Fixed Time limit password reset

Kent

Active member
An unused password reset code can be used at any time so long as another password reset isn't requested. Sorry if a time limit is already implemented and I missed it.

Reproduce:
Code:
-- Two stale, never-used password reset records (keys constructed for the test):
-- user 3: created roughly 90 days ago
insert into xf_user_confirmation (`user_id`, `confirmation_type`, `confirmation_key`, `confirmation_date`) values('3', 'password', 'test', unix_timestamp() - (60*60*24*30*3));
-- user 4: confirmation_date of 0 (the Unix epoch), i.e. as old as a record can be
insert into xf_user_confirmation (`user_id`, `confirmation_type`, `confirmation_key`, `confirmation_date`) values('4', 'password', 'test', 0);

/lost-password/3/confirm?c=test
/lost-password/4/confirm?c=test

Doing something like this:
PHP:
    public function validateUserConfirmationRecord($key, array $confirmation)
    {
        // Reject the record outright if it is older than the window,
        // regardless of whether the key matches.
        if (XenForo_Application::$time - $confirmation['confirmation_date'] >= 60*60*24*7) // 7 days
        {
            return false;
        }

        // Only a fresh record gets as far as the key comparison.
        return ($confirmation['confirmation_key'] === $key);
    }

Or adding a daily cron to prune old password resets would solve it.
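As an added, stand-alone illustration of the fix proposed above (example code, not XenForo's own): the same check with the expiry window, plus the prune query the cron would run. It assumes a `$confirmation` array shaped like a row of `xf_user_confirmation` (keys `confirmation_key`, `confirmation_date` as a Unix timestamp, `confirmation_type`), takes the current time as a parameter instead of reading `XenForo_Application::$time` so it can be run with fixed timestamps, and swaps the `===` comparison for `hash_equals()` so the key check runs in constant time. The function names and the sample rows are constructed for the example.

```php
<?php
// Added example, not XenForo code: expiry-limited confirmation check modelled on the
// validateUserConfirmationRecord() signature quoted in the post, plus the prune SQL.

const PASSWORD_RESET_MAX_AGE = 60 * 60 * 24 * 7; // 7 days, as suggested in the post

/**
 * True only if $key matches the stored key AND the record is younger than $maxAge.
 * $now is passed in (instead of XenForo_Application::$time) so the check is testable.
 */
function isConfirmationValid($key, array $confirmation, $now, $maxAge = PASSWORD_RESET_MAX_AGE)
{
    // An empty or missing key on either side never validates.
    if (!is_string($key) || $key === '' || empty($confirmation['confirmation_key'])) {
        return false;
    }
    // Only password-reset records are accepted by this check (assumed type value).
    if (isset($confirmation['confirmation_type']) && $confirmation['confirmation_type'] !== 'password') {
        return false;
    }

    $age = $now - (int) $confirmation['confirmation_date'];
    // Reject expired records; also reject records dated in the future (clock skew or a
    // tampered row). ">=" keeps the boundary itself invalid, as in the post's snippet.
    if ($age < 0 || $age >= $maxAge) {
        return false;
    }

    // hash_equals() (PHP >= 5.6) compares in constant time; === stops at the first
    // differing byte, which can leak key prefixes through timing.
    return hash_equals((string) $confirmation['confirmation_key'], $key);
}

/**
 * Statement for the daily prune cron mentioned in the post: drop unused password
 * resets older than the window. Returned as [sql, params] for a prepared statement;
 * it is not executed here.
 */
function pruneStaleResetsSql($now, $maxAge = PASSWORD_RESET_MAX_AGE)
{
    $sql = 'DELETE FROM xf_user_confirmation WHERE confirmation_type = ? AND confirmation_date < ?';
    return array($sql, array('password', $now - $maxAge));
}

// Demo with the two rows from the reproduction steps (90 days old, epoch 0) and a
// fresh one. Timestamps and keys are constructed for this example.
$now = 1400000000;
$rows = array(
    'user 3, 90 days old' => array('confirmation_type' => 'password', 'confirmation_key' => 'test',
                                   'confirmation_date' => $now - 60 * 60 * 24 * 30 * 3),
    'user 4, epoch 0'     => array('confirmation_type' => 'password', 'confirmation_key' => 'test',
                                   'confirmation_date' => 0),
    'fresh, 1 hour old'   => array('confirmation_type' => 'password', 'confirmation_key' => 'test',
                                   'confirmation_date' => $now - 3600),
);
foreach ($rows as $label => $row) {
    printf("%-20s key 'test' -> %s\n", $label,
        isConfirmationValid('test', $row, $now) ? 'accepted' : 'rejected');
}
printf("%-20s key 'nope' -> %s\n", 'fresh, wrong key',
    isConfirmationValid('nope', $rows['fresh, 1 hour old'], $now) ? 'accepted' : 'rejected');

list($sql, $params) = pruneStaleResetsSql($now);
echo "prune: $sql  params: " . json_encode($params) . "\n";
```

Run with `php example.php`: the 90-day-old and epoch-0 rows are rejected, the one-hour-old row is accepted with the right key and rejected with the wrong one. The expiry check and the prune cron are complementary rather than alternatives: the cron keeps the table small, but only the check in the validation path closes the window for a record that was created just before the cron's cut-off.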
 
I remember this being commented on before... and I swear they were set with an expiry.

Let me poke $Mike...
 