From 6fa46b3f322a3008f45afcdf21f65eb5bb6f6c19 Mon Sep 17 00:00:00 2001
From: Cameron
Date: Thu, 16 Jun 2016 12:23:20 -0700
Subject: [PATCH] Fix for password upgrading. Password-encoding warning added to admin area dashboard.
---
 e107_admin/admin.php | 14 +++++++++++
 e107_admin/prefs.php | 6 +++--
 e107_handlers/user_handler.php | 46 ++++++++++++++++++++++++++--------
 3 files changed, 54 insertions(+), 12 deletions(-)
diff --git a/e107_admin/admin.php b/e107_admin/admin.php
index bcc849eb3..ecc47d0dd 100644
--- a/e107_admin/admin.php
+++ b/e107_admin/admin.php
@@ -97,6 +97,7 @@ class admin_start
 $this->checkFileTypes();
 $this->checkSuspiciousFiles();
 $this->checkDeprecated();
+ $this->checkPasswordEncryption();
 if($this->refresh == true)
 {
@@ -205,7 +206,20 @@ class admin_start
 }
+ function checkPasswordEncryption()
+ {
+ $us = e107::getUserSession();
+ $mes = e107::getMessage();
+ if($us->passwordAPIExists() === true && $us->getDefaultHashType() !== PASSWORD_E107_PHP && e107::pref('core','password_CHAP')==0)
+ {
+ $message = "It is HIGHLY recommended that you [change your password encoding] to the PHP Default. (Password hashes will be automatically upgraded during user login.)";
+ $srch = array('[',']');
+ $repl = array("","");
+ $mes->addWarning(str_replace($srch,$repl,$message));
+ }
+
+ }
diff --git a/e107_admin/prefs.php b/e107_admin/prefs.php
index 5092fc988..ca2301009 100644
--- a/e107_admin/prefs.php
+++ b/e107_admin/prefs.php
@@ -1381,7 +1381,7 @@ $text .= " - + "; $pwdEncodeOpts = array();
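Review bot: `checkPasswordEncryption()` is declared without a visibility keyword or a docblock, unlike the other `check*` methods it is called next to; `public function` plus a one-line docblock such as `/** Warn the admin when the PHP password API is available but the site still uses a legacy hash type and CHAP is off. */` would make the three-part condition readable. The `[`/`]` markers in `$message` are replaced with empty strings, so as written the warning is plain text and the bracketed phrase is not turned into a link to the preference; if a link was intended, `$repl` should carry the anchor markup. `e107::pref('core','password_CHAP')==0` is a loose comparison that also matches an unset pref; if that is the intent, `empty(e107::pref('core','password_CHAP'))` states it explicitly.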
@@ -1389,17 +1389,19 @@ $text .= " if(function_exists('password_verify')) // ie. php 5.5 or higher { $pwdEncodeOpts[3] = "PHP Default (Preferred)"; + } $pwdEncodeOpts[1] = PRFLAN_190; $pwdEncodeOpts[0] = PRFLAN_189; + $text .= (isset($pwdEncodeOpts[3]) && $pref['passwordEncoding']!=3) ? "" : ""; $text .= $frm->select('passwordEncoding', $pwdEncodeOpts, varset($pref['passwordEncoding'], 0)); // $text .= $frm->radio_switch('passwordEncoding', varset($pref['passwordEncoding'], 0), PRFLAN_190, PRFLAN_189); $text .= " -
".PRFLAN_191."
+
";
diff --git a/e107_handlers/user_handler.php b/e107_handlers/user_handler.php
index c595b8757..e366a86e6 100644
--- a/e107_handlers/user_handler.php
+++ b/e107_handlers/user_handler.php
@@ -159,6 +159,26 @@ class UserHandler
 }
+ /**
+ * Return the code for the current default password hash-type
+ * @return int
+ */
+ public function getDefaultHashType()
+ {
+ return $this->preferred;
+ }
+
+
+ /**
+ * Returns true if PHP5.5+ password API is found, otherwise return false.
+ * @return bool
+ */
+ public function passwordAPIExists()
+ {
+ return $this->passwordAPI;
+ }
+
+
 /**
 * Given plaintext password and login name, generate password string to store in DB
 *
@@ -250,10 +270,10 @@ class UserHandler
 /**
- * If necessary, rehash the user password to the currently set algorythm.
+ * If necessary, rehash the user password to the currently set algorythm and updated database. .
 * @param array $user - user fields. required: user_id, user_loginname, user_password
 * @param string $password - plain text password.
- * @return bool|int
+ * @return bool|str returns new password hash on success or false.
 */
 public function rehashPassword($user, $password)
 {
@@ -265,10 +285,13 @@ class UserHandler
 }
 $sql = e107::getDb();
+
+ $newPasswordHash = $this->HashPassword($password, $user['user_loginname']);
+
 $update = array(
 'data' => array(
- 'user_password' => $this->HashPassword($password, $user['user_loginname']),
+ 'user_password' => $newPasswordHash,
 ),
 'WHERE' => "user_id = ".intval($user['user_id'])." LIMIT 1",
@@ -276,10 +299,12 @@ class UserHandler
 );
+ if($sql->update('user', $update)!==false)
+ {
+ return $newPasswordHash;
+ }
-
-
- return $sql->update('user', $update);
+ return false;
 }
@@ -366,12 +391,9 @@ class UserHandler
 return $rawPassword;
 }
- else
- {
- return false;
- }
+ return false;
 }
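Review bot: The new line `$text .= (isset($pwdEncodeOpts[3]) && $pref['passwordEncoding']!=3) ? "" : "";` reads `$pref['passwordEncoding']` directly, while the `select()` call two lines below guards the same key with `varset(...)`; on an install where the pref has never been saved this raises an undefined-index notice. Use the same guard, `varset($pref['passwordEncoding'], 0) != 3`, and since the option codes are integers, `(int) varset($pref['passwordEncoding'], 0) !== 3` would also avoid the loose comparison.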
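Review bot: `getDefaultHashType()` is compared strictly (`!==`) against `PASSWORD_E107_PHP` by the new dashboard check in admin.php, so it only behaves if `$this->preferred` is always an int; if it is ever populated from a stored pref as a string, that check silently never matches. Returning `(int) $this->preferred;` would make the documented `@return int` hold regardless of how the property was set. Where `$this->preferred` is assigned is outside this hunk.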
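Review bot: `@return bool|str` is not a PHP type name; the annotation matching what the new body does is `@return string|false returns the new password hash on success, false on failure.`. The summary line also has a stray ` .` and two typos: `algorythm` should read `algorithm` and `updated database` should read `updates the database`.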
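Review bot: `if($sql->update('user', $update)!==false)` treats an update that matched no row as success: if `update()` returns the affected-row count (as the old `bool|int` return annotation suggests), a `user_id` that does not exist yields `0`, which is `!== false`, and the caller receives a fresh hash that was never stored. If a zero count is possible here, test for a positive row count instead, `if($sql->update('user', $update) > 0)`, so the returned hash is guaranteed to be the one in the database.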
@@ -652,6 +674,10 @@ class UserHandler
 $_COOKIE[e107::getPref('cookie_name')] = $cookieval; // make it available to the global scope before the page is reloaded
 }
 }
+
+
+ // echo "Debug: making cookie: ".$cookieval ." from ".print_a($lode,true);
+ // exit;
 }
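Review bot: The two added lines are commented-out debugging code, and the `echo` would print `$cookieval`, the value of the login cookie, straight into the page if anyone re-enabled it. Commented-out code should be removed rather than committed; if a trace of cookie creation is genuinely wanted, log it without the cookie value rather than echoing to the output. The enclosing method starts outside this hunk.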