[Feature] don't hash passwords with MD5 in DB #114
All newly set and resetted passwords will now be stored as blowfish hashed string generated via crypt(). Refs: #114
This commit is contained in:
parent
1e18094f8f
commit
c110f3fb28
@ -75,6 +75,10 @@ if (!$result) return false;
|
|||||||
$result = $database->query("ALTER TABLE `lychee_settings` CONVERT TO CHARACTER SET utf8 COLLATE utf8_general_ci;");
|
$result = $database->query("ALTER TABLE `lychee_settings` CONVERT TO CHARACTER SET utf8 COLLATE utf8_general_ci;");
|
||||||
if (!$result) return false;
|
if (!$result) return false;
|
||||||
|
|
||||||
|
# Set album password length to 100 (for longer hashes)
|
||||||
|
$result = $database->query("ALTER TABLE `lychee_albums` CHANGE `password` `password` VARCHAR(100);");
|
||||||
|
if (!$result) return false;
|
||||||
|
|
||||||
# Set version
|
# Set version
|
||||||
$result = $database->query("UPDATE lychee_settings SET value = '020500' WHERE `key` = 'version';");
|
$result = $database->query("UPDATE lychee_settings SET value = '020500' WHERE `key` = 'version';");
|
||||||
if (!$result) return false;
|
if (!$result) return false;
|
||||||
|
@ -442,8 +442,16 @@ class Album extends Module {
|
|||||||
# Call plugins
|
# Call plugins
|
||||||
$this->plugins(__METHOD__, 0, func_get_args());
|
$this->plugins(__METHOD__, 0, func_get_args());
|
||||||
|
|
||||||
# Execute query
|
if (isset($password)&&strlen($password)>0) {
|
||||||
|
# get hashed password
|
||||||
|
$password = get_hashed_password($password);
|
||||||
|
|
||||||
|
# set hashed password
|
||||||
$result = $this->database->query("UPDATE lychee_albums SET password = '$password' WHERE id IN ('$this->albumIDs');");
|
$result = $this->database->query("UPDATE lychee_albums SET password = '$password' WHERE id IN ('$this->albumIDs');");
|
||||||
|
} else {
|
||||||
|
# unset password
|
||||||
|
$result = $this->database->query("UPDATE lychee_albums SET password = NULL WHERE id IN ('$this->albumIDs');");
|
||||||
|
}
|
||||||
|
|
||||||
# Call plugins
|
# Call plugins
|
||||||
$this->plugins(__METHOD__, 1, func_get_args());
|
$this->plugins(__METHOD__, 1, func_get_args());
|
||||||
@ -469,7 +477,7 @@ class Album extends Module {
|
|||||||
$this->plugins(__METHOD__, 1, func_get_args());
|
$this->plugins(__METHOD__, 1, func_get_args());
|
||||||
|
|
||||||
if ($album->password=='') return true;
|
if ($album->password=='') return true;
|
||||||
else if ($album->password===$password) return true;
|
else if ($album->password===$password||$album->password===crypt($password, $album->password)) return true;
|
||||||
return false;
|
return false;
|
||||||
|
|
||||||
}
|
}
|
||||||
|
@ -76,12 +76,18 @@ class Session extends Module {
|
|||||||
# Call plugins
|
# Call plugins
|
||||||
$this->plugins(__METHOD__, 0, func_get_args());
|
$this->plugins(__METHOD__, 0, func_get_args());
|
||||||
|
|
||||||
# Check login
|
# Check login with MD5 hash
|
||||||
if ($username===$this->settings['username']&&$password===$this->settings['password']) {
|
if ($username===$this->settings['username']&&$password===$this->settings['password']) {
|
||||||
$_SESSION['login'] = true;
|
$_SESSION['login'] = true;
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
# Check login with crypted hash
|
||||||
|
if ($username===$this->settings['username']&&$this->settings['password']===crypt($password, $this->settings['password'])) {
|
||||||
|
$_SESSION['login'] = true;
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
|
||||||
# No login
|
# No login
|
||||||
if ($this->settings['username']===''&&$this->settings['password']==='') {
|
if ($this->settings['username']===''&&$this->settings['password']==='') {
|
||||||
$_SESSION['login'] = true;
|
$_SESSION['login'] = true;
|
||||||
|
@ -47,7 +47,7 @@ class Settings extends Module {
|
|||||||
# Load settings
|
# Load settings
|
||||||
$settings = $this->get();
|
$settings = $this->get();
|
||||||
|
|
||||||
if ($oldPassword==$settings['password']) {
|
if ($oldPassword===$settings['password']||$settings['password']===crypt($oldPassword, $settings['password'])) {
|
||||||
|
|
||||||
# Save username
|
# Save username
|
||||||
if (!$this->setUsername($username)) exit('Error: Updating username failed!');
|
if (!$this->setUsername($username)) exit('Error: Updating username failed!');
|
||||||
@ -85,7 +85,7 @@ class Settings extends Module {
|
|||||||
# Check dependencies
|
# Check dependencies
|
||||||
$this->dependencies(isset($this->database));
|
$this->dependencies(isset($this->database));
|
||||||
|
|
||||||
if (strlen($password)<1||strlen($password)>50) return false;
|
$password = get_hashed_password($password);
|
||||||
|
|
||||||
# Execute query
|
# Execute query
|
||||||
$result = $this->database->query("UPDATE lychee_settings SET value = '$password' WHERE `key` = 'password';");
|
$result = $this->database->query("UPDATE lychee_settings SET value = '$password' WHERE `key` = 'password';");
|
||||||
|
@ -80,4 +80,22 @@ function search($database, $settings, $term) {
|
|||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
function get_hashed_password($password) {
|
||||||
|
|
||||||
|
# inspired by -> http://alias.io/2010/01/store-passwords-safely-with-php-and-mysql/
|
||||||
|
|
||||||
|
# A higher "cost" is more secure but consumes more processing power
|
||||||
|
$cost = 10;
|
||||||
|
|
||||||
|
# Create a random salt
|
||||||
|
$salt = strtr(base64_encode(mcrypt_create_iv(16, MCRYPT_DEV_URANDOM)), '+', '.');
|
||||||
|
|
||||||
|
# Prefix information about the hash so PHP knows how to verify it later.
|
||||||
|
# "$2a$" Means we're using the Blowfish algorithm. The following two digits are the cost parameter.
|
||||||
|
$salt = sprintf("$2a$%02d$", $cost) . $salt;
|
||||||
|
|
||||||
|
# Hash the password with the salt
|
||||||
|
return crypt($password, $salt);
|
||||||
|
}
|
||||||
|
|
||||||
?>
|
?>
|
||||||
|
Loading…
Reference in New Issue
Block a user