Merge branch 'seeddms-6.0.x' into seeddms-6.1.x

2025-11-27 18:10:42 +00:00 · 2022-11-02 09:01:56 +01:00 · 2022-11-02 09:01:56 +01:00 · a66537b747
commit a66537b747
parent 757d950802 dc6b153df8
4 changed files with 17 additions and 8 deletions
--- a/SeedDMS_Core/Core/inc.ClassDMS.php
+++ b/SeedDMS_Core/Core/inc.ClassDMS.php
@ -3334,7 +3334,15 @@ class SeedDMS_Core_DMS {
 	 * @return string|boolean hash value of false in case of an error
 	 */
 	function createPasswordRequest($user) { /* {{{ */
-		$hash = md5(uniqid(time()));
+		$lenght = 32;
+		if (function_exists("random_bytes")) {
+			$bytes = random_bytes(ceil($lenght / 2));
+		} elseif (function_exists("openssl_random_pseudo_bytes")) {
+			$bytes = openssl_random_pseudo_bytes(ceil($lenght / 2));
+		} else {
+			return false;
+		}
+		$hash = bin2hex($bytes);
 		$queryStr = "INSERT INTO `tblUserPasswordRequest` (`userID`, `hash`, `date`) VALUES (" . $user->getId() . ", " . $this->db->qstr($hash) .", ".$this->db->getCurrentDatetime().")";
 		$resArr = $this->db->getResult($queryStr);
 		if (is_bool($resArr) && !$resArr) return false;
--- a/SeedDMS_Core/package.xml
+++ b/SeedDMS_Core/package.xml
@ -2443,6 +2443,7 @@ better error checking in SeedDMS_Core_Document::cancelCheckOut()
   <notes>
 - fix SeedDMS_Core_User::getDocumentContents()
 - fix SeedDMS_Core_File::fileExtension()
+- SeedDMS_Core_DMS::createPasswordRequest() creates a cryptographically secure hash
   </notes>
  </release>
 </changelog>
--- a/op/op.PasswordForgotten.php
+++ b/op/op.PasswordForgotten.php
@ -27,7 +27,7 @@ include("../inc/inc.Extension.php");
 include("../inc/inc.DBInit.php");
 include("../inc/inc.ClassSession.php");
 include("../inc/inc.ClassUI.php");
-include("../inc/inc.ClassEmailNotify.php");
+//include("../inc/inc.ClassEmailNotify.php");

 include $settings->_rootDir . "languages/" . $settings->_language . "/lang.inc";

--- a/webdav/webdav.php
+++ b/webdav/webdav.php
@ -206,7 +206,8 @@ class HTTP_WebDAV_Server_SeedDMS extends HTTP_WebDAV_Server
 	 */
 	function reverseLookup($path) /* {{{ */
 	{
-		$path = rawurldecode($path);
+		// do not use rawurl[de|en]code anymore, search for rawurlencode
+//		$path = rawurldecode($path);
 		if($this->logger)
 			$this->logger->log('reverseLookup: path='.$path.'', PEAR_LOG_DEBUG);

@ -384,8 +385,8 @@ class HTTP_WebDAV_Server_SeedDMS extends HTTP_WebDAV_Server
 			array_shift($patharr);
 			$path = '';
 			foreach($patharr as $pathseg)
-				$path .= '/'.rawurlencode($pathseg->getName());
-//				$path .= '/'.$pathseg->getName();
+//				$path .= '/'.rawurlencode($pathseg->getName());
+				$path .= '/'.$pathseg->getName();
 			if(!$path) {
 				$path = '/';
 				$info["props"][] = $this->mkprop("isroot", "true");
@ -407,9 +408,8 @@ class HTTP_WebDAV_Server_SeedDMS extends HTTP_WebDAV_Server
 			array_shift($patharr);
 			$path = '/';
 			foreach($patharr as $pathseg)
-				$path .= rawurlencode($pathseg->getName()).'/';
-//				$path .= $pathseg->getName().'/';
-//			$info["path"] = htmlspecialchars($path.rawurlencode($obj->getName()));
+//				$path .= rawurlencode($pathseg->getName()).'/';
+				$path .= $pathseg->getName().'/';
 			if($this->useorgfilename) {
 				/* Add the document id and version to the display name.
 				 * I doesn't harm because for