Piwigo Bugtracker

Piwigo bug tracker has moved to Github

This bugtracker is kept to provide history on old issues.


Issue Details

ID: 0003050
Project: Piwigo
Category: authentication
View Status: public
Date Submitted: 2014.02.24 10:54
Last Update: 2014.09.20 13:52
Reporter: rvelices
Assigned To: plg
Priority: normal
Severity: minor
Reproducibility: have not tried
Status: closed
Resolution: fixed
Platform / OS / OS Version: (not given)
Product Version: 2.6.1
Target Version: 2.7.0RC1
Fixed in Version: 2.7.0RC1
Summary: 0003050: User activation_key expiration
Description: the activation_key for users is never deleted/expired. Any old email with the key will allow resetting the password. I suggest
- activation_key has a 24-hour max life span
- activation_key is automatically deleted when the password is reset ...
Tags: No tags attached.
Browser: any
Database engine and version: (not given)
PHP version: (not given)
Web server: Apache 1.3.x
Attached Files: (none)

- Relationships
related to 0003141 (closed, assigned to plg): Unknown column 'activation_key_expire' in 'field list'

- Notes
(0007419)
plg (manager)
2014.05.12 13:53

I fully agree, I should have implemented it. My mistake. Tell me if you want me to work on it.
(0007421)
rvelices (developer)
2014.05.12 14:49

I won't have the time immediately. So I assign you ...
(0007475)
effigies (reporter)
2014.06.15 00:56
edited on: 2014.06.15 01:19

Patch to revoke key on reset (apply to password.php). Doing expiration would almost certainly require a new table to track time of key generation.

diff --git a/password.php b/password.php
index abcd502..b22b981 100644
--- a/password.php
+++ b/password.php
@@ -222,6 +222,12 @@ function reset_password()
     array($conf['user_fields']['id'] => $user_id)
     );
 
+ single_update(
+ USER_INFOS_TABLE,
+ array('activation_key' => null),
+ array('user_id' => $user_id)
+ );
+
   $page['infos'][] = l10n('Your password has been reset');
 
   if (isset($_GET['key']))
@@ -270,7 +276,7 @@ if (isset($_GET['key']) and !is_a_guest())
   unset($_GET['key']);
 }
 
-if (isset($_GET['key']))
+if (isset($_GET['key']) && !isset($_POST['submit']))
 {
   $user_id = check_password_reset_key($_GET['key']);
   if (is_numeric($user_id))
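Review bot: adding `&& !isset($_POST['submit'])` skips check_password_reset_key() on the form submission, so this hunk is only safe if the POST path validates the key again before reset_password() acts on it; if $user_id for the submitted form comes from anywhere other than a fresh check_password_reset_key($_GET['key']) call, a crafted POST with submit set would reach the reset with an unchecked key. Please point at (or add) that second validation. Style: the file uses `and` on the line just above (`isset($_GET['key']) and !is_a_guest()`), so `&&` is inconsistent here.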

(0007480)
plg (manager)
2014.06.16 15:45

Thank you effigies. This is a good first step. I want to add an expiration datetime as well (and purge all existing activation_key with a migration script).
(0007483)
rvelices (developer)
2014.06.16 18:05

IMHO, a DB modification or purge script is not required. The URL for reset could contain, in addition to the raw key, the generation date (of course all HMAC signed).
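The stateless variant rvelices sketches, as an added illustration (not Piwigo code and not part of this thread): the reset URL carries user id, issue time and the raw key, all covered by an HMAC, so expiry needs no new column, while single use still comes from clearing the stored key on reset. The server secret, the 24-hour TTL from the report, the `activation_keys` dict standing in for user_infos.activation_key and the `now` parameter are assumptions made for the example.

```python
"""Stateless signed reset link: key + issue time, HMAC-protected (added example)."""
import hashlib
import hmac
import secrets
import time

# Hypothetical per-installation secret; a real deployment loads it from config.
SERVER_SECRET = b"example-secret-do-not-use"
KEY_TTL_SECONDS = 24 * 60 * 60  # the 24-hour maximum the report asks for

# Constructed stand-in for user_infos.activation_key: user_id -> raw key or None.
activation_keys = {}


def issue_reset_link(user_id, now=None):
    """Generate a raw key, store it for the user, return the signed URL parameter."""
    now = int(time.time() if now is None else now)
    raw_key = secrets.token_urlsafe(20)          # no '.' in the alphabet, safe to join on '.'
    activation_keys[user_id] = raw_key
    payload = f"{user_id}.{now}.{raw_key}"
    tag = hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"


def check_reset_token(token, now=None):
    """Return the user_id if the token is authentic, unexpired and still stored, else None."""
    now = int(time.time() if now is None else now)
    parts = token.split(".")
    if len(parts) != 4:
        return None
    user_id_s, issued_s, raw_key, tag_hex = parts
    payload = f"{user_id_s}.{issued_s}.{raw_key}".encode()
    expected = hmac.new(SERVER_SECRET, payload, hashlib.sha256).hexdigest()
    # Verify the MAC in constant time before trusting any field of the token.
    if not hmac.compare_digest(expected.encode(), tag_hex.encode()):
        return None
    if not (user_id_s.isdigit() and issued_s.isdigit()):
        return None
    user_id, issued = int(user_id_s), int(issued_s)
    if issued > now or now - issued > KEY_TTL_SECONDS:
        return None                              # expired (or clock skewed into the future)
    stored = activation_keys.get(user_id)
    if stored is None or not hmac.compare_digest(stored.encode(), raw_key.encode()):
        return None                              # already used, or never issued
    return user_id


def reset_password(token, new_password, now=None):
    """Consume the token: succeeds once, then the stored key is cleared."""
    user_id = check_reset_token(token, now)
    if user_id is None:
        return False
    activation_keys[user_id] = None              # single use: revoke on successful reset
    # The actual password update is omitted; only the key life cycle is shown.
    return True
```

Because the issue time is inside the MAC, an attacker cannot extend a link's life by editing the timestamp, and because the raw key is still compared against the stored value, an old email stops working the moment the password is reset.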
(0007484)
effigies (reporter)
2014.06.17 02:15

What about running something like this at key creation:

'CREATE EVENT revoke'.$key.' ON SCHEDULE AT CURRENT_TIMESTAMP + INTERVAL 1 DAY DO UPDATE piwigo_user_infos SET activation_key=NULL WHERE activation_key="'.$key.'";'

You need root to run "SET GLOBAL event_scheduler = ON;", so it may not work for people who don't have root access or a willing admin.
(0007527)
svn (reporter)
2014.07.28 21:27

[Subversion] r29111 by plg on trunk

-----[Subversion commit log]----------------------------------------------------
bug 3050: increase security on reset password algorithm.

* reset key has a 1-hour life
* reset key is automatically deleted once used
* reset key is stored as a hash

Thank you effigies for code suggestions
(0007528)
plg (manager)
2014.07.28 21:37

In addition to the requested improvements, activation_key is now stored in the database as a hash (pwg_password_hash).

rvelices, maybe I could have avoided using the new column user_infos.activation_key_expire, but it was a bit complicated (in my opinion) with the hash.
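The stored-hash design plg describes for r29111, as an added example written for this page (it is not Piwigo's password.php and does not reproduce pwg_password_hash): the raw key goes only into the email, the table keeps its hash and an expiry, the key is cleared once used, and a purge routine stands in for the migration script discussed above. It assumes a `user_infos` dict with the two columns, the 1-hour life from the commit log, and an unsalted SHA-256 in place of the salted password hash; the key is 160 bits of fresh randomness, so a fast hash is adequate, and a deterministic hash also lets the row be found by value, which is what makes the lookup by key possible without carrying the user id in the URL.

```python
"""Reset key stored as a hash with an expiry column (added example)."""
import hashlib
import hmac
import secrets
import time

KEY_LIFETIME_SECONDS = 60 * 60  # the 1-hour life the r29111 commit log describes

# Constructed stand-in for user_infos: user_id -> the two columns involved.
user_infos = {
    1: {"activation_key": None, "activation_key_expire": None},
    2: {"activation_key": None, "activation_key_expire": None},
}


def hash_key(raw_key):
    # Random 160-bit key: an unsalted fast hash is adequate and, unlike a salted
    # password hash, lets the row be located by the hash value itself.
    return hashlib.sha256(raw_key.encode()).hexdigest()


def generate_reset_key(user_id, now=None):
    """Create a raw key, persist only its hash plus an expiry, return the raw key for the email."""
    now = int(time.time() if now is None else now)
    raw_key = secrets.token_urlsafe(20)
    row = user_infos[user_id]
    row["activation_key"] = hash_key(raw_key)
    row["activation_key_expire"] = now + KEY_LIFETIME_SECONDS
    return raw_key


def check_password_reset_key(raw_key, now=None):
    """Return the user_id whose stored hash matches and whose key is unexpired, else None."""
    now = int(time.time() if now is None else now)
    wanted = hash_key(raw_key)
    for user_id, row in user_infos.items():
        stored = row["activation_key"]
        if stored is None:
            continue
        if hmac.compare_digest(stored, wanted):
            expire = row["activation_key_expire"]
            # A row with a key but no expiry predates the column: treat as expired.
            if expire is None or now >= expire:
                return None
            return user_id
    return None


def reset_password(raw_key, new_password, now=None):
    """Consume the key: succeeds once, then both columns are cleared."""
    user_id = check_password_reset_key(raw_key, now)
    if user_id is None:
        return False
    row = user_infos[user_id]
    row["activation_key"] = None
    row["activation_key_expire"] = None
    # The actual password update is omitted; only the key life cycle is shown.
    return True


def purge_expired_keys(now=None):
    """Maintenance/migration step: drop every key that is expired or has no expiry; returns the count."""
    now = int(time.time() if now is None else now)
    purged = 0
    for row in user_infos.values():
        expire = row["activation_key_expire"]
        if row["activation_key"] is not None and (expire is None or expire <= now):
            row["activation_key"] = None
            row["activation_key_expire"] = None
            purged += 1
    return purged
```

With the hash at rest, a read of the user_infos table (a backup, an SQL injection elsewhere) no longer yields usable reset links, and the expiry column bounds the window in which an intercepted email is useful.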
(0007629)
svn (reporter)
2014.09.20 13:52

[Subversion] r29666 by plg on trunk

-----[Subversion commit log]----------------------------------------------------
bug 3141 fixed: forgot to change piwigo_structure-mysql.sql in r29111 for feature 3050

- Issue History
Date Modified Username Field Change
2014.02.24 10:54 rvelices New Issue
2014.02.24 10:54 rvelices Status new => assigned
2014.02.24 10:54 rvelices Assigned To => rvelices
2014.02.24 10:54 rvelices browser => any
2014.02.24 10:54 rvelices Web server => Apache 1.3.x
2014.05.12 13:53 plg Note Added: 0007419
2014.05.12 14:49 rvelices Note Added: 0007421
2014.05.12 14:49 rvelices Assigned To rvelices => plg
2014.06.15 00:56 effigies Note Added: 0007475
2014.06.15 01:19 effigies Note Edited: 0007475
2014.06.16 15:45 plg Note Added: 0007480
2014.06.16 18:05 rvelices Note Added: 0007483
2014.06.17 02:15 effigies Note Added: 0007484
2014.07.28 21:27 svn Checkin
2014.07.28 21:27 svn Note Added: 0007527
2014.07.28 21:37 plg Note Added: 0007528
2014.07.28 21:37 plg Status assigned => closed
2014.07.28 21:37 plg Resolution open => fixed
2014.07.28 21:37 plg Fixed in Version => 2.7.0beta3
2014.07.28 21:37 plg Target Version 2.7.0beta1 => 2.7.0beta3
2014.09.20 13:52 svn Checkin
2014.09.20 13:52 svn Note Added: 0007629
2014.09.20 13:53 plg Relationship added related to 0003141

