From 7a973041e5358ff3afe020e403a4f4fd80431a93 Mon Sep 17 00:00:00 2001
From: Peter Hormanns
Date: Fri, 3 Dec 2021 20:36:13 +0100
Subject: [PATCH] invalidate password reset token
---
 .../jalin/ldapadmin/ldap/PasswordValidator.java | 2 +-
 .../ldapadmin/web/ResetPasswordServlet.java | 16 +++++++++++++++-
 .../de/jalin/ldapadmin/web/messages.properties | 1 +
 .../jalin/ldapadmin/web/messages_de.properties | 1 +
 .../jalin/ldapadmin/web/messages_en.properties | 1 +
 5 files changed, 19 insertions(+), 2 deletions(-)
diff --git a/src/main/java/de/jalin/ldapadmin/ldap/PasswordValidator.java b/src/main/java/de/jalin/ldapadmin/ldap/PasswordValidator.java
index 47061ff..2ec216f 100644
--- a/src/main/java/de/jalin/ldapadmin/ldap/PasswordValidator.java
+++ b/src/main/java/de/jalin/ldapadmin/ldap/PasswordValidator.java
@@ -8,7 +8,7 @@ import org.apache.commons.codec.binary.Base64;
 
 public class PasswordValidator {
 
- private static final int MIN_PASSWORD_LEN = 6;
+ private static final int MIN_PASSWORD_LEN = 8;
 private static final Base64 BASE64 = new Base64();
 private static final String LABEL = "{SSHA512}";
 private static final String SALT_CHARACTERS =
diff --git a/src/main/java/de/jalin/ldapadmin/web/ResetPasswordServlet.java b/src/main/java/de/jalin/ldapadmin/web/ResetPasswordServlet.java
index 8e68a37..86c3154 100644
--- a/src/main/java/de/jalin/ldapadmin/web/ResetPasswordServlet.java
+++ b/src/main/java/de/jalin/ldapadmin/web/ResetPasswordServlet.java
@@ -8,6 +8,10 @@ import java.io.PrintStream;
 import java.io.PrintWriter;
 import java.io.Writer;
 import java.net.InetAddress;
+import java.nio.file.Files;
+import java.nio.file.Paths;
+import java.nio.file.attribute.BasicFileAttributes;
+import java.nio.file.attribute.FileTime;
 import java.security.NoSuchAlgorithmException;
 import java.util.Collection;
 import java.util.SortedMap;
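Review bot: `MIN_PASSWORD_LEN` is raised to 8, but the `ResetPasswordServlet.simple_password` text visible in the context lines of the messages.properties hunks of this same patch still tells users the minimum is 12 characters, so the enforced policy and the stated one disagree (assuming that message is the one shown when the length check fails); pick one value and update the other side. A short Javadoc on the constant, `/** Minimum accepted password length in characters; keep in sync with the simple_password message. */`, would make that coupling visible to the next person changing either. The class body continues outside this hunk.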
@@ -53,7 +57,17 @@ public class ResetPasswordServlet extends AbstractLDAPServlet {
 cleanSession(httpSession);
 final String token = req.getParameter("token");
 if (token != null && !token.isEmpty()) {
- final File passwdResetFile = new File(tempDir + "/passwd" + token + ".tmp");
+ final String pathToTempFile = tempDir + "/passwd" + token + ".tmp";
+ final File passwdResetFile = new File(pathToTempFile);
+ final BasicFileAttributes fileAttributes = Files.readAttributes(Paths.get(pathToTempFile), BasicFileAttributes.class);
+ final FileTime creationTime = fileAttributes.creationTime();
+ final long threeHoursDifference = 10800000L;
+ if (creationTime.compareTo(FileTime.fromMillis(System.currentTimeMillis() - threeHoursDifference)) < 0) {
+ LOG.warning("password reset token has expired");
+ httpSession.setAttribute("errormessage", new Messages(req.getLocale()).getString("ResetPasswordServlet.passwordreset_tokenexpired"));
+ req.getRequestDispatcher("/reset-password.jsp").forward(req, resp);
+ return;
+ }
 if (passwdResetFile.exists() && passwdResetFile.canRead()) {
 try (final BufferedReader reader = new BufferedReader(new FileReader(passwdResetFile))) {
 final String[] uidAndEMail = reader.readLine().split(":");
diff --git a/src/main/resources/de/jalin/ldapadmin/web/messages.properties b/src/main/resources/de/jalin/ldapadmin/web/messages.properties
index e939323..2563544 100644
--- a/src/main/resources/de/jalin/ldapadmin/web/messages.properties
+++ b/src/main/resources/de/jalin/ldapadmin/web/messages.properties
@@ -14,6 +14,7 @@ ResetPasswordServlet.error_sending_email_server=Could not reach email service
 ResetPasswordServlet.error_sending_password_reset=Error sending email
 ResetPasswordServlet.invalid_password_reuse=Invalid reuse of a password known from history. A new password is required.
 ResetPasswordServlet.no_valid_passwordreset_request=Could not find a valid password request.
+ResetPasswordServlet.passwordreset_tokenexpired=The password reset token has expired
 ResetPasswordServlet.password_changed=Password changed
 ResetPasswordServlet.passwords_donot_match=Passwords do not match
 ResetPasswordServlet.simple_password=Your password is too simple. It should contain at least one lowercase and uppercase letter and a digit / secial character and a minimum length of 12 characters
diff --git a/src/main/resources/de/jalin/ldapadmin/web/messages_de.properties b/src/main/resources/de/jalin/ldapadmin/web/messages_de.properties
index 0bf263f..4cfbc5f 100644
--- a/src/main/resources/de/jalin/ldapadmin/web/messages_de.properties
+++ b/src/main/resources/de/jalin/ldapadmin/web/messages_de.properties
@@ -14,6 +14,7 @@ ResetPasswordServlet.error_sending_email_server=Konnte Mail Server nicht erreich
 ResetPasswordServlet.error_sending_password_reset=Fehler beim Versand der E-Mail f\u00fcr das Setzen eines neuen Passworts.
 ResetPasswordServlet.invalid_password_reuse=Das Passwort wurde bereits verwendet. Die Passwort-Richtlinie verlangt die Definition eines neuen Passworts.
 ResetPasswordServlet.no_valid_passwordreset_request=Es konnte keine g\u00fcltige Anforderung f\u00fcr ein neues Passwort zugeordnet werden.
+ResetPasswordServlet.passwordreset_tokenexpired=Das Token zum Passwort-Zur\u00fcchsetzen ist abgelaufen.
 ResetPasswordServlet.password_changed=Ihr neues Passwort ist gespeichert.
 ResetPasswordServlet.passwords_donot_match=Die beiden Passwort-Eingaben stimmen nicht \u00fcberein.
 ResetPasswordServlet.simple_password=Ihr Passwort ist zu einfach. Es sollte mindestens einen Klein- und Gro\u00dfbuchstaben und eine Ziffer oder Sonderzeichen enthalten sowie eine Mindestl\u00e4nge von 12 Zeichen aufweisen
diff --git a/src/main/resources/de/jalin/ldapadmin/web/messages_en.properties b/src/main/resources/de/jalin/ldapadmin/web/messages_en.properties
index e939323..2563544 100644
--- a/src/main/resources/de/jalin/ldapadmin/web/messages_en.properties
+++ b/src/main/resources/de/jalin/ldapadmin/web/messages_en.properties
@@ -14,6 +14,7 @@ ResetPasswordServlet.error_sending_email_server=Could not reach email service
 ResetPasswordServlet.error_sending_password_reset=Error sending email
 ResetPasswordServlet.invalid_password_reuse=Invalid reuse of a password known from history. A new password is required.
 ResetPasswordServlet.no_valid_passwordreset_request=Could not find a valid password request.
+ResetPasswordServlet.passwordreset_tokenexpired=The password reset token has expired
 ResetPasswordServlet.password_changed=Password changed
 ResetPasswordServlet.passwords_donot_match=Passwords do not match
 ResetPasswordServlet.simple_password=Your password is too simple. It should contain at least one lowercase and uppercase letter and a digit / secial character and a minimum length of 12 characters