HOR-3433

Fix ProcessMaker User Password Hash Disclosure.
2017-08-09 14:40:02 -04:00
parent b839a247d9
commit 2f3daccd6b
5 changed files with 43 additions and 4 deletions
--- a/workflow/engine/src/ProcessMaker/BusinessModel/User.php
+++ b/workflow/engine/src/ProcessMaker/BusinessModel/User.php
@@ -785,7 +785,7 @@ class User
                    $oUser = new Users();
                    $aUser = $oUser->load($userUid);
                    $oUserProperty = new UsersProperties();
-                    $aUserProperty = $oUserProperty->loadOrCreateIfNotExists($userUid, array("USR_PASSWORD_HISTORY" => serialize(array($aUser["USR_PASSWORD"]))));
+                    $aUserProperty = $oUserProperty->loadOrCreateIfNotExists($userUid, array("USR_PASSWORD_HISTORY" => serialize(array($oUser->getUsrPassword()))));
                    $aUserProperty["USR_LOGGED_NEXT_TIME"] = $arrayData["USR_LOGGED_NEXT_TIME"];
                    $oUserProperty->update($aUserProperty);
                }