diff --git a/src/applications/auth/controller/PhabricatorAuthOneTimeLoginController.php b/src/applications/auth/controller/PhabricatorAuthOneTimeLoginController.php
--- a/src/applications/auth/controller/PhabricatorAuthOneTimeLoginController.php
+++ b/src/applications/auth/controller/PhabricatorAuthOneTimeLoginController.php
@@ -98,8 +98,17 @@
// to go through a second round of email verification.
$unguarded = AphrontWriteGuard::beginScopedUnguardedWrites();
- // Nuke the token so that this URI is one-time only.
- $token->delete();
+ // Nuke the token and all other outstanding password reset tokens.
+ // There is no particular security benefit to destroying them all, but
+ // it should reduce HackerOne reports of nebulous harm.
+
+ PhabricatorAuthTemporaryToken::revokeTokens(
+ $target_user,
+ array($target_user->getPHID()),
+ array(
+ PhabricatorAuthSessionEngine::ONETIME_TEMPORARY_TOKEN_TYPE,
+ PhabricatorAuthSessionEngine::PASSWORD_TEMPORARY_TOKEN_TYPE,
+ ));
if ($target_email) {
id(new PhabricatorUserEditor())
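Review bot: The new comment at the `revokeTokens` call understates what the change does and will confuse the next reader who sees "no particular security benefit" next to a token-revocation call. Revoking every outstanding one-time and password-reset token once one of them is consumed does close a real window: an earlier link, possibly delivered to a different or mistyped address, can no longer be redeemed after the user has already logged in through this one. I would replace the three comment lines with `// Revoke this token and every other outstanding one-time / password-reset token for the user, so a link issued earlier (possibly to another address) cannot still be redeemed after this login.` The argument convention of `revokeTokens` (viewer, PHID list, type list) is inferred from the call site only; the enclosing method starts and ends outside the hunk, so whether `$target_user` is the right viewer for the write cannot be confirmed here.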
diff --git a/src/applications/auth/controller/PhabricatorEmailLoginController.php b/src/applications/auth/controller/PhabricatorEmailLoginController.php
--- a/src/applications/auth/controller/PhabricatorEmailLoginController.php
+++ b/src/applications/auth/controller/PhabricatorEmailLoginController.php
@@ -58,6 +58,26 @@
$e_email = pht('Invalid');
}
+ // If this address is unverified, only send a reset link to it if
+ // the account has no verified addresses. This prevents an opportunistic
+ // attacker from compromising an account if a user adds an email
+ // address but mistypes it and doesn't notice.
+
+ // (For a newly created account, all the addresses may be unverified,
+ // which is why we'll send to an unverified address in that case.)
+
+ if ($target_email && !$target_email->getIsVerified()) {
+ $verified_addresses = id(new PhabricatorUserEmail())->loadAllWhere(
+ 'userPHID = %s AND isVerified = 1',
+ $target_email->getUserPHID());
+ if ($verified_addresses) {
+ $errors[] = pht(
+ 'That email addess is not verified. You can only send '.
+ 'password reset links to a verified address.');
+ $e_email = pht('Unverified');
+ }
+ }
+
if (!$errors) {
$engine = new PhabricatorAuthSessionEngine();
$uri = $engine->getOneTimeLoginURI(
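Review bot: The new user-facing error at the `$errors[] = pht(` line has a typo ("addess") and, more importantly, its distinct wording plus `$e_email = pht('Unverified')` tells an unauthenticated requester that the address is attached to an account but not verified, which is more than the existing `pht('Invalid')` branch above reveals; consider whether a uniform message is preferable so that the form does not distinguish unknown, verified and unverified addresses. At minimum the string should read `'That email address is not verified. You can only send '.`. The `loadAllWhere` query fetches full `PhabricatorUserEmail` rows when only existence is needed; a count or a `LIMIT 1` would do the same job with less work, though the query helper available here is not visible in the hunk. The enclosing controller method starts and ends outside the hunk.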
D10206: Don't send reset links to unverified addresses on accounts with verified addresses