Mascali/raspisms
1
0
Fork 0
mirror of https://github.com/RaspbianFrance/raspisms.git synced 2025-04-20 16:37:48 +02:00
Code Issues Projects Releases Wiki Activity

encode token to prevent bad url

Browse source
This commit is contained in:
osaajani 2025-04-15 15:18:43 +02:00
parent 01f836108d
commit aaa0fe5701
3 changed files with 31 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

2
VERSION
View file

@ -1 +1 @@
v3.9.3
v3.9.4

24
controllers/internals/Tool.php
View file

@ -463,4 +463,28 @@ use BenMorel\GsmCharsetConverter\Converter;
$converter = new Converter();
return $converter->cleanUpUtf8String($text, true, '?');
}
/**
* Encode some data into the URL version of Base64 encoding
*
* @param string $data Input data
* @return string A Base64 (URL-safe) encoded string
*/
public static function url_base64_encode(string $data): string
{
return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
}
/**
* Decode a URL-safe Base64 encoded string
*
* @param string $data Encoded data
* @return string Decoded original data
*/
public static function url_base64_decode(string $data): string
{
$replaced = strtr($data, '-_', '+/');
$padded = str_pad($replaced, mb_strlen($replaced) % 4 === 0 ? mb_strlen($replaced) : mb_strlen($replaced) + 4 - mb_strlen($replaced) % 4, '=', STR_PAD_RIGHT);
return base64_decode($padded);
}
}

8
controllers/publics/Connect.php
View file

@ -11,6 +11,8 @@
namespace controllers\publics;
use controllers\internals\Tool;
/**
* Page de connexion.
*/
@ -117,8 +119,9 @@ namespace controllers\publics;
$Tokenista = new \Ingenerator\Tokenista(APP_SECRET);
$token = $Tokenista->generate(3600, ['id_user' => $user['id']]);
$encoded_token = Tool::url_base64_encode($token);
$reset_link = \descartes\Router::url('Connect', 'reset_password', ['id_user' => $user['id'], 'token' => $token]);
$reset_link = \descartes\Router::url('Connect', 'reset_password', ['id_user' => $user['id'], 'token' => $encoded_token]);
$mailer = new \controllers\internals\Mailer();
$email_send = $mailer->enqueue($email, EMAIL_RESET_PASSWORD, ['reset_link' => $reset_link]);
@ -139,7 +142,8 @@ namespace controllers\publics;
$Tokenista = new \Ingenerator\Tokenista(APP_SECRET);
if (!$Tokenista->validate($token, ['id_user' => $id_user]))
$decoded_token = Tool::url_base64_decode($token);
if (!$Tokenista->validate($decoded_token, ['id_user' => $id_user]))
{
return $this->render('connect/reset-password-invalid');
}