[ticket/security/276] Centralise call for token expiration

SECURITY-276
Marc Alexander 2024-05-09 11:51:59 +02:00
parent 7c661746cf
commit 1c1c981b17
No known key found for this signature in database
GPG key ID: 50E0D2423696F995
8 changed files with 20 additions and 10 deletions


@ -242,7 +242,7 @@ class acp_inactive
$sql = 'UPDATE ' . USERS_TABLE . ' $sql = 'UPDATE ' . USERS_TABLE . '
SET user_reminded = user_reminded + 1, SET user_reminded = user_reminded + 1,
user_reminded_time = ' . time() . ', user_reminded_time = ' . time() . ',
user_actkey_expiration = ' . (int) strtotime('+1 day') . ' user_actkey_expiration = ' . (int) $user::get_token_expiration() . '
WHERE ' . $db->sql_in_set('user_id', $user_ids); WHERE ' . $db->sql_in_set('user_id', $user_ids);
$db->sql_query($sql); $db->sql_query($sql);
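Review bot: The explicit `(int)` cast wrapped around the new `$user::get_token_expiration()` call is redundant now that the method declares an `int` return type, and none of the other call sites in this commit (acp_users, ucp_profile, ucp_register, ucp_resend, the console add command, reset_password) cast it; either drop it here — `user_actkey_expiration = ' . $user::get_token_expiration() . '` — or keep it at every site as a deliberate guard on values concatenated into SQL, but not only in one place. Separately, every module hunk except the console command reaches the static method through an instance (`$user::`), which depends on the global `$user` being an object at that point; calling `\phpbb\user::get_token_expiration()` as the console command does would make the dependency explicit and uniform across the commit. The enclosing method of acp_inactive starts and ends outside the hunk.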


@ -388,12 +388,12 @@ class acp_users
// Always update actkey even if same and also update actkey expiration to 24 hours from now // Always update actkey even if same and also update actkey expiration to 24 hours from now
$sql_ary = [ $sql_ary = [
'user_actkey' => $user_actkey, 'user_actkey' => $user_actkey,
'user_actkey_expiration' => strtotime('+1 day'), 'user_actkey_expiration' => $user::get_token_expiration(),
]; ];
$sql = 'UPDATE ' . USERS_TABLE . ' $sql = 'UPDATE ' . USERS_TABLE . '
SET ' . $db->sql_build_array('UPDATE', $sql_ary) . ' SET ' . $db->sql_build_array('UPDATE', $sql_ary) . '
WHERE user_id = ' . $user_id; WHERE user_id = ' . (int) $user_id;
$db->sql_query($sql); $db->sql_query($sql);
// Start sending email // Start sending email
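Review bot: The comment on the first line of the hunk still states "update actkey expiration to 24 hours from now" while the value is now produced by `$user::get_token_expiration()`, so the comment will silently go stale if the centralised lifetime is ever changed; suggest `// Always update actkey even if same and refresh its expiration via user::get_token_expiration()`. The `(int) $user_id` cast added to the WHERE clause is the right defensive move for a query built by string concatenation. The enclosing method starts and ends outside the hunk.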


@ -198,7 +198,7 @@ class ucp_profile
$notifications_manager->add_notifications('notification.type.admin_activate_user', array( $notifications_manager->add_notifications('notification.type.admin_activate_user', array(
'user_id' => $user->data['user_id'], 'user_id' => $user->data['user_id'],
'user_actkey' => $user_actkey, 'user_actkey' => $user_actkey,
'user_actkey_expiration' => strtotime('+1 day'), // 24 hours until activation can be resent 'user_actkey_expiration' => $user::get_token_expiration(),
'user_regdate' => time(), // Notification time 'user_regdate' => time(), // Notification time
)); ));
} }


@ -389,7 +389,7 @@ class ucp_register
'user_lang' => $data['lang'], 'user_lang' => $data['lang'],
'user_type' => $user_type, 'user_type' => $user_type,
'user_actkey' => $user_actkey, 'user_actkey' => $user_actkey,
'user_actkey_expiration' => strtotime('+1 day'), // 24 hours until activation can be resent 'user_actkey_expiration' => $user::get_token_expiration(),
'user_ip' => $user->ip, 'user_ip' => $user->ip,
'user_regdate' => time(), 'user_regdate' => time(),
'user_inactive_reason' => $user_inactive_reason, 'user_inactive_reason' => $user_inactive_reason,


@ -179,7 +179,7 @@ class ucp_resend
global $db, $user; global $db, $user;
$sql_ary = [ $sql_ary = [
'user_actkey_expiration' => strtotime('+1 day'), 'user_actkey_expiration' => $user::get_token_expiration(),
]; ];
$sql = 'UPDATE ' . USERS_TABLE . ' $sql = 'UPDATE ' . USERS_TABLE . '


@ -337,12 +337,12 @@ class add extends command
$sql_ary = [ $sql_ary = [
'user_actkey' => $user_actkey, 'user_actkey' => $user_actkey,
'user_actkey_expiration' => strtotime('+1 day'), 'user_actkey_expiration' => \phpbb\user::get_token_expiration(),
]; ];
$sql = 'UPDATE ' . USERS_TABLE . ' $sql = 'UPDATE ' . USERS_TABLE . '
SET ' . $this->db->sql_build_array('UPDATE', $sql_ary) . ' SET ' . $this->db->sql_build_array('UPDATE', $sql_ary) . '
WHERE user_id = ' . $user_id; WHERE user_id = ' . (int) $user_id;
$this->db->sql_query($sql); $this->db->sql_query($sql);
} }


@ -242,7 +242,7 @@ class reset_password
$sql_ary = [ $sql_ary = [
'reset_token' => $reset_token, 'reset_token' => $reset_token,
'reset_token_expiration' => strtotime('+1 day'), 'reset_token_expiration' => $this->user::get_token_expiration(),
]; ];
$sql = 'UPDATE ' . $this->users_table . ' $sql = 'UPDATE ' . $this->users_table . '


@ -57,7 +57,7 @@ class user extends \phpbb\session
* @param \phpbb\language\language $lang phpBB's Language loader * @param \phpbb\language\language $lang phpBB's Language loader
* @param string $datetime_class Class name of datetime class * @param string $datetime_class Class name of datetime class
*/ */
function __construct(\phpbb\language\language $lang, $datetime_class) public function __construct(\phpbb\language\language $lang, $datetime_class)
{ {
global $phpbb_root_path; global $phpbb_root_path;
@ -78,6 +78,16 @@ class user extends \phpbb\session
return $this->is_setup_flag; return $this->is_setup_flag;
} }
/**
* Get expiration time for user tokens, e.g. activation or reset password tokens
*
* @return int Expiration for user tokens
*/
public static function get_token_expiration(): int
{
return strtotime('+1 day') ?: 0;
}
/** /**
* Magic getter for BC compatibility * Magic getter for BC compatibility
* *