[Pkg-owncloud-commits] [owncloud] 89/129: Ensure the password is only hashed in case it's changed on the client - fixes #19950

David Prévot taffit at moszumanska.debian.org
Thu Nov 5 01:04:26 UTC 2015


This is an automated email from the git hooks/post-receive script.

taffit pushed a commit to branch stable8
in repository owncloud.

commit 2a0460d88538854aad1d77a7b15007a53dfc0a30
Author: Thomas Müller <thomas.mueller at tmit.eu>
Date:   Thu Oct 22 17:32:40 2015 +0200

    Ensure the password is only hashed in case it's changed on the client - fixes #19950
---
 core/js/shareitemmodel.js   | 11 +++++++++--
 lib/private/share/share.php | 18 +++++++++++-------
 2 files changed, 20 insertions(+), 9 deletions(-)

diff --git a/core/js/shareitemmodel.js b/core/js/shareitemmodel.js
index 1cf116f..ae3cb0c 100644
--- a/core/js/shareitemmodel.js
+++ b/core/js/shareitemmodel.js
@@ -116,7 +116,8 @@
 
 			// TODO: use backbone's default value mechanism once this is a separate model
 			var requiredAttributes = [
-				{ name: 'password',	   defaultValue: '' },
+				{ name: 'password', defaultValue: '' },
+				{ name: 'passwordChanged', defaultValue: false },
 				{ name: 'permissions', defaultValue: OC.PERMISSION_READ },
 				{ name: 'expiration', defaultValue: this.configModel.getDefaultExpirationDateString() }
 			];
@@ -136,11 +137,16 @@
 				}
 			});
 
+			var password = {
+				password: attributes.password,
+				passwordChanged: attributes.passwordChanged
+			};
+
 			OC.Share.share(
 				itemType,
 				itemSource,
 				OC.Share.SHARE_TYPE_LINK,
-				attributes.password,
+				password,
 				attributes.permissions,
 				this.fileInfoModel.get('name'),
 				attributes.expiration,
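Review bot: The `password` object built just before `OC.Share.share(...)` always carries `attributes.password`, even when `passwordChanged` is false, although the PHP side of this commit ignores the value in that case. If the model was populated from an existing share, that field may hold whatever the server returned for the stored password rather than fresh user input; the code that fills the model is outside this hunk, so this is an inference. Sending the value only when it changed keeps it out of the request: `password: attributes.passwordChanged ? attributes.password : '',`. A one-line comment noting that the flag reaches PHP as the string `'true'` would also document the contract the server-side comparison relies on.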
@@ -208,6 +214,7 @@
 		 */
 		setPassword: function(password) {
 			this.get('linkShare').password = password;
+			this.get('linkShare').passwordChanged = true;
 		},
 
 		addShare: function(attributes, options) {
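Review bot: `setPassword` sets `passwordChanged = true`, but none of the visible hunks clears the flag once the share has been saved. If the same `linkShare` object is reused for a later permissions-only or expiration-only update, the request would again mark the password as changed and the server would hash whatever `password` holds at that point. Consider resetting the flag in the success path of the save (that code is outside this hunk). The doc comment above `setPassword` should also mention the side effect, e.g. `Also marks the password as changed so the server re-hashes it on the next save.`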
diff --git a/lib/private/share/share.php b/lib/private/share/share.php
index e5fa3bf..d50836f 100644
--- a/lib/private/share/share.php
+++ b/lib/private/share/share.php
@@ -775,15 +775,19 @@ class Share extends Constants {
 					$updateExistingShare = true;
 				}
 
-				// Generate hash of password - same method as user passwords
-				if (is_string($shareWith) && $shareWith !== '') {
-					self::verifyPassword($shareWith);
-					$shareWith = \OC::$server->getHasher()->hash($shareWith);
+				// Generate hash of password if the password was changed on the client
+				if (isset($shareWith['passwordChanged']) && $shareWith['passwordChanged'] === 'true') {
+					$shareWith = $shareWith['password'];
+					if (is_string($shareWith) && $shareWith !== '') {
+						self::verifyPassword($shareWith);
+						$shareWith = \OC::$server->getHasher()->hash($shareWith);
+					}
 				} else {
-					// reuse the already set password, but only if we change permissions
-					// otherwise the user disabled the password protection
-					if ($checkExists && (int)$permissions !== (int)$oldPermissions) {
+					// reuse the existing password if it was not updated from the client
+					if ($updateExistingShare) {
 						$shareWith = $checkExists['share_with'];
+					} else {
+						$shareWith = '';
 					}
 				}
 
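Review bot: A `$shareWith` that arrives as a plain string no longer sets a password. `isset($shareWith['passwordChanged'])` is false for a string, so the `else` branch runs, and for a new link share it assigns `$shareWith = ''`, which creates the link without password protection although the caller supplied one. Whether callers other than the patched JS model still pass a string is not visible here, since the method starts and ends outside the hunk, but a compatibility guard ahead of the new check would keep them safe: `if (is_string($shareWith) && $shareWith !== '') { $shareWith = array('password' => $shareWith, 'passwordChanged' => 'true'); }`. The strict comparison `=== 'true'` also treats a real boolean `true` (a JSON body or an internal PHP caller) as "not changed", and `$shareWith['password']` is read without an `isset()` check. Normalising the flag and defaulting a missing password to `''` would make both cases explicit.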

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-owncloud/owncloud.git


