[SECURITY] Respect expiration time of password reset token

When a TYPO3 backend user performs a password reset request, a password reset link including an expiration time is sent to the user. The expiration time is included in HMAC calculation of the saved password reset hash, but it is never evaluated if the expiration time is exceeded. This change adds the missing validity check for the expiration time included in the password reset link. Resolves: #97998 Releases: main, 11.5, 10.4 Change-Id: I8a1730faf6489e5c5eebb44ff4f82606785bd637 Security-Bulletin: TYPO3-CORE-SA-2022-008 Security-References: CVE-2022-36106 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/75711 Tested-by: Oliver Hader <oliver.hader@typo3.org> Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
TYPO3 · Sep 13, 2022 · 00b52a4 · 00b52a4
1 parent f0fc9c4
commit 00b52a4
Showing 1 changed file with 5 additions and 0 deletions.
diff --git a/typo3/sysext/backend/Classes/Authentication/PasswordReset.php b/typo3/sysext/backend/Classes/Authentication/PasswordReset.php
@@ -278,6 +278,11 @@ public function isValidResetTokenFromRequest(ServerRequestInterface $request): b
      */
     protected function findValidUserForToken(string $token, string $identity, int $expirationTimestamp): ?array
     {
+        // Early return if token expired
+        if ($expirationTimestamp < time()) {
+            return null;
+        }
+
         $user = null;
         // Find the token in the database
         $queryBuilder = $this->getPreparedQueryBuilder();