[SS-2016-008] Reset Member::Salt on password change

silverstripe · Aug 15, 2016 · 298f615 · 298f615
1 parent 4d9f929
commit 298f615
Showing 1 changed file with 6 additions and 3 deletions.
diff --git a/security/Member.php b/security/Member.php
@@ -786,8 +786,8 @@ public static function currentUserID() {
 	 * @return string Returns a random password.
 	 */
 	public static function create_new_password() {
-		if(file_exists(Security::get_word_list())) {
-			$words = file(Security::get_word_list());
+		if(file_exists(Security::config()->word_list)) {
+			$words = file(Security::config()->word_list);
 
 			list($usec, $sec) = explode(' ', microtime());
 			srand($sec + ((float) $usec * 100000));
@@ -799,7 +799,7 @@ public static function create_new_password() {
 		} else {
 			$random = rand();
 			$string = md5($random);
-			$output = substr($string, 0, 6);
+			$output = substr($string, 0, 8);
 			return $output;
 		}
 	}
@@ -858,6 +858,9 @@ public function onBeforeWrite() {
 		// Note that this only works with cleartext passwords, as we can't rehash
 		// existing passwords.
 		if((!$this->ID && $this->Password) || $this->isChanged('Password')) {
+			//reset salt so that it gets regenerated - this will invalidate any persistant login cookies
+			// or other information encrypted with this Member's settings (see self::encryptWithUserSettings)
+			$this->Salt = '';
 			// Password was changed: encrypt the password according the settings
 			$encryption_details = Security::encrypt_password(
 				$this->Password, // this is assumed to be cleartext