From 3f4bfe253d642bd1b898e32ba0a931e6245b5d16 Mon Sep 17 00:00:00 2001 From: Tobias Reich Date: Sun, 8 Feb 2015 15:36:13 +0100 Subject: [PATCH] Removed useless md5 hashing in front-end and added username hashing in back-end --- dist/main.js | Bin 173949 -> 173914 bytes php/database/update_030000.php | 37 +++++++++++++++++++++++++++++++++ php/modules/Album.php | 9 ++++---- php/modules/Database.php | 3 ++- php/modules/Session.php | 23 ++++++++++---------- php/modules/Settings.php | 19 ++++++++--------- php/modules/misc.php | 2 +- src/scripts/album.js | 2 +- src/scripts/lychee.js | 2 +- src/scripts/password.js | 4 ++-- src/scripts/settings.js | 6 +++--- 11 files changed, 72 insertions(+), 35 deletions(-) create mode 100644 php/database/update_030000.php diff --git a/dist/main.js b/dist/main.js index a11c5e4421d59180e24512e2025afc98d5a9d02e..10ce618dba37417f4a02318894eb06ab96ee20cd 100644 GIT binary patch delta 111 zcmex+j_cMru7)j)bC*nCxP;Ma`<*3>Em>TtdIgEa#pU@$Dcke;nVRLM7tCQ4na-`p zrkH9>7g)+DJ6&c8qXcVNVvdI9_G?QRTeJ8%a`N0!d|RZhw`|RA3JPA`USH diff --git a/php/database/update_030000.php b/php/database/update_030000.php new file mode 100644 index 0000000..632277d --- /dev/null +++ b/php/database/update_030000.php 
@@ -0,0 +1,37 @@ +query($query); +if (!$resetUsername) { + Log::error($database, 'update_030000', __LINE__, 'Could not reset username (' . $database->error . ')'); + return false; +} +$query = Database::prepare($database, "UPDATE `?` SET `value` = '' WHERE `key` = 'password' LIMIT 1", array(LYCHEE_TABLE_SETTINGS)); +$resetPassword = $database->query($query); +if (!$resetPassword) { + Log::error($database, 'update_030000', __LINE__, 'Could not reset password (' . $database->error . ')'); + return false; +} + +# Make public albums private and reset password +# Password now saved as crypt without md5. Legacy code has been removed. +$query = Database::prepare($database, "UPDATE `?` SET `public` = 0, `password` = NULL", array(LYCHEE_TABLE_ALBUMS)); +$resetPublic = $database->query($query); +if (!$resetPublic) { + Log::error($database, 'update_030000', __LINE__, 'Could not reset public albums (' . $database->error . ')'); + return false; +} + +# Set version +if (Database::setVersion($database, '030000')===false) return false; + +?> \ No newline at end of file diff --git a/php/modules/Album.php b/php/modules/Album.php index 51b5e20..a45d398 100644 --- a/php/modules/Album.php +++ b/php/modules/Album.php 
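Review bot: Clearing both `username` and `password` to `''` leaves the upgraded instance without any credentials, and the Session.php hunk shows that when both settings are empty the "no login" branch sets `$_SESSION['login'] = true` for any visitor, so until the owner re-saves a login the first request that reaches Settings::setLogin (whose old-password check also accepts `''` against `''`) appears to win. The migration should say so explicitly, e.g. `# NOTE: credentials are cleared; until a new login is saved via Settings::setLogin every visitor is treated as logged in`, and the upgrade notes should tell administrators to set the new login immediately after running it. The opening lines of this new file (from the PHP tag through the first `Database::prepare` call) are not legible in this rendering, so whatever dependency checks they contain could not be reviewed. The trailing `?>` on the last line can be dropped in a PHP-only file.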
@@ -547,22 +547,23 @@ class Album extends Module { if (strlen($password)>0) { # Get hashed password - $password = get_hashed_password($password); + $password = getHashedString($password); # Set hashed password # Do not prepare $password because it is hashed and save # Preparing (escaping) the password would destroy the hash $query = Database::prepare($this->database, "UPDATE ? SET password = '$password' WHERE id IN (?)", array(LYCHEE_TABLE_ALBUMS, $this->albumIDs)); - $result = $this->database->query($query); } else { # Unset password $query = Database::prepare($this->database, "UPDATE ? SET password = NULL WHERE id IN (?)", array(LYCHEE_TABLE_ALBUMS, $this->albumIDs)); - $result = $this->database->query($query); } + # Execute query + $result = $this->database->query($query); + # Call plugins $this->plugins(__METHOD__, 1, func_get_args()); @@ -591,7 +592,7 @@ class Album extends Module { $this->plugins(__METHOD__, 1, func_get_args()); if ($album->password=='') return true; - else if ($album->password===$password||$album->password===crypt($password, $album->password)) return true; + else if ($album->password===crypt($password, $album->password)) return true; return false; } diff --git a/php/modules/Database.php b/php/modules/Database.php index 4b76216..317a395 100755 --- a/php/modules/Database.php +++ b/php/modules/Database.php @@ -54,7 +54,8 @@ class Database extends Module { '020505', #2.5.5 '020601', #2.6.1 '020602', #2.6.2 - '020700' #2.7.0 + '020700', #2.7.0 + '030000' #3.0.0 ); # For each update diff --git a/php/modules/Session.php b/php/modules/Session.php index 10da0ba..74381c5 100755 --- a/php/modules/Session.php +++ b/php/modules/Session.php 
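Review bot: The password check in the second Album.php hunk compares the crypt output with `===`, which is not constant-time; the line should read `else if (hash_equals($album->password, crypt($password, $album->password))) return true;` (hash_equals needs PHP 5.6, so confirm the project's minimum version). The preceding `$album->password==''` relies on loose comparison to treat the NULL written by update_030000 as "no password"; spelling it `if ($album->password===null||$album->password==='') return true;` documents that intent and avoids surprises if the column type changes. In the first hunk the value returned by `getHashedString()` is written straight into the UPDATE; since crypt() reports failure by returning a string shorter than 13 characters, a guard such as `if (strlen($password)<13) return false;` before building the query keeps a failure marker from being persisted as the album password. The Database.php hunk is a version-list bump and needs nothing.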
@@ -88,20 +88,18 @@ class Session extends Module { # Call plugins $this->plugins(__METHOD__, 0, func_get_args()); - # Check login with MD5 hash - if ($username===$this->settings['username']&&$password===$this->settings['password']) { - $_SESSION['login'] = true; - return true; - } + $username = crypt($username, $this->settings['username']); + $password = crypt($password, $this->settings['password']); # Check login with crypted hash - if ($username===$this->settings['username']&&$this->settings['password']===crypt($password, $this->settings['password'])) { - $_SESSION['login'] = true; - return true; + if ($this->settings['username']===$username&& + $this->settings['password']===$password) { + $_SESSION['login'] = true; + return true; } # No login - if ($this->settings['username']===''&&$this->settings['password']==='') { + if ($this->noLogin()===true) { $_SESSION['login'] = true; return true; } @@ -119,9 +117,10 @@ class Session extends Module { self::dependencies(isset($this->settings)); # Check if login credentials exist and login if they don't - if ($this->settings['username']===''&&$this->settings['password']==='') { - $_SESSION['login'] = true; - return true; + if ($this->settings['username']===''&& + $this->settings['password']==='') { + $_SESSION['login'] = true; + return true; } return false; diff --git a/php/modules/Settings.php b/php/modules/Settings.php index 2ea74ef..e53a5a4 100755 --- a/php/modules/Settings.php +++ b/php/modules/Settings.php 
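Review bot: The new login comparison uses `===` on crypt output, which is not constant-time; replace the two condition lines with `if (hash_equals($this->settings['username'], $username)&&` and `hash_equals($this->settings['password'], $password)) {` so each comparison takes time independent of the stored value (the `&&` still stops at a username mismatch, which reveals only whether the username was right and is generally acceptable). When no login is configured both settings are `''`, so `crypt($username, '')` and `crypt($password, '')` run with an empty salt before `noLogin()` is consulted; depending on the PHP version crypt() then either generates a salt or returns a failure marker, so the stored `''` can never match, but moving the `$this->noLogin()===true` check ahead of the two crypt() calls avoids the wasted hashing and any notice. The enclosing `noLogin()` signature in the second hunk lies outside the hunk and could not be reviewed.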
@@ -50,10 +50,10 @@ class Settings extends Module { if ($oldPassword===$settings['password']||$settings['password']===crypt($oldPassword, $settings['password'])) { # Save username - if (!$this->setUsername($username)) exit('Error: Updating username failed!'); + if ($this->setUsername($username)!==true) exit('Error: Updating username failed!'); # Save password - if (!$this->setPassword($password)) exit('Error: Updating password failed!'); + if ($this->setPassword($password)!==true) exit('Error: Updating password failed!'); return true; @@ -68,15 +68,13 @@ class Settings extends Module { # Check dependencies self::dependencies(isset($this->database)); - # Parse - $username = htmlentities($username); - if (strlen($username)>50) { - Log::notice($this->database, __METHOD__, __LINE__, 'Username is longer than 50 chars'); - return false; - } + # Hash username + $username = getHashedString($username); # Execute query - $query = Database::prepare($this->database, "UPDATE ? SET value = '?' WHERE `key` = 'username'", array(LYCHEE_TABLE_SETTINGS, $username)); + # Do not prepare $username because it is hashed and save + # Preparing (escaping) the username would destroy the hash + $query = Database::prepare($this->database, "UPDATE ? SET value = '$username' WHERE `key` = 'username'", array(LYCHEE_TABLE_SETTINGS)); $result = $this->database->query($query); if (!$result) { @@ -92,7 +90,8 @@ class Settings extends Module { # Check dependencies self::dependencies(isset($this->database)); - $password = get_hashed_password($password); + # Hash password + $password = getHashedString($password); # Execute query # Do not prepare $password because it is hashed and save diff --git a/php/modules/misc.php b/php/modules/misc.php index 7c52c80..c449e4a 100755 --- a/php/modules/misc.php +++ b/php/modules/misc.php 
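Review bot: In the setUsername hunk the hashed username is interpolated into the UPDATE without any check on what `getHashedString()` returned; the comment's claim that escaping would "destroy the hash" holds only for a genuine crypt string, and if the helper (presumably a crypt() wrapper, judging by the `crypt($oldPassword, ...)` verification on the new side) fails it returns a short marker that would then be stored as the credential. Add `if (strlen($username)<13) { Log::error($this->database, __METHOD__, __LINE__, 'Could not hash username'); return false; }` before the query, and apply the same guard in setPassword. The setLogin hunk still accepts `$oldPassword===$settings['password']`, a plaintext-equality path this commit removes from Album::checkPassword and Session::login; after the migration it only ever matches `''` against `''`, so making that explicit as `if ($settings['password']===''||hash_equals($settings['password'], crypt($oldPassword, $settings['password']))) {` keeps the initial-setup flow working while closing the plaintext path. Dropping the 50-character limit means the username length is now bounded only by the hash function; if the helper uses Blowfish crypt only the first 72 bytes are significant, which is worth a comment on setUsername.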
@@ -97,7 +97,7 @@ function getExtension($filename) { } -function get_hashed_password($password) { +function getHashedString($password) { # Inspired by http://alias.io/2010/01/store-passwords-safely-with-php-and-mysql/ diff --git a/src/scripts/album.js b/src/scripts/album.js index 0ed96df..61c52b9 100644 --- a/src/scripts/album.js +++ b/src/scripts/album.js @@ -455,7 +455,7 @@ album.setPublic = function(albumID, e) { if (basicModal.visible()) { if ($('.basicModal .choice input[name="password"]:checked').length===1) { - password = md5($('.basicModal .choice input[data-name="password"]').val()); + password = $('.basicModal .choice input[data-name="password"]').val(); album.json.password = 1; } else { password = ''; diff --git a/src/scripts/lychee.js b/src/scripts/lychee.js index d3b3f26..af2d130 100644 --- a/src/scripts/lychee.js +++ b/src/scripts/lychee.js @@ -76,7 +76,7 @@ lychee.init = function() { lychee.login = function(data) { var user = data.username, - password = md5(data.password), + password = data.password, params; params = { diff --git a/src/scripts/password.js b/src/scripts/password.js index b9bf811..10440c6 100644 --- a/src/scripts/password.js +++ b/src/scripts/password.js @@ -34,14 +34,14 @@ password.get = function(albumID, callback) { params = { albumID, - password: md5(passwd) + password: passwd } api.post('Album::getPublic', params, function(data) { if (data===true) { basicModal.close(); - password.value = md5(passwd); + password.value = passwd; callback(); } else { basicModal.error('password'); diff --git a/src/scripts/settings.js b/src/scripts/settings.js index abfc501..f732b70 100644 --- a/src/scripts/settings.js +++ b/src/scripts/settings.js @@ -165,7 +165,7 @@ settings.createLogin = function() { params = { username, - password: md5(password) + password } api.post('Settings::setLogin', params, function(data) { 
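Review bot: `password.value = passwd;` in the password.js hunk now keeps the album password in cleartext in a page-global for the rest of the session, and the album.js, lychee.js and settings.js hunks (the latter continuing in the next hunk) likewise send the raw password and old password to the server; that is the right trade for server-side crypt, since the client-side MD5 offered little protection as the commit title says, but the secret is now only as protected as the transport and the page's JS scope. If `password.value` exists only to be re-sent on later album requests, a server-side session flag for the unlocked album would let the client drop the stored value once `Album::getPublic` succeeds; its consumers are outside the hunk, so confirm how it is used. The upgrade notes should state that logins are expected to run over HTTPS now that no hashing happens before the request leaves the browser.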
@@ -238,9 +238,9 @@ settings.setLogin = function() { basicModal.close(); params = { - oldPassword: md5(oldPassword), + oldPassword, username, - password: md5(password) + password } api.post('Settings::setLogin', params, function(data) {