Bug #88410 (closed): Unreachable code in FrontendLoginController (felogin)
Description
In the code below, the "forgot_hash" from the HTTP POST data is compared against the hash saved in the database, but the second part of that hash gets md5-encoded before comparing it. Thus the check always fails and the user gets a message saying he or she should retry the password reset.
EXT:felogin/Classes/Controller/FrontendLoginController.php (ll. 339-346)

```php
if (!$compareHash || !$compareHash[1] || $compareHash[0] < time() || $hash[0] != $compareHash[0] || md5($hash[1]) != $compareHash[1]) {
    $markerArray['###STATUS_MESSAGE###'] = $this->getDisplayText(
        'change_password_notvalid_message',
        $this->conf['changePasswordNotValidMessage_stdWrap.']
    );
    $subpartArray['###CHANGEPASSWORD_FORM###'] = '';
} else {
    // All is fine, continue with new password => THIS WILL NEVER HAPPEN
```
This might be related to the forgot-password link being double-encoded, which was recently fixed: https://forge.typo3.org/issues/87153
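As an added illustration (not code from the TYPO3 core or from this report), the following minimal PHP re-implementation of the quoted check assumes that the value stored in the database has the form `<validUntil>|<md5(secret)>` while the link sent to the user carries `<validUntil>|<secret>`; under that assumption the else-branch is reachable for a valid link, which is consistent with the follow-up finding that the check works in a clean installation.

```php
<?php
// Added example, not TYPO3 core code. Assumption: the database keeps
// "<validUntil>|<md5(secret)>" and the mailed link carries "<validUntil>|<secret>".
declare(strict_types=1);

/** Build the value pair for a new reset request: one for the link, one for the database. */
function createForgotHash(int $validForSeconds, int $now): array
{
    $validUntil = $now + $validForSeconds;
    $secret = bin2hex(random_bytes(16));            // constructed random secret
    return [
        'link' => $validUntil . '|' . $secret,      // goes into the reset link
        'db'   => $validUntil . '|' . md5($secret), // persisted for the user record
    ];
}

/** Re-implementation of the condition from the report; true means the link is accepted. */
function isForgotHashValid(string $fromLink, string $fromDb, int $now): bool
{
    $hash        = explode('|', $fromLink);
    $compareHash = explode('|', $fromDb);

    // No stored hash, missing digest part, or validity window already over
    if (!$compareHash || empty($compareHash[1]) || (int)$compareHash[0] < $now) {
        return false;
    }
    // Timestamp in the link must match the stored one
    if ($hash[0] !== $compareHash[0]) {
        return false;
    }
    // The link carries the plain secret; the database holds its md5 digest.
    // hash_equals() avoids leaking timing information on the comparison.
    return hash_equals($compareHash[1], md5($hash[1] ?? ''));
}

$now  = time();
$pair = createForgotHash(3600, $now);

// A fresh link inside its validity window
var_dump(isForgotHashValid($pair['link'], $pair['db'], $now));
// The same link two hours later, past validUntil
var_dump(isForgotHashValid($pair['link'], $pair['db'], $now + 7200));
// A link whose secret does not match the stored digest
var_dump(isForgotHashValid($hash = explode('|', $pair['link'])[0] . '|wrong', $pair['db'], $now));
```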
Updated by Christian Baur almost 5 years ago
Meanwhile I found the time to investigate a little bit more in this issue and especially setup a minimal TYPO3 instance with ddev (actually I wanted to provide a patch). The bug does not occur in a fresh and clean installation.
In other words: I was wrong, this is not a bug in the TYPO3 core!
Lessons learned:
- Always follow the Contribution Guidelines (they're awesome, by the way)
- Double-check if an error is reproducible
- ...a lot more, just by reading the guidelines
This issue can be closed. I really hope that nobody else wasted their time on this yet. Apologies!