Bug #88410
Unreachable code in FrontendLoginController (felogin)
Status: Closed
Priority: Should have
Assignee: -
Category: felogin
Target version: -
Start date: 2019-05-21
Due date:
% Done: 0%
Estimated time:
TYPO3 Version: 9
PHP Version:
Tags:
Complexity: medium
Is Regression:
Sprint Focus:
Description
In the code below, the "forgot_hash" from the HTTP POST data is compared against the hash saved in the database - but the second part of that hash gets md5-encoded before comparing it. Thus the check always fails and the user gets a message saying he or she should retry the password reset.
EXT:felogin/Classes/Controller/FrontendLoginController.php (ll. 339-346)
    if (!$compareHash || !$compareHash[1] || $compareHash[0] < time() || $hash[0] != $compareHash[0] || md5($hash[1]) != $compareHash[1]) {
        $markerArray['###STATUS_MESSAGE###'] = $this->getDisplayText(
            'change_password_notvalid_message',
            $this->conf['changePasswordNotValidMessage_stdWrap.']
        );
        $subpartArray['###CHANGEPASSWORD_FORM###'] = '';
    } else {
        // All is fine, continue with new password => THIS WILL NEVER HAPPEN
This might relate to the issue of the forgot-password link being double-encoded, which was recently fixed: https://forge.typo3.org/issues/87153
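To make the comparison in the snippet concrete, here is the same five-part check as a stand-alone PHP function with constructed tokens (an added example, not felogin's own code). It assumes both tokens have the form "<expiry timestamp>|<secret part>" as the explode()/[0]/[1] accesses imply, and it swaps != for hash_equals(); running it shows which stored format the check accepts and which it rejects.

```php
<?php
declare(strict_types=1);

// Stand-alone version of the felogin condition (added example, not
// project code). $linkToken is what the password-reset link / POST
// carries, $storedToken is the value held in felogin_forgotHash.
function forgotHashIsValid(string $linkToken, string $storedToken, int $now): bool
{
    $hash = explode('|', $linkToken);
    $compareHash = explode('|', $storedToken);

    // Conditions from the snippet, taken one at a time.
    if (count($compareHash) < 2 || $compareHash[1] === '') {
        return false;                       // nothing stored, or malformed
    }
    if ((int)$compareHash[0] < $now) {
        return false;                       // reset link has expired
    }
    if (count($hash) < 2 || $hash[0] !== $compareHash[0]) {
        return false;                       // expiry halves differ
    }
    // The stored second half is compared with md5() of the link's second
    // half, so the check can only pass when the database holds md5(secret).
    // hash_equals() avoids loose comparison and timing leaks (assumption).
    return hash_equals($compareHash[1], md5($hash[1]));
}

// Constructed sample values, not taken from any real installation.
$expiry = time() + 3600;
$secret = 'e3b0c44298fc1c149afbf4c8996fb924';   // secret half in the link

$linkToken     = $expiry . '|' . $secret;
$storedAsMd5   = $expiry . '|' . md5($secret);   // database holds md5(secret)
$storedAsPlain = $expiry . '|' . $secret;        // database holds the raw secret
$expiredLink   = ($expiry - 7200) . '|' . $secret;
$expiredStored = ($expiry - 7200) . '|' . md5($secret);

printf("stored md5(secret):  %s\n", var_export(forgotHashIsValid($linkToken, $storedAsMd5, time()), true));
printf("stored raw secret:   %s\n", var_export(forgotHashIsValid($linkToken, $storedAsPlain, time()), true));
printf("expired reset link:  %s\n", var_export(forgotHashIsValid($expiredLink, $expiredStored, time()), true));
```

Only the first case, where the database row stores the md5 of the link's secret half, reaches the else branch; a raw stored secret or an expired timestamp is rejected exactly as the snippet's condition dictates.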