Merge pull request #36653 from nextcloud/bugfix/noid/more-defensive-old-token-handling

fix(authentication): Handle null or empty string password hash
Joas Schilling 2023-02-20 11:15:37 +07:00 committed by GitHub
commit c550acae62
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 1 additions and 1 deletions

@ -113,7 +113,7 @@ class PublicKeyTokenProvider implements IProvider {
// We need to check against one old token to see if there is a password
// hash that we can reuse for detecting outdated passwords
$randomOldToken = $this->mapper->getFirstTokenForUser($uid);
$oldTokenMatches = $randomOldToken && $this->hasher->verify(sha1($password) . $password, $randomOldToken->getPasswordHash());
$oldTokenMatches = $randomOldToken && $randomOldToken->getPasswordHash() && $this->hasher->verify(sha1($password) . $password, $randomOldToken->getPasswordHash());
$dbToken = $this->newToken($token, $uid, $loginName, $password, $name, $type, $remember);
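Review bot: The new guard on the `$oldTokenMatches` line tests `$randomOldToken->getPasswordHash()` by truthiness and then calls the getter a second time for `verify()`, so the value that is checked and the value that is verified are two separate reads. Reading it once, `$oldHash = $randomOldToken ? $randomOldToken->getPasswordHash() : null;` followed by `$oldTokenMatches = $oldHash !== null && $oldHash !== '' && $this->hasher->verify(sha1($password) . $password, $oldHash);`, spells out the null and empty-string cases named in the commit title. A short comment above it, such as `// Old tokens may have no stored password hash; skip verify() instead of checking against null/''`, would record why the guard exists. When the sampled token has no hash, `$oldTokenMatches` is now false, and the code that consumes it lies outside this hunk, so it is worth confirming that the mismatch path is the intended fallback and covering both cases with a regression test.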