Merge pull request #12328 from nanolikeyou/master

fix several security vulnerabilities

Merge pull request #12328 from nanolikeyou/master
fix several security vulnerabilities
c1b2e062 · D · GitHub · 9eaff268 · d8dbacae · c1b2e062
Commit c1b2e062 authored Aug 08, 2017 by D Committed by GitHub Aug 08, 2017
5 changed files
--- a/src/main/java/org/b3log/solo/processor/LoginProcessor.java
+++ b/src/main/java/org/b3log/solo/processor/LoginProcessor.java
@@ -351,12 +351,23 @@ public class LoginProcessor {
            final JSONObject requestJSONObject;
            requestJSONObject = Requests.parseRequestJSONObject(request, context.getResponse());
-            final String userEmail = requestJSONObject.getString(User.USER_EMAIL);
+			final String token = requestJSONObject.getString("token");
-            final String newPwd = requestJSONObject.getString("newPwd");
+			final String newPwd = requestJSONObject.getString("newPwd");
-            final JSONObject user = userQueryService.getUserByEmail(userEmail);
+			final JSONObject passwordResetOption = optionQueryService.getOptionById(token);
-            user.put(User.USER_PASSWORD, newPwd);
+			if (null == passwordResetOption) {
-            userMgmtService.updateUser(user);
+				LOGGER.log(Level.WARN, "Not found user by that token:[{0}]", token);
+				jsonObject.put("succeed", true);
+				jsonObject.put("to", Latkes.getServePath() + "/login?from=reset");
+				jsonObject.put(Keys.MSG, langPropsService.get("resetPwdFailedMsg"));
+				return;
+			}
+			final String userEmail = passwordResetOption.getString(Option.OPTION_VALUE);
+			final JSONObject user = userQueryService.getUserByEmail(userEmail);
+			user.put(User.USER_PASSWORD, newPwd);
+			userMgmtService.updateUser(user);
+			// TODO delete expired token
            LOGGER.log(Level.DEBUG, "[{0}]'s password updated successfully.", userEmail);
            jsonObject.put("succeed", true);
@@ -392,19 +403,17 @@ public class LoginProcessor {
        final String token = new Randoms().nextStringWithMD5();
        final String adminEmail = preference.getString(Option.ID_C_ADMIN_EMAIL);
        final String mailSubject = langPropsService.get("resetPwdMailSubject");
-        final String mailBody = langPropsService.get("resetPwdMailBody") + " " + Latkes.getServePath() + "/forgot?token=" + token
+		final String mailBody = langPropsService.get("resetPwdMailBody") + " " + Latkes.getServePath()
-                + "&login=" + userEmail;
+				+ "/forgot?token=" + token;
        final MailService.Message message = new MailService.Message();
        final JSONObject option = new JSONObject();
-        option.put(Keys.OBJECT_ID, token);
+		option.put(Keys.OBJECT_ID, token);
-        option.put(Option.OPTION_CATEGORY, "passwordReset");
+		option.put(Option.OPTION_CATEGORY, "passwordReset");
-        option.put(Option.OPTION_VALUE, System.currentTimeMillis());
+		option.put(Option.OPTION_VALUE, userEmail);
+		final Transaction transaction = optionRepository.beginTransaction();
-        final Transaction transaction = optionRepository.beginTransaction();
+		optionRepository.add(option);
-        optionRepository.add(option);
        transaction.commit();
        message.setFrom(adminEmail);
@@ -454,7 +463,6 @@ public class LoginProcessor {
        dataModel.put(Option.ID_C_BLOG_TITLE, preference.getString(Option.ID_C_BLOG_TITLE));
        final String token = request.getParameter("token");
-        final String email = request.getParameter("login");
        final JSONObject tokenObj = optionQueryService.getOptionById(token);
        if (tokenObj == null) {
@@ -462,7 +470,7 @@ public class LoginProcessor {
        } else {
            // TODO verify the expired time in the tokenObj
            dataModel.put("inputType", "password");
-            dataModel.put("userEmailHidden", email);
+			dataModel.put("tokenHidden", token);
        }
        final String from = request.getParameter("from");

--- a/src/main/resources/lang_en_US.properties
+++ b/src/main/resources/lang_en_US.properties
@@ -298,6 +298,7 @@ forgotLabel=forgot password
 sendLabel=Send
 userEmailNotFoundMsg=Sorry, email not found.
 resetPwdSuccessMsg=Password reset successfully.
+resetPwdFailedMsg=Can not find valid email by that token.
 resetPwdSuccessSend=Check your e-mail for the confirmation link.
 resetPwdMailSubject=[Solo]Password Reset
 resetPwdMailBody=To reset your password please open the link below. If this is a mistake just ignore this email - your password will not be changed.<p>

--- a/src/main/resources/lang_zh_CN.properties
+++ b/src/main/resources/lang_zh_CN.properties
@@ -298,6 +298,7 @@ forgotLabel=\u5FD8\u8BB0\u5BC6\u7801
 sendLabel=\u53D1\u9001
 userEmailNotFoundMsg=\u90AE\u7BB1\u5730\u5740\u6709\u8BEF\uFF0C\u8BF7\u91CD\u8BD5
 resetPwdSuccessMsg=\u5BC6\u7801\u4FEE\u6539\u6210\u529F
+resetPwdFailedMsg=\u4e0d\u80fd\u6839\u636e\u6b64token\u627e\u5230\u6709\u6548\u90ae\u7bb1\u4fe1\u606f
 resetPwdSuccessSend=\u66F4\u6539\u5BC6\u7801\u7684\u786E\u8BA4\u94FE\u63A5\u5DF2\u53D1\u9001\u81F3\u6307\u5B9A\u90AE\u7BB1
 resetPwdMailSubject=[Solo]\u91CD\u7F6E\u5BC6\u7801
 resetPwdMailBody=\u60F3\u66F4\u6539\u5BC6\u7801\uFF0C\u8BF7\u6253\u5F00\u4E0B\u9762\u94FE\u63A5\uFF1B\u82E5\u4E0D\u60F3\u4FEE\u6539\uFF0C\u53EA\u8981\u5FFD\u7565\u6B64\u6B21\u90AE\u4EF6\uFF0C\u7CFB\u7EDF\u5E76\u4E0D\u4F1A\u81EA\u52A8\u4FEE\u6539\u60A8\u7684\u5BC6\u7801\u3002<p>

--- a/src/main/webapp/reset-pwd.ftl
+++ b/src/main/webapp/reset-pwd.ftl
@@ -18,8 +18,8 @@ ${forgotLabel}
        <label for="emailOrPassword">
        ${userPasswordLabel}
        </label>
-        <input id="emailOrPassword"/>
+        <input type="password" id="emailOrPassword"/>
-        <input type="hidden" id="userEmailHidden" value="${userEmailHidden}" />
+		<input type="hidden" id="token" value="${tokenHidden}" />
        <button id="sendBtn" onclick='reset();'>${ok}</button>
        <span id="tip"></span>
    </div>
@@ -52,7 +52,7 @@ ${forgotLabel}
        }
        var requestJSONObject = {
            "newPwd": $("#emailOrPassword").val(),
-            "userEmail": $("#userEmailHidden").val()
+            "token": $("#token").val()
        };
        $("#tip").html("<img src='${staticServePath}/images/loading.gif'/> loading...");

--- a/src/test/resources/reset-pwd.ftl
+++ b/src/test/resources/reset-pwd.ftl
@@ -44,8 +44,8 @@
                            <label for="emailOrPassword">
                                ${userPasswordLabel}
                            </label>
-                            <input id="emailOrPassword"/>
+                            <input type="password" id="emailOrPassword"/>
-                            <input type="hidden" id="userEmailHidden" value="${userEmailHidden}" />
+                            <input type="hidden" id="token" value="${tokenHidden}" />
                            <button id="sendBtn" onclick='reset();'>${ok}</button>
                            <span id="tip"></span>
                        </div>
@@ -92,7 +92,7 @@
                }
                var requestJSONObject = {
                    "newPwd": $("#emailOrPassword").val(),
-                    "userEmail": $("#userEmailHidden").val()
+                    "token": $("#token").val()
                };
                $("#tip").html("<img src='${staticServePath}/images/loading.gif'/> loading...");