[SECURITY] Respect expiration time of password reset token

When a TYPO3 backend user performs a password reset request, a
password reset link including an expiration time is sent to the
user. The expiration time is included in HMAC calculation of
the saved password reset hash, but it is never evaluated if the
expiration time is exceeded.

This change adds the missing validity check for the expiration
time included in the password reset link.

Resolves: #97998
Releases: main, 11.5, 10.4
Change-Id: I8a1730faf6489e5c5eebb44ff4f82606785bd637
Security-Bulletin: TYPO3-CORE-SA-2022-008
Security-References: CVE-2022-36106
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/75711
Tested-by: Oliver Hader <[email protected]>
Reviewed-by: Oliver Hader <[email protected]>

Author: derhansen

typo3/sysext/backend/Classes/Authentication/PasswordReset.php

@@ -278,6 +278,11 @@ public function isValidResetTokenFromRequest(ServerRequestInterface $request): b
      */
     protected function findValidUserForToken(string $token, string $identity, int $expirationTimestamp): ?array
     {
+        // Early return if token expired
+        if ($expirationTimestamp < time()) {
+            return null;
+        }
+
         $user = null;
         // Find the token in the database
         $queryBuilder = $this->getPreparedQueryBuilder();