[ticket/security/276] Centralise call for token expiration

SECURITY-276

phpBB/includes/acp/acp_inactive.php

@@ -242,7 +242,7 @@ class acp_inactive
 						$sql = 'UPDATE ' . USERS_TABLE . '
 							SET user_reminded = user_reminded + 1,
 								user_reminded_time = ' . time() . ',
-								user_actkey_expiration = ' . (int) strtotime('+1 day') . '
+								user_actkey_expiration = ' . (int) $user::get_token_expiration() . '
 							WHERE ' . $db->sql_in_set('user_id', $user_ids);
 						$db->sql_query($sql);
 

phpBB/includes/acp/acp_users.php

@@ -388,12 +388,12 @@ class acp_users
 								// Always update actkey even if same and also update actkey expiration to 24 hours from now
 								$sql_ary = [
 									'user_actkey'				=> $user_actkey,
-									'user_actkey_expiration'	=> strtotime('+1 day'),
+									'user_actkey_expiration'	=> $user::get_token_expiration(),
 								];
 
 								$sql = 'UPDATE ' . USERS_TABLE . '
 									SET ' . $db->sql_build_array('UPDATE', $sql_ary) . '
-									WHERE user_id = ' . $user_id;
+									WHERE user_id = ' . (int) $user_id;
 								$db->sql_query($sql);
 
 								// Start sending email

phpBB/includes/ucp/ucp_profile.php

@@ -198,7 +198,7 @@ class ucp_profile
 								$notifications_manager->add_notifications('notification.type.admin_activate_user', array(
 									'user_id'					=> $user->data['user_id'],
 									'user_actkey'				=> $user_actkey,
-									'user_actkey_expiration'	=> strtotime('+1 day'), // 24 hours until activation can be resent
+									'user_actkey_expiration'	=> $user::get_token_expiration(),
 									'user_regdate'				=> time(), // Notification time
 								));
 							}

phpBB/includes/ucp/ucp_register.php

@@ -389,7 +389,7 @@ class ucp_register
 					'user_lang'					=> $data['lang'],
 					'user_type'					=> $user_type,
 					'user_actkey'				=> $user_actkey,
-					'user_actkey_expiration'	=> strtotime('+1 day'), // 24 hours until activation can be resent
+					'user_actkey_expiration'	=> $user::get_token_expiration(),
 					'user_ip'					=> $user->ip,
 					'user_regdate'				=> time(),
 					'user_inactive_reason'		=> $user_inactive_reason,

phpBB/includes/ucp/ucp_resend.php

@@ -179,7 +179,7 @@ class ucp_resend
 		global $db, $user;
 
 		$sql_ary = [
-			'user_actkey_expiration'	=> strtotime('+1 day'),
+			'user_actkey_expiration'	=> $user::get_token_expiration(),
 		];
 
 		$sql = 'UPDATE ' . USERS_TABLE . '

phpBB/phpbb/console/command/user/add.php

@@ -337,12 +337,12 @@ class add extends command
 
 			$sql_ary = [
 				'user_actkey'				=> $user_actkey,
-				'user_actkey_expiration'	=> strtotime('+1 day'),
+				'user_actkey_expiration'	=> \phpbb\user::get_token_expiration(),
 			];
 
 			$sql = 'UPDATE ' . USERS_TABLE . '
 				SET ' . $this->db->sql_build_array('UPDATE', $sql_ary) . '
-				WHERE user_id = ' . $user_id;
+				WHERE user_id = ' . (int) $user_id;
 			$this->db->sql_query($sql);
 		}
 

phpBB/phpbb/ucp/controller/reset_password.php

@@ -242,7 +242,7 @@ class reset_password
 
 				$sql_ary = [
 					'reset_token'				=> $reset_token,
-					'reset_token_expiration'	=> strtotime('+1 day'),
+					'reset_token_expiration'	=> $this->user::get_token_expiration(),
 				];
 
 				$sql = 'UPDATE ' . $this->users_table . '

phpBB/phpbb/user.php

@@ -57,7 +57,7 @@ class user extends \phpbb\session
 	* @param \phpbb\language\language	$lang			phpBB's Language loader
 	* @param string						$datetime_class	Class name of datetime class
 	*/
-	function __construct(\phpbb\language\language $lang, $datetime_class)
+	public function __construct(\phpbb\language\language $lang, $datetime_class)
 	{
 		global $phpbb_root_path;
 
@@ -78,6 +78,16 @@ class user extends \phpbb\session
 		return $this->is_setup_flag;
 	}
 
+	/**
+	 * Get expiration time for user tokens, e.g. activation or reset password tokens
+	 *
+	 * @return int Expiration for user tokens
+	 */
+	public static function get_token_expiration(): int
+	{
+		return strtotime('+1 day') ?: 0;
+	}
+
 	/**
 	 * Magic getter for BC compatibility
 	 *