tonyair/silverstripe-framework
1
0
Fork 0
mirror of https://github.com/silverstripe/silverstripe-framework synced 2024-10-22 14:05:37 +02:00
Code Issues Projects Releases Wiki Activity

[SS-2016-008] Reset Member::Salt on password change

Browse Source
This commit is contained in:
Daniel Hensby 2016-07-15 11:49:02 +01:00 committed by Damian Mooyman
parent 4d9f929ca3
commit 298f61521c
1 changed files with 6 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
security/Member.php
View File

@ -786,8 +786,8 @@ class Member extends DataObject implements TemplateGlobalProvider {
* @return string Returns a random password. * @return string Returns a random password.
*/ */
public static function create_new_password() { public static function create_new_password() {
if(file_exists(Security::get_word_list())) { if(file_exists(Security::config()->word_list)) {
$words = file(Security::get_word_list()); $words = file(Security::config()->word_list);
list($usec, $sec) = explode(' ', microtime()); list($usec, $sec) = explode(' ', microtime());
srand($sec + ((float) $usec * 100000)); srand($sec + ((float) $usec * 100000));
@ -799,7 +799,7 @@ class Member extends DataObject implements TemplateGlobalProvider {
} else { } else {
$random = rand(); $random = rand();
$string = md5($random); $string = md5($random);
$output = substr($string, 0, 6); $output = substr($string, 0, 8);
return $output; return $output;
} }
} }
@ -858,6 +858,9 @@ class Member extends DataObject implements TemplateGlobalProvider {
// Note that this only works with cleartext passwords, as we can't rehash // Note that this only works with cleartext passwords, as we can't rehash
// existing passwords. // existing passwords.
if((!$this->ID && $this->Password) || $this->isChanged('Password')) { if((!$this->ID && $this->Password) || $this->isChanged('Password')) {
//reset salt so that it gets regenerated - this will invalidate any persistant login cookies
// or other information encrypted with this Member's settings (see self::encryptWithUserSettings)
$this->Salt = '';
// Password was changed: encrypt the password according the settings // Password was changed: encrypt the password according the settings
$encryption_details = Security::encrypt_password( $encryption_details = Security::encrypt_password(
$this->Password, // this is assumed to be cleartext $this->Password, // this is assumed to be cleartext