summaryrefslogtreecommitdiff
path: root/app
diff options
context:
space:
mode:
authorGreg Roach <greg@subaqua.co.uk>2021-09-09 09:05:17 +0100
committerGreg Roach <greg@subaqua.co.uk>2021-09-09 09:05:17 +0100
commit3a8376426768db455e2cff3653e0e84b23aa76a8 (patch)
treee3b9c2dc25ddd7d82df727d90d2765896ee3cf6a /app
parentceab9748a7c11244030d33fbda589872b29688e2 (diff)
downloadwebtrees-3a8376426768db455e2cff3653e0e84b23aa76a8.tar.gz
webtrees-3a8376426768db455e2cff3653e0e84b23aa76a8.tar.bz2
webtrees-3a8376426768db455e2cff3653e0e84b23aa76a8.zip
Do not allow the reset-password feature to be used for user-enumeration
Diffstat (limited to 'app')
-rw-r--r--app/Http/RequestHandlers/PasswordRequestAction.php15
1 files changed, 9 insertions, 6 deletions
diff --git a/app/Http/RequestHandlers/PasswordRequestAction.php b/app/Http/RequestHandlers/PasswordRequestAction.php
index 0cbb7df684..7ade888b82 100644
--- a/app/Http/RequestHandlers/PasswordRequestAction.php
+++ b/app/Http/RequestHandlers/PasswordRequestAction.php
@@ -35,6 +35,7 @@ use Psr\Http\Message\ServerRequestInterface;
use Psr\Http\Server\RequestHandlerInterface;
use function e;
+use function random_int;
use function redirect;
use function route;
use function view;
@@ -97,15 +98,17 @@ class PasswordRequestAction implements RequestHandlerInterface, StatusCodeInterf
);
Log::addAuthenticationLog('Password request for user: ' . $user->userName());
-
- $message1 = I18N::translate('A password reset link has been sent to “%s”.', e($email));
- $message2 = I18N::translate('This link is valid for one hour.');
- FlashMessages::addMessage($message1 . '<br>' . $message2, 'success');
} else {
- $message = I18N::translate('There is no user account with the email “%s”.', e($email));
- FlashMessages::addMessage($message, 'danger');
+ // Email takes a few seconds to send. An instant response would allow
+ // an attacker to use the speed of the response to infer whether an account exists.
+ usleep(random_int(500000, 2000000));
}
+ // For security, send a success message even when we fail.
+ $message1 = I18N::translate('A password reset link has been sent to “%s”.', e($email));
+ $message2 = I18N::translate('This link is valid for one hour.');
+ FlashMessages::addMessage($message1 . '<br>' . $message2, 'success');
+
return redirect(route(LoginPage::class, ['tree' => $tree instanceof Tree ? $tree->name() : null]));
}
}