upstream/nextcloud
1
0
Fork 0
mirror of https://github.com/nextcloud/server.git synced 2026-03-12 21:52:19 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 39

Merge pull request #36653 from nextcloud/bugfix/noid/more-defensive-old-token-handling

Browse source 
fix(authentication): Handle null or empty string password hash
This commit is contained in:
Joas Schilling 2023-02-20 11:15:37 +01:00 committed by GitHub
commit c550acae62
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
1 changed files with 1 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
lib/private/Authentication/Token/PublicKeyTokenProvider.php
View file

@ -113,7 +113,7 @@ class PublicKeyTokenProvider implements IProvider {
// We need to check against one old token to see if there is a password
// hash that we can reuse for detecting outdated passwords
$randomOldToken = $this->mapper->getFirstTokenForUser($uid);
$oldTokenMatches = $randomOldToken && $this->hasher->verify(sha1($password) . $password, $randomOldToken->getPasswordHash());
$oldTokenMatches = $randomOldToken && $randomOldToken->getPasswordHash() && $this->hasher->verify(sha1($password) . $password, $randomOldToken->getPasswordHash());
$dbToken = $this->newToken($token, $uid, $loginName, $password, $name, $type, $remember);