diff options
| author | Greg Roach <greg@subaqua.co.uk> | 2021-09-09 09:05:17 +0100 |
|---|---|---|
| committer | Greg Roach <greg@subaqua.co.uk> | 2021-09-09 09:05:17 +0100 |
| commit | 3a8376426768db455e2cff3653e0e84b23aa76a8 (patch) | |
| tree | e3b9c2dc25ddd7d82df727d90d2765896ee3cf6a /app | |
| parent | ceab9748a7c11244030d33fbda589872b29688e2 (diff) | |
| download | webtrees-3a8376426768db455e2cff3653e0e84b23aa76a8.tar.gz webtrees-3a8376426768db455e2cff3653e0e84b23aa76a8.tar.bz2 webtrees-3a8376426768db455e2cff3653e0e84b23aa76a8.zip | |
Do not allow the reset-password feature to be used for user-enumeration
Diffstat (limited to 'app')
| -rw-r--r-- | app/Http/RequestHandlers/PasswordRequestAction.php | 15 |
1 files changed, 9 insertions, 6 deletions
diff --git a/app/Http/RequestHandlers/PasswordRequestAction.php b/app/Http/RequestHandlers/PasswordRequestAction.php index 0cbb7df684..7ade888b82 100644 --- a/app/Http/RequestHandlers/PasswordRequestAction.php +++ b/app/Http/RequestHandlers/PasswordRequestAction.php @@ -35,6 +35,7 @@ use Psr\Http\Message\ServerRequestInterface; use Psr\Http\Server\RequestHandlerInterface; use function e; +use function random_int; use function redirect; use function route; use function view; @@ -97,15 +98,17 @@ class PasswordRequestAction implements RequestHandlerInterface, StatusCodeInterf ); Log::addAuthenticationLog('Password request for user: ' . $user->userName()); - - $message1 = I18N::translate('A password reset link has been sent to “%s”.', e($email)); - $message2 = I18N::translate('This link is valid for one hour.'); - FlashMessages::addMessage($message1 . '<br>' . $message2, 'success'); } else { - $message = I18N::translate('There is no user account with the email “%s”.', e($email)); - FlashMessages::addMessage($message, 'danger'); + // Email takes a few seconds to send. An instant response would allow + // an attacker to use the speed of the response to infer whether an account exists. + usleep(random_int(500000, 2000000)); } + // For security, send a success message even when we fail. + $message1 = I18N::translate('A password reset link has been sent to “%s”.', e($email)); + $message2 = I18N::translate('This link is valid for one hour.'); + FlashMessages::addMessage($message1 . '<br>' . $message2, 'success'); + return redirect(route(LoginPage::class, ['tree' => $tree instanceof Tree ? $tree->name() : null])); } } |
