
Ticket #1143 (open enhancement)

Password recovery

  • Created: 2019-12-23 12:36:53
  • Reported by: Visman
  • Assigned to: None
  • Milestone: None
  • Component: security
  • Priority: lowest

When recovering the password, the letter should be sent to the email address from the database, not to the email address entered by the user.

History

Franz 2019-12-30 10:46:10

Hi, can you please explain what that would change? Unless I am missing something, we are [making an equality check in the query](https://github.com/fluxbb/fluxbb/blob/b … n.php#L142), so the value in the database would be exactly the same?

What's the "security" aspect here?

Visman 2019-12-30 13:00:07

This is more of a preventive ticket. FluxBB may suddenly start supporting Unicode email addresses. Therefore Priority == lowest.

Hacking GitHub with Unicode's dotless 'i': https://eng.getwisdom.io/hacking-github … dotless-i/

PHP 7.3 https://www.php.net/manual/en/migration … ng-folding

Franz 2019-12-30 23:08:54

Hmm, very interesting and insightful, thanks!

For the concrete fix: using the value from the database wouldn't help us much, as we apply strtolower() when storing the email address as well. hmm
