Merge pull request #12328 from nanolikeyou/master

fix several security vulnerabilities

src/main/java/org/b3log/solo/processor/LoginProcessor.java

@@ -351,12 +351,23 @@ public class LoginProcessor {
             final JSONObject requestJSONObject;
 
             requestJSONObject = Requests.parseRequestJSONObject(request, context.getResponse());
-            final String userEmail = requestJSONObject.getString(User.USER_EMAIL);
-            final String newPwd = requestJSONObject.getString("newPwd");
-            final JSONObject user = userQueryService.getUserByEmail(userEmail);
-
-            user.put(User.USER_PASSWORD, newPwd);
-            userMgmtService.updateUser(user);
+			final String token = requestJSONObject.getString("token");
+			final String newPwd = requestJSONObject.getString("newPwd");
+			final JSONObject passwordResetOption = optionQueryService.getOptionById(token);
+
+			if (null == passwordResetOption) {
+				LOGGER.log(Level.WARN, "Not found user by that token:[{0}]", token);
+				jsonObject.put("succeed", true);
+				jsonObject.put("to", Latkes.getServePath() + "/login?from=reset");
+				jsonObject.put(Keys.MSG, langPropsService.get("resetPwdFailedMsg"));
+				return;
+			}
+			final String userEmail = passwordResetOption.getString(Option.OPTION_VALUE);
+			final JSONObject user = userQueryService.getUserByEmail(userEmail);
+
+			user.put(User.USER_PASSWORD, newPwd);
+			userMgmtService.updateUser(user);
+			// TODO delete expired token
             LOGGER.log(Level.DEBUG, "[{0}]'s password updated successfully.", userEmail);
 
             jsonObject.put("succeed", true);
@@ -392,19 +403,17 @@ public class LoginProcessor {
         final String token = new Randoms().nextStringWithMD5();
         final String adminEmail = preference.getString(Option.ID_C_ADMIN_EMAIL);
         final String mailSubject = langPropsService.get("resetPwdMailSubject");
-        final String mailBody = langPropsService.get("resetPwdMailBody") + " " + Latkes.getServePath() + "/forgot?token=" + token
-                + "&login=" + userEmail;
+		final String mailBody = langPropsService.get("resetPwdMailBody") + " " + Latkes.getServePath()
+				+ "/forgot?token=" + token;
         final MailService.Message message = new MailService.Message();
 
         final JSONObject option = new JSONObject();
 
-        option.put(Keys.OBJECT_ID, token);
-        option.put(Option.OPTION_CATEGORY, "passwordReset");
-        option.put(Option.OPTION_VALUE, System.currentTimeMillis());
-
-        final Transaction transaction = optionRepository.beginTransaction();
-
-        optionRepository.add(option);
+		option.put(Keys.OBJECT_ID, token);
+		option.put(Option.OPTION_CATEGORY, "passwordReset");
+		option.put(Option.OPTION_VALUE, userEmail);
+		final Transaction transaction = optionRepository.beginTransaction();
+		optionRepository.add(option);
         transaction.commit();
 
         message.setFrom(adminEmail);
@@ -454,7 +463,6 @@ public class LoginProcessor {
         dataModel.put(Option.ID_C_BLOG_TITLE, preference.getString(Option.ID_C_BLOG_TITLE));
 
         final String token = request.getParameter("token");
-        final String email = request.getParameter("login");
         final JSONObject tokenObj = optionQueryService.getOptionById(token);
 
         if (tokenObj == null) {
@@ -462,7 +470,7 @@ public class LoginProcessor {
         } else {
             // TODO verify the expired time in the tokenObj
             dataModel.put("inputType", "password");
-            dataModel.put("userEmailHidden", email);
+			dataModel.put("tokenHidden", token);
         }
 
         final String from = request.getParameter("from");

src/main/resources/lang_en_US.properties

@@ -298,6 +298,7 @@ forgotLabel=forgot password
 sendLabel=Send
 userEmailNotFoundMsg=Sorry, email not found.
 resetPwdSuccessMsg=Password reset successfully.
+resetPwdFailedMsg=Can not find valid email by that token.
 resetPwdSuccessSend=Check your e-mail for the confirmation link.
 resetPwdMailSubject=[Solo]Password Reset
 resetPwdMailBody=To reset your password please open the link below. If this is a mistake just ignore this email - your password will not be changed.<p>

src/main/resources/lang_zh_CN.properties

@@ -298,6 +298,7 @@ forgotLabel=\u5FD8\u8BB0\u5BC6\u7801
 sendLabel=\u53D1\u9001
 userEmailNotFoundMsg=\u90AE\u7BB1\u5730\u5740\u6709\u8BEF\uFF0C\u8BF7\u91CD\u8BD5
 resetPwdSuccessMsg=\u5BC6\u7801\u4FEE\u6539\u6210\u529F
+resetPwdFailedMsg=\u4e0d\u80fd\u6839\u636e\u6b64token\u627e\u5230\u6709\u6548\u90ae\u7bb1\u4fe1\u606f
 resetPwdSuccessSend=\u66F4\u6539\u5BC6\u7801\u7684\u786E\u8BA4\u94FE\u63A5\u5DF2\u53D1\u9001\u81F3\u6307\u5B9A\u90AE\u7BB1
 resetPwdMailSubject=[Solo]\u91CD\u7F6E\u5BC6\u7801
 resetPwdMailBody=\u60F3\u66F4\u6539\u5BC6\u7801\uFF0C\u8BF7\u6253\u5F00\u4E0B\u9762\u94FE\u63A5\uFF1B\u82E5\u4E0D\u60F3\u4FEE\u6539\uFF0C\u53EA\u8981\u5FFD\u7565\u6B64\u6B21\u90AE\u4EF6\uFF0C\u7CFB\u7EDF\u5E76\u4E0D\u4F1A\u81EA\u52A8\u4FEE\u6539\u60A8\u7684\u5BC6\u7801\u3002<p>

src/main/webapp/reset-pwd.ftl

@@ -18,8 +18,8 @@ ${forgotLabel}
         <label for="emailOrPassword">
         ${userPasswordLabel}
         </label>
-        <input id="emailOrPassword"/>
-        <input type="hidden" id="userEmailHidden" value="${userEmailHidden}" />
+        <input type="password" id="emailOrPassword"/>
+		<input type="hidden" id="token" value="${tokenHidden}" />
         <button id="sendBtn" onclick='reset();'>${ok}</button>
         <span id="tip"></span>
     </div>
@@ -52,7 +52,7 @@ ${forgotLabel}
         }
         var requestJSONObject = {
             "newPwd": $("#emailOrPassword").val(),
-            "userEmail": $("#userEmailHidden").val()
+            "token": $("#token").val()
         };
 
         $("#tip").html("<img src='${staticServePath}/images/loading.gif'/> loading...");

src/test/resources/reset-pwd.ftl

@@ -44,8 +44,8 @@
                             <label for="emailOrPassword">
                                 ${userPasswordLabel}
                             </label>
-                            <input id="emailOrPassword"/>
-                            <input type="hidden" id="userEmailHidden" value="${userEmailHidden}" />
+                            <input type="password" id="emailOrPassword"/>
+                            <input type="hidden" id="token" value="${tokenHidden}" />
                             <button id="sendBtn" onclick='reset();'>${ok}</button>
                             <span id="tip"></span>
                         </div>
@@ -92,7 +92,7 @@
                 }
                 var requestJSONObject = {
                     "newPwd": $("#emailOrPassword").val(),
-                    "userEmail": $("#userEmailHidden").val()
+                    "token": $("#token").val()
                 };
 
                 $("#tip").html("<img src='${staticServePath}/images/loading.gif'/> loading...");