snipe-it/app/Http/Controllers/Auth/ForgotPasswordController.php

<?php

namespace App\Http\Controllers\Auth;

use App\Http\Controllers\Controller;
use Illuminate\Foundation\Auth\SendsPasswordResetEmails;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Validator;

class ForgotPasswordController extends Controller
{
    /*
    |--------------------------------------------------------------------------
    | Password Reset Controller
    |--------------------------------------------------------------------------
    |
    | This controller is responsible for handling password reset emails and
    | includes a trait which assists in sending these notifications from
    | your application to your users. Feel free to explore this trait.
    |
    */

    use SendsPasswordResetEmails;

    /**
     * Create a new controller instance.
     *
     * @return void
     */
    public function __construct()
    {
        $this->middleware('guest');
    }

    /**
     * Get the e-mail subject line to be used for the reset link email.
     * Overriding method "getEmailSubject()" from trait "use ResetsPasswords"
     * @return string
     */
    public function getEmailSubject()
    {
        return property_exists($this, 'subject') ? $this->subject : \Lang::get('mail.reset_link');
    }


    /**
     * Send a reset link to the given user.
     *
     * @param  \Illuminate\Http\Request  $request
     * @return \Illuminate\Http\RedirectResponse
     */
    public function sendResetLinkEmail(Request $request)
    {

        /**
         * Let's set a max character count here to prevent potential
         * buffer overflow issues with attackers sending very large
         * payloads through.
         */
        $this->validate($request, ['email' => 'required|email|max:250']);

        /**
         * If we find a matching email with an activated yser, we will
         * send the password reset link to the user.
         *
         * Once we have attempted to send the link, we will examine the response
         * then see the message we need to show to the user. Finally, we'll send out a proper response.
         */
        $response = $this->broker()->sendResetLink(
            array_merge(
                $request->only('email'),
                ['activated' => '1']
            )
        );

        if ($response === \Password::RESET_LINK_SENT) {
            return redirect()->route('login')->with('status', trans($response));
        }


        /**
         * If an error was returned by the password broker, we will get this message
         * translated so we can notify a user of the problem. We'll redirect back
         * to where the users came from so they can attempt this process again.
         *
         * HOWEVER, we do not want to translate the message if the user isn't found
         * or isn't active, since that would allow an attacker to walk through
         * a dictionary attack and figure out registered user email addresses.
         *
         * Instead we tell the user we've sent an email even though we haven't.
         * It's bad UX, but better security. The compromises we sometimes have to make.
        */

        if ($response == 'passwords.user') {
            \Log::debug('User with email '.$request->input('email').' attempted a password reset request but was not found. No email was sent.');
            return redirect()->route('login')->with('success', trans('passwords.user_inactive'));
        }

        return back()->withErrors(
            ['email' => trans($response)]
        );
    }
}
Renamed Password controllers to new 5.3 versions 2016-12-14 05:06:15 -08:00			`<?php`

			`namespace App\Http\Controllers\Auth;`

			`use App\Http\Controllers\Controller;`
			`use Illuminate\Foundation\Auth\SendsPasswordResetEmails;`
			`use Illuminate\Http\Request;`
Added validation to reject email addresses over 250 characters 2020-03-04 22:08:07 -08:00			`use Illuminate\Support\Facades\Validator;`
Renamed Password controllers to new 5.3 versions 2016-12-14 05:06:15 -08:00
			`class ForgotPasswordController extends Controller`
			`{`
			`/*`
			`\|--------------------------------------------------------------------------`
			`\| Password Reset Controller`
			`\|--------------------------------------------------------------------------`
			`\|`
			`\| This controller is responsible for handling password reset emails and`
			`\| includes a trait which assists in sending these notifications from`
			`\| your application to your users. Feel free to explore this trait.`
			`\|`
			`*/`

			`use SendsPasswordResetEmails;`

			`/**`
			`* Create a new controller instance.`
			`*`
			`* @return void`
			`*/`
			`public function __construct()`
			`{`
			`$this->middleware('guest');`
			`}`

			`/**`
			`* Get the e-mail subject line to be used for the reset link email.`
			`* Overriding method "getEmailSubject()" from trait "use ResetsPasswords"`
			`* @return string`
			`*/`
Small phpcbf cleanup 2016-12-29 14:02:18 -08:00			`public function getEmailSubject()`
			`{`
Renamed Password controllers to new 5.3 versions 2016-12-14 05:06:15 -08:00			`return property_exists($this, 'subject') ? $this->subject : \Lang::get('mail.reset_link');`
			`}`

Added validation to reject email addresses over 250 characters 2020-03-04 22:08:07 -08:00

Renamed Password controllers to new 5.3 versions 2016-12-14 05:06:15 -08:00			`/**`
			`* Send a reset link to the given user.`
			`*`
			`* @param \Illuminate\Http\Request $request`
			`* @return \Illuminate\Http\RedirectResponse`
			`*/`
			`public function sendResetLinkEmail(Request $request)`
			`{`

Added validation to reject email addresses over 250 characters 2020-03-04 22:08:07 -08:00			`/**`
			`* Let's set a max character count here to prevent potential`
			`* buffer overflow issues with attackers sending very large`
			`* payloads through.`
			`*/`
			`$this->validate($request, ['email' => 'required\|email\|max:250']);`

			`/**`
			`* If we find a matching email with an activated yser, we will`
			`* send the password reset link to the user.`
			`*`
			`* Once we have attempted to send the link, we will examine the response`
			`* then see the message we need to show to the user. Finally, we'll send out a proper response.`
			`*/`
Renamed Password controllers to new 5.3 versions 2016-12-14 05:06:15 -08:00			`$response = $this->broker()->sendResetLink(`
Tweaked code/language for password reset 2018-08-14 18:09:33 -07:00			`array_merge(`
			`$request->only('email'),`
			`['activated' => '1']`
			`)`
Renamed Password controllers to new 5.3 versions 2016-12-14 05:06:15 -08:00			`);`

			`if ($response === \Password::RESET_LINK_SENT) {`
			`return redirect()->route('login')->with('status', trans($response));`
			`}`

Added validation to reject email addresses over 250 characters 2020-03-04 22:08:07 -08:00
			`/**`
			`* If an error was returned by the password broker, we will get this message`
			`* translated so we can notify a user of the problem. We'll redirect back`
			`* to where the users came from so they can attempt this process again.`
			`*`
			`* HOWEVER, we do not want to translate the message if the user isn't found`
			`* or isn't active, since that would allow an attacker to walk through`
			`* a dictionary attack and figure out registered user email addresses.`
			`*`
			`* Instead we tell the user we've sent an email even though we haven't.`
			`* It's bad UX, but better security. The compromises we sometimes have to make.`
			`*/`

			`if ($response == 'passwords.user') {`
			`\Log::debug('User with email '.$request->input('email').' attempted a password reset request but was not found. No email was sent.');`
			`return redirect()->route('login')->with('success', trans('passwords.user_inactive'));`
			`}`

Renamed Password controllers to new 5.3 versions 2016-12-14 05:06:15 -08:00			`return back()->withErrors(`
			`['email' => trans($response)]`
			`);`
			`}`
			`}`