From 87a30ff064c14ecdac1dd7a67c237a7299312bd5 Mon Sep 17 00:00:00 2001
From: plegall <plg@piwigo.org>
Date: Mon, 28 Jul 2014 19:27:50 +0000
Subject: bug 3050: increase security on reset password algorithm.

* reset key has a 1-hour life
* reset key is automatically deleted once used
* reset key is stored as a hash

Thank you effigies for code suggestions


git-svn-id: http://piwigo.org/svn/trunk@29111 68402e56-0260-453c-a942-63ccdbb3a9ee
---
 install/db/144-database.php | 43 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 43 insertions(+)
 create mode 100644 install/db/144-database.php

(limited to 'install')

diff --git a/install/db/144-database.php b/install/db/144-database.php
new file mode 100644
index 000000000..6f1e7b936
--- /dev/null
+++ b/install/db/144-database.php
@@ -0,0 +1,43 @@
+<?php
+// +-----------------------------------------------------------------------+
+// | Piwigo - a PHP based photo gallery                                    |
+// +-----------------------------------------------------------------------+
+// | Copyright(C) 2008-2014 Piwigo Team                  http://piwigo.org |
+// | Copyright(C) 2003-2008 PhpWebGallery Team    http://phpwebgallery.net |
+// | Copyright(C) 2002-2003 Pierrick LE GALL   http://le-gall.net/pierrick |
+// +-----------------------------------------------------------------------+
+// | This program is free software; you can redistribute it and/or modify  |
+// | it under the terms of the GNU General Public License as published by  |
+// | the Free Software Foundation                                          |
+// |                                                                       |
+// | This program is distributed in the hope that it will be useful, but   |
+// | WITHOUT ANY WARRANTY; without even the implied warranty of            |
+// | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU      |
+// | General Public License for more details.                              |
+// |                                                                       |
+// | You should have received a copy of the GNU General Public License     |
+// | along with this program; if not, write to the Free Software           |
+// | Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, |
+// | USA.                                                                  |
+// +-----------------------------------------------------------------------+
+
+if (!defined('PHPWG_ROOT_PATH'))
+{
+  die('Hacking attempt!');
+}
+
+$upgrade_description = 'add activation_key_expire';
+
+// we use PREFIX_TABLE, in case Piwigo uses an external user table
+pwg_query('
+ALTER TABLE '.USER_INFOS_TABLE.'
+  CHANGE activation_key activation_key VARCHAR(255) DEFAULT NULL,
+  ADD COLUMN activation_key_expire DATETIME DEFAULT NULL AFTER activation_key
+;');
+
+// purge current expiration keys
+pwg_query('UPDATE '.USER_INFOS_TABLE.' SET activation_key = NULL;');
+
+echo "\n".$upgrade_description."\n";
+
+?>
-- 
cgit v1.2.3