Commit 082f5e7d authored by Jitesh Doshi's avatar Jitesh Doshi

Improved hash validation and better UX.

parent 3e0cbf3f
......@@ -6,6 +6,8 @@
*/
use Drupal\Core\Form\FormStateInterface;
use Drupal\Component\Utility\Crypt;
use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
/**
* Default value of the 'prlp_destination' config varible.
......@@ -25,8 +27,15 @@ function prlp_form_user_pass_reset_alter(&$form, FormStateInterface $form_state,
}
function prlp_form_user_pass_reset_submit(&$form, FormStateInterface $form_state) {
$account = $form_state->getBuildInfo()['args'][0];
$account->setPassword($form_state->getValue('pass'));
$account->save();
drupal_set_message(t('Your new password has been saved.'));
$args = $form_state->getBuildInfo()['args'];
list($user, $expiration, $timestamp, $hash) = $args;
// save the new password ONLY if the user and the hash are valid
if ($user !== NULL && $user->isActive() && Crypt::hashEquals($hash, user_pass_rehash($user, $timestamp))) {
$user->setPassword($form_state->getValue('pass'));
$user->save();
drupal_set_message(t('Your new password has been saved.'));
// set this request attribute so that we don't fail on hash check
// in PrlpController::prlpResetPassLogin()
Drupal::request()->getSession()->set('prlp_skip_hash_check', TRUE);
}
}
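Review bot: The skip flag written at the end of the new `if` block in prlp_form_user_pass_reset_submit() is a bare `TRUE` stored in the session, although the comment above it calls it a request attribute. A session value outlives the request and is not tied to the account whose hash was just verified, so if PrlpController::prlpResetPassLogin() does not consume it in this same request, it would relax the hash check for whichever reset-login request that session makes next. Binding it to the account, e.g. `Drupal::request()->getSession()->set('prlp_skip_hash_check', $user->id());` with the controller comparing the stored value against its `$uid`, keeps the bypass scoped to this user; if both sides do run in one request, `Drupal::request()->attributes->set(...)` would avoid persisting it at all. The branch where validation fails is silent, so a logged warning there would help an administrator notice rejected submissions.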
......@@ -2,6 +2,7 @@
namespace Drupal\prlp\Controller;
use Drupal;
use Drupal\Component\Utility\Crypt;
use Drupal\Core\Form\FormState;
use Drupal\user\Controller\UserController;
......@@ -36,8 +37,14 @@ class PrlpController extends UserController {
/** @var \Drupal\user\UserInterface $user */
$user = $this->userStorage->load($uid);
// Check if the hash is valid, but not if you were told by prlp to
// skip checking it.
$check_hash = !Drupal::request()->getSession()->get('prlp_skip_hash_check');
// remove this session setting immediately to avoid security holes
!Drupal::request()->getSession()->remove('prlp_skip_hash_check');
$invalid_hash = $check_hash && !Crypt::hashEquals($hash, user_pass_rehash($user, $timestamp));
// Verify that the user exists and is active.
if ($user === NULL || !$user->isActive()) {
if ($user === NULL || !$user->isActive() || $invalid_hash) {
// Blocked or invalid user ID, so deny access. The parameters will be in
// the watchdog's URL for the administrator to check.
throw new AccessDeniedHttpException();
......
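Review bot: The new `$invalid_hash` line calls `user_pass_rehash($user, $timestamp)` before the `$user === NULL` test that follows it, so a reset link whose uid does not load reaches the hash helper with NULL whenever the hash is being checked. How that call behaves on NULL is not visible here, but it is unlikely to end in the intended `AccessDeniedHttpException`; guarding it keeps the failure a plain 403: `$invalid_hash = $check_hash && ($user === NULL || !Crypt::hashEquals($hash, user_pass_rehash($user, $timestamp)));`. The leading `!` on the `remove('prlp_skip_hash_check')` line negates a discarded result and can be dropped, and the comment "Verify that the user exists and is active." should now mention the hash as well. The enclosing method starts and ends outside this hunk, so any timestamp or expiry checks it performs are not visible.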