mooyman
parent 00d1d294ca
commit 08384bb4d6

View File

@ -866,7 +866,7 @@ class Member extends DataObject implements TemplateGlobalProvider {
} else {
$random = rand();
$string = md5($random);
$output = substr($string, 0, 6);
$output = substr($string, 0, 8);
return $output;
}
}
@ -922,6 +922,9 @@ class Member extends DataObject implements TemplateGlobalProvider {
// Note that this only works with cleartext passwords, as we can't rehash
// existing passwords.
if((!$this->ID && $this->Password) || $this->isChanged('Password')) {
//reset salt so that it gets regenerated - this will invalidate any persistant login cookies
// or other information encrypted with this Member's settings (see self::encryptWithUserSettings)
$this->Salt = '';
// Password was changed: encrypt the password according the settings
$encryption_details = Security::encrypt_password(
$this->Password, // this is assumed to be cleartext