Merge branch '0.4-maintenance'

2025-01-20 22:42:53 -05:00 · 2014-01-30 13:17:58 +00:00 · 2014-01-30 13:17:58 +00:00 · 5491f296ac
commit 5491f296ac
parent c2bb793c36 75d15ea7be
4 changed files with 865 additions and 190 deletions
--- a/core/client/views/post-settings.js
+++ b/core/client/views/post-settings.js
@ -5,8 +5,8 @@
 (function () {
    "use strict";

-    var parseDateFormats = ['DD MMM YY  HH:mm', 'DD MMM YYYY HH:mm', 'DD/MM/YY HH:mm', 'DD/MM/YYYY HH:mm',
-            'DD-MM-YY HH:mm', 'DD-MM-YYYY HH:mm'],
+    var parseDateFormats = ["DD MMM YY HH:mm", "DD MMM YYYY HH:mm", "DD/MM/YY HH:mm", "DD/MM/YYYY HH:mm",
+            "DD-MM-YY HH:mm", "DD-MM-YYYY HH:mm", "YYYY-MM-DD HH:mm"],
        displayDateFormat = 'DD MMM YY @ HH:mm';

    Ghost.View.PostSettings = Ghost.View.extend({
@ -158,7 +158,8 @@
            e.preventDefault();
            var self = this,
                errMessage = '',
-                pubDate = moment(self.model.get('published_at')).format(displayDateFormat),
+                pubDate = self.model.get('published_at') ? moment(self.model.get('published_at'))
+                    .format(displayDateFormat) : '',
                pubDateEl = e.currentTarget,
                newPubDate = pubDateEl.value,
                pubDateMoment,
--- a/core/server/models/user.js
+++ b/core/server/models/user.js
@ -11,7 +11,9 @@ var User,
    Role           = require('./role').Role,
    Permission     = require('./permission').Permission,
    http           = require('http'),
-    crypto         = require('crypto');
+    crypto         = require('crypto'),
+
+    tokenSecurity  = {};

 function validatePasswordLength(password) {
    try {
@ -268,6 +270,7 @@ User = ghostBookshelf.Model.extend({
    },

    validateToken: function (token, dbHash) {
+        /*jslint bitwise:true*/
        // TODO: Is there a chance the use of ascii here will cause problems if oldPassword has weird characters?
        var tokenText = new Buffer(token, 'base64').toString('ascii'),
            parts,
@ -288,17 +291,36 @@ User = ghostBookshelf.Model.extend({
            return when.reject(new Error("Invalid token expiration"));
        }

-        // This is easy to fake, but still check anyway.
+        // Check if token is expired to prevent replay attacks
        if (expires < Date.now()) {
            return when.reject(new Error("Expired token"));
        }

+        // to prevent brute force attempts to reset the password the combination of email+expires is only allowed for 10 attempts
+        if (tokenSecurity[email + '+' + expires] && tokenSecurity[email + '+' + expires].count >= 10) {
+            return when.reject(new Error("Token locked"));
+        }
+
        return this.generateResetToken(email, expires, dbHash).then(function (generatedToken) {
-            // Check for matching tokens
-            if (token === generatedToken) {
+            // Check for matching tokens with timing independent comparison
+            var diff = 0,
+                i;
+
+            // check if the token lenght is correct
+            if (token.length !== generatedToken.length) {
+                diff = 1;
+            }
+
+            for (i = token.length - 1; i >= 0; i = i - 1) {
+                diff |= token.charCodeAt(i) ^ generatedToken.charCodeAt(i);
+            }
+
+            if (diff === 0) {
                return when.resolve(email);
            }

+            // increase the count for email+expires for each failed attempt
+            tokenSecurity[email + '+' + expires] = {count: tokenSecurity[email + '+' + expires] ? tokenSecurity[email + '+' + expires].count + 1 : 1};
            return when.reject(new Error("Invalid token"));
        });
    },
--- a/core/shared/vendor/moment.js
+++ b/core/shared/vendor/moment.js
--- a/package.json
+++ b/package.json
@ -1,6 +1,6 @@
 {
    "name"        : "ghost",
-    "version"     : "0.4.1-rc1",
+    "version"     : "0.4.1",
    "description" : "Just a blogging platform.",
    "author"      : "Ghost Foundation",
    "homepage"    : "http://ghost.org",