Update lostpass.php

author Lynn Stephenson <63118982+lynn-stephenson@users.noreply.github.com>

Sat, 4 Apr 2020 08:10:39 +0000 (08:10 +0000)

committer GitHub <noreply@github.com>

Sat, 4 Apr 2020 08:10:39 +0000 (08:10 +0000)
author Lynn Stephenson <63118982+lynn-stephenson@users.noreply.github.com>
Sat, 4 Apr 2020 08:10:39 +0000 (08:10 +0000)
committer GitHub <noreply@github.com>
Sat, 4 Apr 2020 08:10:39 +0000 (08:10 +0000)
diff --git a/mod/lostpass.php b/mod/lostpass.php

index 8a1a9f36e52fb80042eb82e3d750cdd4266de2c7..211477b0dbd252b12322e2521b7456592194e292 100644 (file)
--- a/mod/lostpass.php
+++ b/mod/lostpass.php
@@ -44,7 +44,7 @@ function lostpass_post(App $a)
         $pwdreset_token = Strings::getRandomHex(32);
  
         $fields = [
-               'pwdreset' => $pwdreset_token,
+               'pwdreset' => hash('sha256', $pwdreset_token),
                 'pwdreset_time' => DateTimeFormat::utcNow()
         ];
         $result = DBA::update('user', $fields, ['uid' => $user['uid']]);
@@ -95,7 +95,7 @@ function lostpass_content(App $a)
         if ($a->argc > 1) {
                 $pwdreset_token = $a->argv[1];
  
-               $user = DBA::selectFirst('user', ['uid', 'username', 'nickname', 'email', 'pwdreset_time', 'language'], ['pwdreset' => $pwdreset_token]);
+               $user = DBA::selectFirst('user', ['uid', 'username', 'nickname', 'email', 'pwdreset_time', 'language'], ['pwdreset' => hash('sha256', $pwdreset_token)]);
                 if (!DBA::isResult($user)) {
                         notice(DI::l10n()->t("Request could not be verified. \x28You may have previously submitted it.\x29 Password reset failed."));
author	Lynn Stephenson <63118982+lynn-stephenson@users.noreply.github.com>
	Sat, 4 Apr 2020 08:10:39 +0000 (08:10 +0000)
committer	GitHub <noreply@github.com>
	Sat, 4 Apr 2020 08:10:39 +0000 (08:10 +0000)