mirror of
https://github.com/phpbb/phpbb.git
synced 2025-05-03 14:17:56 +02:00
#i42
new password hashing mechanism for storing passwords git-svn-id: file:///svn/phpbb/trunk@8139 89ea8834-ac86-4346-8a33-228a782c2dd0
This commit is contained in:
Meik Sievertsen
parent
c208556578
commit
760fe6bc66
@ -184,7 +184,10 @@ require($phpbb_root_path . 'includes/cache.' . $phpEx);
|
||||
require($phpbb_root_path . 'includes/template.' . $phpEx);
|
||||
require($phpbb_root_path . 'includes/session.' . $phpEx);
|
||||
require($phpbb_root_path . 'includes/auth.' . $phpEx);
|
||||
|
||||
require($phpbb_root_path . 'includes/functions.' . $phpEx);
|
||||
require($phpbb_root_path . 'includes/functions_content.' . $phpEx);
|
||||
|
||||
require($phpbb_root_path . 'includes/constants.' . $phpEx);
|
||||
require($phpbb_root_path . 'includes/db/' . $dbms . '.' . $phpEx);
|
||||
require($phpbb_root_path . 'includes/utf/utf_tools.' . $phpEx);
|
||||
|
||||
@ -694,7 +694,7 @@ class acp_users
|
||||
|
||||
// Which updates do we need to do?
|
||||
$update_username = ($user_row['username'] != $data['username']) ? $data['username'] : false;
|
||||
$update_password = ($data['new_password'] && $user_row['user_password'] != md5($data['new_password'])) ? true : false;
|
||||
$update_password = ($data['new_password'] && !phpbb_check_hash($user_row['user_password'], $data['new_password'])) ? true : false;
|
||||
$update_email = ($data['email'] != $user_row['user_email']) ? $data['email'] : false;
|
||||
|
||||
if (!sizeof($error))
|
||||
@ -766,7 +766,7 @@ class acp_users
|
||||
if ($update_password)
|
||||
{
|
||||
$sql_ary += array(
|
||||
'user_password' => md5($data['new_password']),
|
||||
'user_password' => phpbb_hash($data['new_password']),
|
||||
'user_passchg' => time(),
|
||||
);
|
||||
|
||||
|
||||
@ -194,7 +194,7 @@ function user_row_apache($username, $password)
|
||||
// generate user account data
|
||||
return array(
|
||||
'username' => $username,
|
||||
'user_password' => md5($password),
|
||||
'user_password' => phpbb_hash($password),
|
||||
'user_email' => '',
|
||||
'group_id' => (int) $row['group_id'],
|
||||
'user_type' => USER_NORMAL,
|
||||
|
||||
@ -125,15 +125,17 @@ function login_db(&$username, &$password)
|
||||
// cp1252 is phpBB2's default encoding, characters outside ASCII range might work when converted into that encoding
|
||||
if (md5($password_old_format) == $row['user_password'] || md5(utf8_to_cp1252($password_old_format)) == $row['user_password'])
|
||||
{
|
||||
$hash = phpbb_hash($password_new_format);
|
||||
|
||||
// Update the password in the users table to the new format and remove user_pass_convert flag
|
||||
$sql = 'UPDATE ' . USERS_TABLE . '
|
||||
SET user_password = \'' . $db->sql_escape(md5($password_new_format)) . '\',
|
||||
SET user_password = \'' . $db->sql_escape($hash) . '\',
|
||||
user_pass_convert = 0
|
||||
WHERE user_id = ' . $row['user_id'];
|
||||
$db->sql_query($sql);
|
||||
|
||||
$row['user_pass_convert'] = 0;
|
||||
$row['user_password'] = md5($password_new_format);
|
||||
$row['user_password'] = $hash;
|
||||
}
|
||||
else
|
||||
{
|
||||
@ -154,8 +156,23 @@ function login_db(&$username, &$password)
|
||||
}
|
||||
|
||||
// Check password ...
|
||||
if (!$row['user_pass_convert'] && md5($password) == $row['user_password'])
|
||||
if (!$row['user_pass_convert'] && phpbb_check_hash($password, $row['user_password']))
|
||||
{
|
||||
// Check for old password hash...
|
||||
if (strlen($row['user_password']) == 32)
|
||||
{
|
||||
$hash = phpbb_hash($password);
|
||||
|
||||
// Update the password in the users table to the new format
|
||||
$sql = 'UPDATE ' . USERS_TABLE . "
|
||||
SET user_password = '" . $db->sql_escape($hash) . "',
|
||||
user_pass_convert = 0
|
||||
WHERE user_id = {$row['user_id']}";
|
||||
$db->sql_query($sql);
|
||||
|
||||
$row['user_password'] = $hash;
|
||||
}
|
||||
|
||||
if ($row['user_login_attempts'] != 0)
|
||||
{
|
||||
// Successful, reset login attempts (the user passed all stages)
|
||||
|
||||
@ -204,7 +204,7 @@ function login_ldap(&$username, &$password)
|
||||
// generate user account data
|
||||
$ldap_user_row = array(
|
||||
'username' => $username,
|
||||
'user_password' => md5($password),
|
||||
'user_password' => phpbb_hash($password),
|
||||
'user_email' => (!empty($config['ldap_email'])) ? $ldap_result[0][$config['ldap_email']][0] : '',
|
||||
'group_id' => (int) $row['group_id'],
|
||||
'user_type' => USER_NORMAL,
|
||||
|
||||
File diff suppressed because it is too large
Load Diff
1267
phpBB/includes/functions_content.php
Normal file
1267
phpBB/includes/functions_content.php
Normal file
File diff suppressed because it is too large
Load Diff
@ -75,13 +75,13 @@ class ucp_profile
|
||||
$error[] = 'NEW_PASSWORD_ERROR';
|
||||
}
|
||||
|
||||
if (($data['new_password'] || ($auth->acl_get('u_chgemail') && $data['email'] != $user->data['user_email']) || ($data['username'] != $user->data['username'] && $auth->acl_get('u_chgname') && $config['allow_namechange'])) && md5($data['cur_password']) != $user->data['user_password'])
|
||||
if (($data['new_password'] || ($auth->acl_get('u_chgemail') && $data['email'] != $user->data['user_email']) || ($data['username'] != $user->data['username'] && $auth->acl_get('u_chgname') && $config['allow_namechange'])) && !phpbb_check_hash($data['cur_password'], $user->data['user_password']))
|
||||
{
|
||||
$error[] = 'CUR_PASSWORD_ERROR';
|
||||
}
|
||||
|
||||
// Only check the new password against the previous password if there have been no errors
|
||||
if (!sizeof($error) && $auth->acl_get('u_chgpasswd') && $data['new_password'] && md5($data['new_password']) == $user->data['user_password'])
|
||||
if (!sizeof($error) && $auth->acl_get('u_chgpasswd') && $data['new_password'] && phpbb_check_hash($data['new_password'], $user->data['user_password']))
|
||||
{
|
||||
$error[] = 'SAME_PASSWORD_ERROR';
|
||||
}
|
||||
@ -103,7 +103,7 @@ class ucp_profile
|
||||
'username_clean' => ($auth->acl_get('u_chgname') && $config['allow_namechange']) ? utf8_clean_string($data['username']) : $user->data['username_clean'],
|
||||
'user_email' => ($auth->acl_get('u_chgemail')) ? $data['email'] : $user->data['user_email'],
|
||||
'user_email_hash' => ($auth->acl_get('u_chgemail')) ? crc32($data['email']) . strlen($data['email']) : $user->data['user_email_hash'],
|
||||
'user_password' => ($auth->acl_get('u_chgpasswd') && $data['new_password']) ? md5($data['new_password']) : $user->data['user_password'],
|
||||
'user_password' => ($auth->acl_get('u_chgpasswd') && $data['new_password']) ? phpbb_hash($data['new_password']) : $user->data['user_password'],
|
||||
'user_passchg' => ($auth->acl_get('u_chgpasswd') && $data['new_password']) ? time() : 0,
|
||||
);
|
||||
|
||||
@ -112,7 +112,7 @@ class ucp_profile
|
||||
add_log('user', $user->data['user_id'], 'LOG_USER_UPDATE_NAME', $user->data['username'], $data['username']);
|
||||
}
|
||||
|
||||
if ($auth->acl_get('u_chgpasswd') && $data['new_password'] && md5($data['new_password']) != $user->data['user_password'])
|
||||
if ($auth->acl_get('u_chgpasswd') && $data['new_password'] && !phpbb_check_hash($data['new_password'], $user->data['user_password']))
|
||||
{
|
||||
$user->reset_login_keys();
|
||||
add_log('user', $user->data['user_id'], 'LOG_USER_NEW_PASSWORD', $data['username']);
|
||||
|
||||
@ -300,7 +300,7 @@ class ucp_register
|
||||
|
||||
$user_row = array(
|
||||
'username' => $data['username'],
|
||||
'user_password' => md5($data['new_password']),
|
||||
'user_password' => phpbb_hash($data['new_password']),
|
||||
'user_email' => $data['email'],
|
||||
'group_id' => (int) $group_id,
|
||||
'user_timezone' => (float) $data['tz'],
|
||||
|
||||
@ -67,7 +67,7 @@ class ucp_remind
|
||||
$user_password = gen_rand_string(8);
|
||||
|
||||
$sql = 'UPDATE ' . USERS_TABLE . "
|
||||
SET user_newpasswd = '" . $db->sql_escape(md5($user_password)) . "', user_actkey = '" . $db->sql_escape($user_actkey) . "'
|
||||
SET user_newpasswd = '" . $db->sql_escape(phpbb_hash($user_password)) . "', user_actkey = '" . $db->sql_escape($user_actkey) . "'
|
||||
WHERE user_id = " . $user_row['user_id'];
|
||||
$db->sql_query($sql);
|
||||
|
||||
|
||||
@ -55,7 +55,14 @@ require($phpbb_root_path . 'includes/cache.' . $phpEx);
|
||||
require($phpbb_root_path . 'includes/template.' . $phpEx);
|
||||
require($phpbb_root_path . 'includes/session.' . $phpEx);
|
||||
require($phpbb_root_path . 'includes/auth.' . $phpEx);
|
||||
|
||||
require($phpbb_root_path . 'includes/functions.' . $phpEx);
|
||||
|
||||
if (file_exists($phpbb_root_path . 'includes/functions_content.' . $phpEx))
|
||||
{
|
||||
require($phpbb_root_path . 'includes/functions_content.' . $phpEx);
|
||||
}
|
||||
|
||||
require($phpbb_root_path . 'includes/functions_admin.' . $phpEx);
|
||||
require($phpbb_root_path . 'includes/constants.' . $phpEx);
|
||||
require($phpbb_root_path . 'includes/db/' . $dbms . '.' . $phpEx);
|
||||
|
||||
@ -149,6 +149,12 @@ else
|
||||
|
||||
// Include essential scripts
|
||||
require($phpbb_root_path . 'includes/functions.' . $phpEx);
|
||||
|
||||
if (file_exists($phpbb_root_path . 'includes/functions_content.' . $phpEx))
|
||||
{
|
||||
require($phpbb_root_path . 'includes/functions_content.' . $phpEx);
|
||||
}
|
||||
|
||||
include($phpbb_root_path . 'includes/auth.' . $phpEx);
|
||||
include($phpbb_root_path . 'includes/session.' . $phpEx);
|
||||
include($phpbb_root_path . 'includes/template.' . $phpEx);
|
||||
|
||||
@ -1309,7 +1309,7 @@ class install_install extends module
|
||||
WHERE config_name = 'avatar_salt'",
|
||||
|
||||
'UPDATE ' . $data['table_prefix'] . "users
|
||||
SET username = '" . $db->sql_escape($data['admin_name']) . "', user_password='" . $db->sql_escape(md5($data['admin_pass1'])) . "', user_ip = '" . $db->sql_escape($user_ip) . "', user_lang = '" . $db->sql_escape($data['default_lang']) . "', user_email='" . $db->sql_escape($data['board_email1']) . "', user_dateformat='" . $db->sql_escape($lang['default_dateformat']) . "', user_email_hash = " . (crc32($data['board_email1']) . strlen($data['board_email1'])) . ", username_clean = '" . $db->sql_escape(utf8_clean_string($data['admin_name'])) . "'
|
||||
SET username = '" . $db->sql_escape($data['admin_name']) . "', user_password='" . $db->sql_escape(phpbb_hash($data['admin_pass1'])) . "', user_ip = '" . $db->sql_escape($user_ip) . "', user_lang = '" . $db->sql_escape($data['default_lang']) . "', user_email='" . $db->sql_escape($data['board_email1']) . "', user_dateformat='" . $db->sql_escape($lang['default_dateformat']) . "', user_email_hash = " . (crc32($data['board_email1']) . strlen($data['board_email1'])) . ", username_clean = '" . $db->sql_escape(utf8_clean_string($data['admin_name'])) . "'
|
||||
WHERE username = 'Admin'",
|
||||
|
||||
'UPDATE ' . $data['table_prefix'] . "moderator_cache
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user