Merge pull request #2138 from barrybingo/development

TheSerapher · TheSerapher · commit 8f36c18dac88 · 2014-04-23T19:01:40.000+02:00
[Fix] Correctly hash new password
diff --git a/public/include/classes/user.class.php b/public/include/classes/user.class.php
@@ -861,7 +861,7 @@ public function resetPassword($token, $new1, $new2) {
         $this->setErrorMessage( 'New password is too short, please use more than 8 chars' );
         return false;
       }
-      $new_hash = $this->getHash($new1);
+      $new_hash = $this->getHash($new1, HASH_VERSION, bin2hex(openssl_random_pseudo_bytes(32)));
       $stmt = $this->mysqli->prepare("UPDATE $this->table SET pass = ? WHERE id = ?");
       if ($this->checkStmt($stmt) && $stmt->bind_param('si', $new_hash, $aToken['account_id']) && $stmt->execute() && $stmt->affected_rows === 1) {
         if ($this->token->deleteToken($aToken['token'])) {

Original file line number	Diff line number	Diff line change
`@@ -861,7 +861,7 @@ public function resetPassword($token, $new1, $new2) {`
`861`	`861`	`$this->setErrorMessage( 'New password is too short, please use more than 8 chars' );`
`862`	`862`	`return false;`
`863`	`863`	`}`
`864`		`- $new_hash = $this->getHash($new1);`
	`864`	`+ $new_hash = $this->getHash($new1, HASH_VERSION, bin2hex(openssl_random_pseudo_bytes(32)));`
`865`	`865`	`$stmt = $this->mysqli->prepare("UPDATE $this->table SET pass = ? WHERE id = ?");`
`866`	`866`	`if ($this->checkStmt($stmt) && $stmt->bind_param('si', $new_hash, $aToken['account_id']) && $stmt->execute() && $stmt->affected_rows === 1) {`
`867`	`867`	`if ($this->token->deleteToken($aToken['token'])) {`