
Commit 23901ef

committed
Merge branch 'release/3.7.6'
2 parents 221e9ed + d23aade commit 23901ef


3 files changed

+46
-35
lines changed


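--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,9 +1,15 @@
+# v3.7.6
+## 06/29/2023
+
+1. [](#bugfix)
+* Don't save an empty user file on password reset of non-existing user
+
 # v3.7.5
 ## 06/14/2023
 
 1. [](#bugfix)
 * Sanitized `email` during the "forgot password" process to protect against XSS attacks
-* Fixed an account enumeration vulneratiblity in forgot password [#293](https://github.com/getgrav/grav-plugin-login/pull/293)
+* Fixed an account enumeration vulnerability in forgot password [#293](https://github.com/getgrav/grav-plugin-login/pull/293)
 
 # v3.7.4
 ## 05/09/2023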

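--- a/blueprints.yaml
+++ b/blueprints.yaml
@@ -1,7 +1,7 @@
 name: Login
 slug: login
 type: plugin
-version: 3.7.5
+version: 3.7.6
 testing: false
 description: Enables user authentication and login screen.
 icon: sign-in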

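--- a/classes/Controller.php
+++ b/classes/Controller.php
@@ -347,61 +347,66 @@ protected function taskForgot()
 $config = $this->grav['config'];
 $data = $this->post;
 
+/** @var Language $language */
+$language = $this->grav['language'];
+$messages = $this->grav['messages'];
+
 /** @var UserCollectionInterface $users */
 $users = $this->grav['accounts'];
-
 $email = $data['email'] ?? '';
 
 // Sanitize $email
 $email = htmlspecialchars(strip_tags($email), ENT_QUOTES, 'UTF-8');
 
-$user = !empty($email) ? $users->find($email, ['email']) : null;
-
-/** @var Language $language */
-$language = $this->grav['language'];
-$messages = $this->grav['messages'];
+// Find user if they exist
+$user = $users->find($email, ['email']);
 
-if (!isset($this->grav['Email'])) {
-$messages->add($language->translate('PLUGIN_LOGIN.FORGOT_EMAIL_NOT_CONFIGURED'), 'error');
-$this->setRedirect($this->login->getRoute('forgot') ?? '/');
+if ($user->exists()) {
+if (!isset($this->grav['Email'])) {
+$messages->add($language->translate('PLUGIN_LOGIN.FORGOT_EMAIL_NOT_CONFIGURED'), 'error');
+$this->setRedirect($this->login->getRoute('forgot') ?? '/');
 
-return true;
-}
+return true;
+}
 
-$from = $config->get('plugins.email.from');
+$from = $config->get('plugins.email.from');
 
-if (empty($from)) {
-$messages->add($language->translate('PLUGIN_LOGIN.FORGOT_EMAIL_NOT_CONFIGURED'), 'error');
-$this->setRedirect($this->login->getRoute('forgot') ?? '/');
+if (empty($from)) {
+$messages->add($language->translate('PLUGIN_LOGIN.FORGOT_EMAIL_NOT_CONFIGURED'), 'error');
+$this->setRedirect($this->login->getRoute('forgot') ?? '/');
 
-return true;
-}
+return true;
+}
 
-$userKey = $user->username;
-$rateLimiter = $this->login->getRateLimiter('pw_resets');
-$rateLimiter->registerRateLimitedAction($userKey);
+$userKey = $user->username;
+$rateLimiter = $this->login->getRateLimiter('pw_resets');
+$rateLimiter->registerRateLimitedAction($userKey);
 
-if ($rateLimiter->isRateLimited($userKey)) {
-$messages->add($language->translate(['PLUGIN_LOGIN.FORGOT_CANNOT_RESET_IT_IS_BLOCKED', $email, $rateLimiter->getInterval()]), 'error');
-$this->setRedirect($this->login->getRoute('login') ?? '/');
+if ($rateLimiter->isRateLimited($userKey)) {
+$messages->add($language->translate(['PLUGIN_LOGIN.FORGOT_CANNOT_RESET_IT_IS_BLOCKED', $email, $rateLimiter->getInterval()]), 'error');
+$this->setRedirect($this->login->getRoute('login') ?? '/');
 
-return true;
-}
+return true;
+}
 
-$token = md5(uniqid((string)mt_rand(), true));
-$expire = time() + 604800; // next week
+$token = md5(uniqid((string)mt_rand(), true));
+$expire = time() + 604800; // next week
 
-$user->reset = $token . '::' . $expire;
-$user->save();
+$user->reset = $token . '::' . $expire;
+$user->save();
 
-try {
-Email::sendResetPasswordEmail($user);
+try {
+Email::sendResetPasswordEmail($user);
 
+$messages->add($language->translate('PLUGIN_LOGIN.FORGOT_INSTRUCTIONS_SENT_VIA_EMAIL'), 'info');
+} catch (\Exception $e) {
+$messages->add($language->translate('PLUGIN_LOGIN.FORGOT_FAILED_TO_EMAIL'), 'error');
+}
+} else {
 $messages->add($language->translate('PLUGIN_LOGIN.FORGOT_INSTRUCTIONS_SENT_VIA_EMAIL'), 'info');
-} catch (\Exception $e) {
-$messages->add($language->translate('PLUGIN_LOGIN.FORGOT_FAILED_TO_EMAIL'), 'error');
 }
 
+
 $this->setRedirect($this->login->getRoute('login') ?? '/');
 
 return true;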
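Review bot: The reset token on the new side of the hunk, `$token = md5(uniqid((string)mt_rand(), true));`, is still derived from `mt_rand()` and `uniqid()`, neither of which is a cryptographic random source, so the secret that authorises a password reset carries less unpredictability than its 32 hex characters suggest; `$token = bin2hex(random_bytes(16));` yields a 128-bit token from the OS CSPRNG and keeps the `token::expire` format of `$user->reset` unchanged. A smaller point on the new `if ($user->exists())` split: both branches end on the same `FORGOT_INSTRUCTIONS_SENT_VIA_EMAIL` message, but only the existing-user branch does the rate-limit bookkeeping, `$user->save()` and the outbound email, so the response body is now uniform while the amount of I/O per request is not; a comment such as `// Both branches report success so the response does not reveal whether the account exists; only the existing-user branch does I/O` would record the intent and the known residual gap. The `pw_resets` limiter is likewise consulted only inside the existing-user branch, so requests for unknown addresses are never counted, which appears to be a deliberate trade-off but is worth stating next to `getRateLimiter('pw_resets')`. taskForgot() starts before and ends after this hunk.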
