[PATCH PoC] secure password reset implementation

Mads Kiilerich mads at kiilerich.com
Wed May 20 06:00:02 EDT 2015


On 05/20/2015 10:38 AM, Andrew Shadura wrote:
> Hello,
>
> On Tue, 19 May 2015 17:10:46 +0200
> Mads Kiilerich <mads at kiilerich.com> wrote:
>>> @@ -296,10 +300,19 @@ class UserModel(BaseModel):
>>>    
>>>            user_email = data['email']
>>>            user = User.get_by_email(user_email)
>>> +        timestamp = int(time.time())
>>>            if user:
>>>                log.debug('password reset user found %s' % user)
>>> +            token = hashlib.sha1('%s%s%s%s%s' % (user.user_id,
>>> +                                               timestamp,
>>> +                                               user.password,
>>> +                                               session.id,
>>> +
>>> config.get('app_instance_uuid'))
>>> +            ).hexdigest()
>> Now we are reinventing crypto. That is dangerous. One thing: One
>> thing is that hashes could give conflicts in the hash but we should
>> make sure that we never got "collisions" in the input string - such
>> collisions could perhaps be used as attacks. Perhaps use \n as
>> delimiter of the fields?
> Well, none of the data we use here is accepted directly from user
> (except timestamp — when verifying the token; I should probably
> validate it before using). From what I saw in similar cases elsewhere
> (for example, OAuth 1.0), sometimes the data is escaped to avoid
> collisions.

I agree ... but adding a separator that can't occur in the inputs would 
make the code more resilient to future errors


By the way, for the record to others: We will need a similar scheme for 
verifying email addresses configured by users.

/Mads


More information about the kallithea-general mailing list