Project

General

Profile

Actions
Copy link

Bug #99902

closed

"Login Form" -> "Display Password Recovery Link" does not respect "User Storage Page"

Added by Timo Poppinga over 1 year ago. Updated 8 months ago.

Status:
Closed
Priority:
Should have
Assignee:
Oliver Hader
Category:
felogin
Target version:
-
Start date:
2023-02-09
Due date:
% Done:

0%

Estimated time:
TYPO3 Version:
11
PHP Version:
Tags:
Complexity:
Is Regression:
Sprint Focus:

Description

I'm sorry, but the problem continues to occur, it could also be a security problem:

In the Action:

    public function recoveryAction(string $userIdentifier = null)
    {
        if (empty($userIdentifier)) {
            return $this->htmlResponse();
        }

        $email = $this->userRepository->findEmailByUsernameOrEmailOnPages(
            $userIdentifier,
            $this->getStorageFolders()
        );

        if ($email) {
            $this->recoveryService->sendRecoveryEmail($email);
        }

        if ($this->exposeNoneExistentUser($email)) {
            $this->addFlashMessage(
                $this->getTranslation('forgot_reset_message_error'),
                '',
                AbstractMessage::ERROR
            );
        } else {
            $this->addFlashMessage($this->getTranslation('forgot_reset_message_emailSent'));
        }

        $this->redirect('login', 'Login', 'felogin');
    }

the "User Storage Page" is respect well.

But then the e-mail is forwarded to TYPO3\CMS\FrontendLogin\Service\RecoveryService->sendRecoveryEmail

    public function sendRecoveryEmail(string $emailAddress): void
    {
        $hash = $this->recoveryConfiguration->getForgotHash();
        // @todo: This repository method call should be moved to PasswordRecoveryController, since its
        // @todo: unexpected that it happens here. Would also drop the dependency to FrontendUserRepository
        // @todo: in this sendRecoveryEmail() method and the class.
        $this->userRepository->updateForgotHashForUserByEmail($emailAddress, GeneralUtility::hmac($hash));
        $userInformation = $this->userRepository->fetchUserInformationByEmail($emailAddress);
        $receiver = new Address($emailAddress, $this->getReceiverName($userInformation));
        $email = $this->prepareMail($receiver, $hash);

        $event = new SendRecoveryEmailEvent($email, $userInformation);
        $this->eventDispatcher->dispatch($event);
        $this->mailer->send($event->getEmail());
    }

and this function just fetches the first record in the fe_users table with this mail

Related issues 1 (0 open1 closed)

Related to TYPO3 Core - Bug #95132: felogin forgot password with email address - the felogin_forgotHash will be set for all fe_users with the same eMail addressClosedTorben Hansen2021-09-07

Actions
Actions
Copy link

Also available in: Atom PDF