diff --git a/mod/lostpass.php b/mod/lostpass.php index 2ce396e36..211477b0d 100644 --- a/mod/lostpass.php +++ b/mod/lostpass.php @@ -41,10 +41,10 @@ function lostpass_post(App $a) DI::baseUrl()->redirect(); } - $pwdreset_token = Strings::getRandomName(12) . random_int(1000, 9999); + $pwdreset_token = Strings::getRandomHex(32); $fields = [ - 'pwdreset' => $pwdreset_token, + 'pwdreset' => hash('sha256', $pwdreset_token), 'pwdreset_time' => DateTimeFormat::utcNow() ]; $result = DBA::update('user', $fields, ['uid' => $user['uid']]); @@ -95,7 +95,7 @@ function lostpass_content(App $a) if ($a->argc > 1) { $pwdreset_token = $a->argv[1]; - $user = DBA::selectFirst('user', ['uid', 'username', 'nickname', 'email', 'pwdreset_time', 'language'], ['pwdreset' => $pwdreset_token]); + $user = DBA::selectFirst('user', ['uid', 'username', 'nickname', 'email', 'pwdreset_time', 'language'], ['pwdreset' => hash('sha256', $pwdreset_token)]); if (!DBA::isResult($user)) { notice(DI::l10n()->t("Request could not be verified. \x28You may have previously submitted it.\x29 Password reset failed."));