RTC PR-4.4-dev Pending

SniperSister
25 Mar 2025

Summary of Changes

With this change we make sure the reset token is invalidated (set to an empty string) when the account email is changed. This ensures that only the owner of the currently set email address can perform reset or activation tasks.

Testing Instructions

  • Create a new user.
  • Request a PW reset.
  • Check that the mail got out.
  • Log in (without resetting the PW).
  • Change the email (Frontend or Backend).
  • Try to reset the PW with the reset token sent to the old mail.

Actual result BEFORE applying this Pull Request

Without this patch the old token still works.

Expected result AFTER applying this Pull Request

With this patch this is not possible any more, as the token has been changed at the time the mail has been changed.


SniperSister - open - 25 Mar 2025
SniperSister - change - 25 Mar 2025
Status: New → Pending
joomla-cms-bot - change - 25 Mar 2025
Category: Libraries
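
The behaviour the pull request describes, as an added example that is not part of the pull request or of Joomla's code: a small PHP 8 model that runs the testing steps once without and once with the token being cleared on email change. The `Account` class, its method names and the `$clearTokenOnEmailChange` switch are hypothetical, and storing only a SHA-256 hash of the token is an assumption of the example.

```php
<?php
declare(strict_types=1);

// Hypothetical in-memory model (PHP 8+); this is not Joomla's User class.
final class Account
{
    private string $resetTokenHash = '';

    // $clearTokenOnEmailChange: false = before the patch, true = after.
    public function __construct(private string $email, private bool $clearTokenOnEmailChange) {}

    // Returns the raw token that would be mailed; only its hash is kept (assumption).
    public function requestReset(): string
    {
        $token = bin2hex(random_bytes(16));
        $this->resetTokenHash = hash('sha256', $token);
        return $token;
    }

    public function changeEmail(string $newEmail): void
    {
        if ($this->clearTokenOnEmailChange && $newEmail !== $this->email) {
            $this->resetTokenHash = ''; // the change described above
        }
        $this->email = $newEmail;
    }

    public function confirmReset(string $token): bool
    {
        // An empty stored value means "no reset pending" and must never match.
        if ($this->resetTokenHash === '' || $token === '') {
            return false;
        }
        $ok = hash_equals($this->resetTokenHash, hash('sha256', $token));
        if ($ok) {
            $this->resetTokenHash = ''; // tokens are single use
        }
        return $ok;
    }
}

// Constructed walk-through of the testing instructions, unpatched then patched.
foreach ([false, true] as $patched) {
    $account  = new Account('old@example.test', $patched);
    $oldToken = $account->requestReset();      // mailed to old@example.test
    $account->changeEmail('new@example.test'); // owner logs in and changes the email
    printf("%s: old token accepted = %s\n", $patched ? 'patched' : 'unpatched',
        var_export($account->confirmReset($oldToken), true));
}
```
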
fgsw - comment - 26 Mar 2025

Actual result BEFORE applying this Pull Request

With this patch this is not possible any more as the token has been changed at the time the mail has been changed

Expected result AFTER applying this Pull Request

Without this patch the old token still works.

@SniperSister Should the description of "Before" be changed with "After"?

SniperSister - change - 26 Mar 2025
The description was changed
SniperSister - edited - 26 Mar 2025
SniperSister - comment - 26 Mar 2025

@fgsw you are right! :) updated the description accordingly!

SniperSister - change - 26 Mar 2025
Labels Added: PR-4.4-dev
ssnobben - comment - 26 Mar 2025

@SniperSister is this an issue also on Joomla 5.2+?


This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/45221.

SniperSister - comment - 26 Mar 2025

@ssnobben yes it is.

tecpromotion - comment - 3 Apr 2025

works

tecpromotion - test_item - 3 Apr 2025 - Tested successfully
tecpromotion - comment - 3 Apr 2025

I have tested this item ✅ successfully on 1514412



richard67 - test_item - 3 Apr 2025 - Tested successfully
richard67 - comment - 3 Apr 2025

I have tested this item ✅ successfully on 1514412

I was able to reproduce the issue and to test that the patch fixes it. In addition I've successfully verified that password reset with the right email address still works as well as before.



richard67 - change - 3 Apr 2025
Status: Pending → Ready to Commit
richard67 - comment - 3 Apr 2025

RTC



MacJoom - change - 3 Apr 2025
Status: Ready to Commit → Fixed in Code Base
Closed_Date: 0000-00-00 00:00:00 → 2025-04-03 12:33:25
Closed_By: MacJoom
Labels Added: RTC
MacJoom - close - 3 Apr 2025
MacJoom - merge - 3 Apr 2025
MacJoom - comment - 3 Apr 2025

Thank you very much!
