• This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn more.

Fixed Time limit password reset

Kent

Active member
#1
An unused password reset code can be used at any time so long as another password reset isn't requested. Sorry if a time limit is already implemented and I missed it.

Reproduce:
Code:
insert into xf_user_confirmation (`user_id`, `confirmation_type`, `confirmation_key`, `confirmation_date`) values('3', 'password', 'test', unix_timestamp() - (60*60*24*30*3));
insert into xf_user_confirmation (`user_id`, `confirmation_type`, `confirmation_key`, `confirmation_date`) values('4', 'password', 'test', 0);
/lost-password/3/confirm?c=test
/lost-password/4/confirm?c=test

Doing something like this:
PHP:
    public function validateUserConfirmationRecord($key, array $confirmation)
    {
        if (XenForo_Application::$time - $confirmation['confirmation_date'] >= 60*60*24*7) // 7 days
        {
            return false;
        }

        return ($confirmation['confirmation_key'] === $key);
    }
Or adding a daily cron to prune old password resets would solve it.
 

Slavik

XenForo moderator
Staff member
#2
I remember this being commented on before... and I swear they were set with an expiry.

Let me poke $Mike...