mirror of
https://github.com/the-djmaze/snappymail.git
synced 2026-07-10 06:58:27 +03:00
Bugfix: Security issue with "remember me"
When (backup)server is compromised it is possible to decrypt RainLoop 'sign_me' files. Found by further investigating #126
This commit is contained in:
parent
aed4d9e4c2
commit
7020345739
1 changed files with 6 additions and 4 deletions
|
|
@ -293,17 +293,19 @@ trait UserAuth
|
|||
$this->ClearSignMeData($oAccount);
|
||||
|
||||
$uuid = \SnappyMail\UUID::generate();
|
||||
$salt = \sha1(\microtime(true));
|
||||
Utils::SetCookie(self::AUTH_SIGN_ME_TOKEN_KEY,
|
||||
Utils::EncodeKeyValuesQ(array(
|
||||
'e' => $oAccount->Email(),
|
||||
'u' => $uuid
|
||||
'u' => $uuid,
|
||||
's' => $salt
|
||||
)),
|
||||
\time() + 3600 * 24 * 30); // 30 days
|
||||
|
||||
$this->StorageProvider()->Put($oAccount,
|
||||
StorageType::SIGN_ME,
|
||||
$uuid,
|
||||
Utils::EncryptString($oAccount->GetAuthToken(), \sha1(APP_SALT . $uuid))
|
||||
Utils::EncryptString($oAccount->GetAuthToken(), $salt)
|
||||
);
|
||||
}
|
||||
|
||||
|
|
@ -313,7 +315,7 @@ trait UserAuth
|
|||
|
||||
$aTokenData = static::GetSignMeToken();
|
||||
if (!empty($aTokenData)) {
|
||||
if (!empty($aTokenData['e']) && !empty($aTokenData['u']) && \SnappyMail\UUID::isValid($aTokenData['u'])) {
|
||||
if (!empty($aTokenData['e']) && !empty($aTokenData['u']) && !empty($aTokenData['s']) && \SnappyMail\UUID::isValid($aTokenData['u'])) {
|
||||
$sAuthToken = $this->StorageProvider()->Get($aTokenData['e'],
|
||||
StorageType::SIGN_ME,
|
||||
$aTokenData['u']
|
||||
|
|
@ -321,7 +323,7 @@ trait UserAuth
|
|||
if (empty($sAuthToken)) {
|
||||
return null;
|
||||
}
|
||||
$sAuthToken = Utils::DecryptString($sAuthToken, \sha1(APP_SALT . $aTokenData['u']));
|
||||
$sAuthToken = Utils::DecryptString($sAuthToken, $aTokenData['s']);
|
||||
if (!empty($sAuthToken)) {
|
||||
$oAccount = $this->GetAccountFromCustomToken($sAuthToken, false, false, true);
|
||||
}
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue