HOR-3433

Fix ProcessMaker User Password Hash Disclosure.
2017-08-09 14:40:02 -04:00
parent b839a247d9
commit 2f3daccd6b
5 changed files with 43 additions and 4 deletions
--- a/workflow/engine/src/ProcessMaker/BusinessModel/User.php
+++ b/workflow/engine/src/ProcessMaker/BusinessModel/User.php
@@ -785,7 +785,7 @@ class User
                    $oUser = new Users();
                    $aUser = $oUser->load($userUid);
                    $oUserProperty = new UsersProperties();
-                    $aUserProperty = $oUserProperty->loadOrCreateIfNotExists($userUid, array("USR_PASSWORD_HISTORY" => serialize(array($aUser["USR_PASSWORD"]))));
+                    $aUserProperty = $oUserProperty->loadOrCreateIfNotExists($userUid, array("USR_PASSWORD_HISTORY" => serialize(array($oUser->getUsrPassword()))));
                    $aUserProperty["USR_LOGGED_NEXT_TIME"] = $arrayData["USR_LOGGED_NEXT_TIME"];
                    $oUserProperty->update($aUserProperty);
                }
--- a/workflow/engine/src/ProcessMaker/BusinessModel/WebEntry.php
+++ b/workflow/engine/src/ProcessMaker/BusinessModel/WebEntry.php
@@ -382,7 +382,7 @@ class WebEntry
                    $arrayUserData = $user->load($arrayWebEntryData["USR_UID"]);

                    $usrUsername = $arrayUserData["USR_USERNAME"];
-                    $usrPassword = $arrayUserData["USR_PASSWORD"];
+                    $usrPassword = $user->getUsrPassword();

                    $dynaForm = new \Dynaform();