
Removed useless md5 hashing in front-end and added username hashing in back-end

Tobias Reich 9 years ago
parent
commit
3f4bfe253d

+ 0 - 0
dist/main.js


+ 37 - 0
php/database/update_030000.php

@@ -0,0 +1,37 @@
+<?php
+
+###
+# @name			Update to version 3.0.0
+# @copyright	2015 by Tobias Reich
+###
+
+if (!defined('LYCHEE')) exit('Error: Direct access is not allowed!');
+
+# Remove login
+# Login now saved as crypt without md5. Legacy code has been removed.
+$query			= Database::prepare($database, "UPDATE `?` SET `value` = '' WHERE `key` = 'username' LIMIT 1", array(LYCHEE_TABLE_SETTINGS));
+$resetUsername	= $database->query($query);
+if (!$resetUsername) {
+	Log::error($database, 'update_030000', __LINE__, 'Could not reset username (' . $database->error . ')');
+	return false;
+}
+$query			= Database::prepare($database, "UPDATE `?` SET `value` = '' WHERE `key` = 'password' LIMIT 1", array(LYCHEE_TABLE_SETTINGS));
+$resetPassword	= $database->query($query);
+if (!$resetPassword) {
+	Log::error($database, 'update_030000', __LINE__, 'Could not reset password (' . $database->error . ')');
+	return false;
+}
+
+# Make public albums private and reset password
+# Password now saved as crypt without md5. Legacy code has been removed.
+$query			= Database::prepare($database, "UPDATE `?` SET `public` = 0, `password` = NULL", array(LYCHEE_TABLE_ALBUMS));
+$resetPublic	= $database->query($query);
+if (!$resetPublic) {
+	Log::error($database, 'update_030000', __LINE__, 'Could not reset public albums (' . $database->error . ')');
+	return false;
+}
+
+# Set version
+if (Database::setVersion($database, '030000')===false) return false;
+
+?>
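Review bot: Clearing both the `username` and `password` settings to '' (the first two UPDATEs) puts the installation into exactly the state that the empty-credentials branch in Session.php on this page treats as "no login configured", so from the moment this update runs until an administrator sets new credentials every visitor is granted an authenticated session. If that is the intended first-run behaviour, say so in the header comment and make sure the post-update flow asks for new credentials immediately; otherwise clear only the password (the username does not need to be reset to force re-authentication) or store a sentinel that can never equal a crypt() result. The comment `# Login now saved as crypt without md5` above the username reset is also misleading, since what changed for the username is that it is now stored hashed by getHashedString; e.g. `# Username and password are now stored as crypt() hashes; the existing plaintext/MD5 values cannot be converted in place, so both are cleared and must be set again.`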

+ 5 - 4
php/modules/Album.php

@@ -547,22 +547,23 @@ class Album extends Module {
 		if (strlen($password)>0) {
 
 			# Get hashed password
-			$password = get_hashed_password($password);
+			$password = getHashedString($password);
 
 			# Set hashed password
 			# Do not prepare $password because it is hashed and save
 			# Preparing (escaping) the password would destroy the hash
 			$query	= Database::prepare($this->database, "UPDATE ? SET password = '$password' WHERE id IN (?)", array(LYCHEE_TABLE_ALBUMS, $this->albumIDs));
-			$result	= $this->database->query($query);
 
 		} else {
 
 			# Unset password
 			$query	= Database::prepare($this->database, "UPDATE ? SET password = NULL WHERE id IN (?)", array(LYCHEE_TABLE_ALBUMS, $this->albumIDs));
-			$result	= $this->database->query($query);
 
 		}
 
+		# Execute query
+		$result	= $this->database->query($query);
+
 		# Call plugins
 		$this->plugins(__METHOD__, 1, func_get_args());
 
@@ -591,7 +592,7 @@ class Album extends Module {
 		$this->plugins(__METHOD__, 1, func_get_args());
 
 		if ($album->password=='') return true;
-		else if ($album->password===$password||$album->password===crypt($password, $album->password)) return true;
+		else if ($album->password===crypt($password, $album->password)) return true;
 		return false;
 
 	}
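Review bot: `$album->password===crypt($password, $album->password)` in getPublic still compares the hash with `===`, which exits on the first differing byte; `hash_equals($album->password, crypt($password, $album->password))` (PHP 5.6+) gives a constant-time comparison and is the usual form for this check. Removing the `$album->password===$password` clause is the right change, but the same hash-as-password clause is still present in Settings::setLogin in this diff and should go there as well. In the setPassword hunk the interpolation `password = '$password'` is safe only because crypt() output is limited to the `./0-9A-Za-z$` alphabet; the comment should state that instead of "hashed and save" (presumably "safe"). The body of getPublic starts outside this hunk.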

+ 2 - 1
php/modules/Database.php

@@ -54,7 +54,8 @@ class Database extends Module {
 			'020505', #2.5.5
 			'020601', #2.6.1
 			'020602', #2.6.2
-			'020700' #2.7.0
+			'020700', #2.7.0
+			'030000' #3.0.0
 		);
 
 		# For each update

+ 11 - 12
php/modules/Session.php

@@ -88,20 +88,18 @@ class Session extends Module {
 		# Call plugins
 		$this->plugins(__METHOD__, 0, func_get_args());
 
-		# Check login with MD5 hash
-		if ($username===$this->settings['username']&&$password===$this->settings['password']) {
-			$_SESSION['login'] = true;
-			return true;
-		}
+		$username = crypt($username, $this->settings['username']);
+		$password = crypt($password, $this->settings['password']);
 
 		# Check login with crypted hash
-		if ($username===$this->settings['username']&&$this->settings['password']===crypt($password, $this->settings['password'])) {
-			$_SESSION['login'] = true;
-			return true;
+		if ($this->settings['username']===$username&&
+			$this->settings['password']===$password) {
+				$_SESSION['login'] = true;
+				return true;
 		}
 
 		# No login
-		if ($this->settings['username']===''&&$this->settings['password']==='') {
+		if ($this->noLogin()===true) {
 			$_SESSION['login'] = true;
 			return true;
 		}
@@ -119,9 +117,10 @@ class Session extends Module {
 		self::dependencies(isset($this->settings));
 
 		# Check if login credentials exist and login if they don't
-		if ($this->settings['username']===''&&$this->settings['password']==='') {
-			$_SESSION['login'] = true;
-			return true;
+		if ($this->settings['username']===''&&
+			$this->settings['password']==='') {
+				$_SESSION['login'] = true;
+				return true;
 		}
 
 		return false;
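Review bot: `crypt($username, $this->settings['username'])` and the matching password call run before the `$this->noLogin()` check, so on a fresh or just-migrated install where both settings are '' they are invoked with an empty salt; on current PHP that presumably raises a notice and produces a hash that can never match, so the empty-credentials branch should come first — move the `if ($this->noLogin()===true) { ... }` block above the two crypt calls. The comparisons should also be `hash_equals($this->settings['username'], $username)` and `hash_equals($this->settings['password'], $password)`: `===` is not constant-time, and the `&&` short-circuit means a wrong username returns measurably faster than a wrong password, which lets a caller confirm the username on its own. The second hunk only re-wraps the condition; the same ordering applies there if that method is also reached before credentials exist. login()'s body begins outside this hunk.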

+ 9 - 10
php/modules/Settings.php

@@ -50,10 +50,10 @@ class Settings extends Module {
 		if ($oldPassword===$settings['password']||$settings['password']===crypt($oldPassword, $settings['password'])) {
 
 			# Save username
-			if (!$this->setUsername($username)) exit('Error: Updating username failed!');
+			if ($this->setUsername($username)!==true) exit('Error: Updating username failed!');
 
 			# Save password
-			if (!$this->setPassword($password)) exit('Error: Updating password failed!');
+			if ($this->setPassword($password)!==true) exit('Error: Updating password failed!');
 
 			return true;
 
@@ -68,15 +68,13 @@ class Settings extends Module {
 		# Check dependencies
 		self::dependencies(isset($this->database));
 
-		# Parse
-		$username = htmlentities($username);
-		if (strlen($username)>50) {
-			Log::notice($this->database, __METHOD__, __LINE__, 'Username is longer than 50 chars');
-			return false;
-		}
+		# Hash username
+		$username = getHashedString($username);
 
 		# Execute query
-		$query	= Database::prepare($this->database, "UPDATE ? SET value = '?' WHERE `key` = 'username'", array(LYCHEE_TABLE_SETTINGS, $username));
+		# Do not prepare $username because it is hashed and save
+		# Preparing (escaping) the username would destroy the hash
+		$query	= Database::prepare($this->database, "UPDATE ? SET value = '$username' WHERE `key` = 'username'", array(LYCHEE_TABLE_SETTINGS));
 		$result	= $this->database->query($query);
 
 		if (!$result) {
@@ -92,7 +90,8 @@ class Settings extends Module {
 		# Check dependencies
 		self::dependencies(isset($this->database));
 
-		$password = get_hashed_password($password);
+		# Hash password
+		$password = getHashedString($password);
 
 		# Execute query
 		# Do not prepare $password because it is hashed and save
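Review bot: The context line `if ($oldPassword===$settings['password']||...)` in setLogin still accepts the stored hash itself as a valid old password — the exact clause this commit removes from Album::getPublic — so it should be dropped here too, e.g. `if (hash_equals($settings['password'], crypt($oldPassword, $settings['password']))) {`. In setUsername the interpolation `value = '$username'` relies on getHashedString (body outside this diff) emitting only crypt()'s `./0-9A-Za-z$` alphabet; the added comment should say that explicitly and read "safe" rather than "save". Since the username is now stored only as a hash and checked via crypt() in Session::login, it can no longer be read back for display, which presumably affects any settings UI that shows the current username — worth noting in the method comment.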

+ 1 - 1
php/modules/misc.php

@@ -97,7 +97,7 @@ function getExtension($filename) {
 
 }
 
-function get_hashed_password($password) {
+function getHashedString($password) {
 
 	# Inspired by http://alias.io/2010/01/store-passwords-safely-with-php-and-mysql/
 

+ 1 - 1
src/scripts/album.js

@@ -455,7 +455,7 @@ album.setPublic = function(albumID, e) {
 	if (basicModal.visible()) {
 
 		if ($('.basicModal .choice input[name="password"]:checked').length===1) {
-			password			= md5($('.basicModal .choice input[data-name="password"]').val());
+			password			= $('.basicModal .choice input[data-name="password"]').val();
 			album.json.password	= 1;
 		} else {
 			password			= '';

+ 1 - 1
src/scripts/lychee.js

@@ -76,7 +76,7 @@ lychee.init = function() {
 lychee.login = function(data) {
 
 	var user		= data.username,
-		password	= md5(data.password),
+		password	= data.password,
 		params;
 
 	params = {

+ 2 - 2
src/scripts/password.js

@@ -34,14 +34,14 @@ password.get = function(albumID, callback) {
 
 		params = {
 			albumID,
-			password: md5(passwd)
+			password: passwd
 		}
 
 		api.post('Album::getPublic', params, function(data) {
 
 			if (data===true) {
 				basicModal.close();
-				password.value = md5(passwd);
+				password.value = passwd;
 				callback();
 			} else {
 				basicModal.error('password');

+ 3 - 3
src/scripts/settings.js

@@ -165,7 +165,7 @@ settings.createLogin = function() {
 
 		params = {
 			username,
-			password: md5(password)
+			password
 		}
 
 		api.post('Settings::setLogin', params, function(data) {
@@ -238,9 +238,9 @@ settings.setLogin = function() {
 		basicModal.close();
 
 		params = {
-			oldPassword: md5(oldPassword),
+			oldPassword,
 			username,
-			password: md5(password)
+			password
 		}
 
 		api.post('Settings::setLogin', params, function(data) {
