upstream/nextcloud
1
0
Fork 0
mirror of https://github.com/nextcloud/server.git synced 2026-05-28 04:32:30 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 25

fix(authentication): Only verify each hash once

Browse source 
Signed-off-by: Joas Schilling <coding@schilljs.com>
This commit is contained in:
Joas Schilling 2023-01-09 14:53:12 +01:00
parent 3892c3edc9
commit 55d8aec759
No known key found for this signature in database
GPG key ID: 74434EFE0D2E2205
1 changed files with 4 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
lib/private/Authentication/Token/PublicKeyTokenProvider.php
View file

@ -448,9 +448,11 @@ class PublicKeyTokenProvider implements IProvider {
// Update the password for all tokens
$tokens = $this->mapper->getTokenByUser($uid);
$passwordHash = $this->hashPassword($password);
$verifiedHashes = [];
foreach ($tokens as $t) {
$publicKey = $t->getPublicKey();
if ($t->getPasswordHash() === null || $this->hasher->verify(sha1($password) . $password, $t->getPasswordHash())) {
if ($t->getPasswordHash() === null || isset($verifiedHashes[$t->getPasswordHash()]) || $this->hasher->verify(sha1($password) . $password, $t->getPasswordHash())) {
$verifiedHashes[$t->getPasswordHash() ?: ''] = true;
$publicKey = $t->getPublicKey();
$t->setPassword($this->encryptPassword($password, $publicKey));
$t->setPasswordHash($passwordHash);
$t->setPasswordInvalid(false);