From 99cd922b82ca7684967ec3533fcdd5af32c0edc7 Mon Sep 17 00:00:00 2001
From: Lukas Reschke <lukas@statuscode.ch>
Date: Sun, 14 Oct 2012 12:12:55 +0200
Subject: [PATCH] Doublehash the token to prevent timing attacks

---
 core/lostpassword/index.php         | 4 ++--
 core/lostpassword/resetpassword.php | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/core/lostpassword/index.php b/core/lostpassword/index.php
index 4cd8b9079f..906208dcbc 100644
--- a/core/lostpassword/index.php
+++ b/core/lostpassword/index.php
@@ -13,8 +13,8 @@ require_once '../../lib/base.php';
 // Someone lost their password:
 if (isset($_POST['user'])) {
 	if (OC_User::userExists($_POST['user'])) {
-		$token = hash("sha256", $_POST['user'].OC_Util::generate_random_bytes(10));
-		OC_Preferences::setValue($_POST['user'], 'owncloud', 'lostpassword', $token);
+		$token = hash("sha256", OC_Util::generate_random_bytes(30).OC_Config::getValue('passwordsalt', ''));
+		OC_Preferences::setValue($_POST['user'], 'owncloud', 'lostpassword', hash("sha256", $token)); // Hash the token again to prevent timing attacks
 		$email = OC_Preferences::getValue($_POST['user'], 'settings', 'email', '');
 		if (!empty($email)) {
 			$link = OC_Helper::linkToAbsolute('core/lostpassword', 'resetpassword.php', array('user' => $_POST['user'], 'token' => $token));
diff --git a/core/lostpassword/resetpassword.php b/core/lostpassword/resetpassword.php
index 28a0063fc6..896c8da76e 100644
--- a/core/lostpassword/resetpassword.php
+++ b/core/lostpassword/resetpassword.php
@@ -10,7 +10,7 @@ $RUNTIME_NOAPPS = TRUE; //no apps
 require_once '../../lib/base.php';
 
 // Someone wants to reset their password:
-if(isset($_GET['token']) && isset($_GET['user']) && OC_Preferences::getValue($_GET['user'], 'owncloud', 'lostpassword') === $_GET['token']) {
+if(isset($_GET['token']) && isset($_GET['user']) && OC_Preferences::getValue($_GET['user'], 'owncloud', 'lostpassword') === hash("sha256", $_GET['token'])) {
 	if (isset($_POST['password'])) {
 		if (OC_User::setPassword($_GET['user'], $_POST['password'])) {
 			OC_Preferences::deleteKey($_GET['user'], 'owncloud', 'lostpassword');
-- 
GitLab