mirror of
https://github.com/phpbb/phpbb.git
synced 2025-07-30 21:40:43 +02:00
- fix htmlspecialchars handling in search (search backends get specialchared input, and should return specialchared output), current backends strip entities anyway [includes Bug #8156]
- allow cancelling search index creation/removal - custom CSS class name input too short [Bug #8328] - give an error message if a password wasn't convertable (special characters in non-standard encoding) - moved still_on_time to functions.php, used by acp_search and converter, might be useful for MODs (or complex cron scripts) - do not allow empty passwords on login - add sids to local URLs in posts (this was a really terrible bug to fix ;-)) [Bug #7892] - ignore invalid HTTP_X_FORWARDED_FOR headers (just use REMOTE_ADDR if invalid) [Bug #8314] - changed forum listing code on search page and acp_attachments [Bug #6658] - search indexing uses still_on_time(), smaller batch size (1000) and meta_refresh() instead of redirect(), this should solve a few problems [Bugs #8034, #8270] - made password requirement language strings clearer - ALPHA is not meant to be alphanumric [Bug #7764] - display bug in firefox on linux making the pagination wrap on search results page (caused by ) git-svn-id: file:///svn/phpbb/trunk@7076 89ea8834-ac86-4346-8a33-228a782c2dd0
This commit is contained in:
Nils Adermann
@@ -103,19 +103,44 @@ function login_db(&$username, &$password)
|
||||
$password_old_format = (!STRIP) ? addslashes($password_old_format) : $password_old_format;
|
||||
$password_new_format = '';
|
||||
|
||||
set_var($password_new_format, $password_old_format, 'string');
|
||||
set_var($password_new_format, stripslashes($password_old_format), 'string');
|
||||
|
||||
if ($password == $password_new_format && md5($password_old_format) == $row['user_password'])
|
||||
if ($password == $password_new_format)
|
||||
{
|
||||
// Update the password in the users table to the new format and remove user_pass_convert flag
|
||||
$sql = 'UPDATE ' . USERS_TABLE . '
|
||||
SET user_password = \'' . $db->sql_escape(md5($password_new_format)) . '\',
|
||||
user_pass_convert = 0
|
||||
WHERE user_id = ' . $row['user_id'];
|
||||
$db->sql_query($sql);
|
||||
if (!function_exists('utf8_to_cp1252'))
|
||||
{
|
||||
global $phpbb_root_path, $phpEx;
|
||||
include($phpbb_root_path . 'includes/utf/data/recode_basic.' . $phpEx);
|
||||
}
|
||||
|
||||
$row['user_pass_convert'] = 0;
|
||||
$row['user_password'] = md5($password_new_format);
|
||||
// cp1252 is phpBB2's default encoding, characters outside ASCII range might work when converted into that encoding
|
||||
if (md5($password_old_format) == $row['user_password'] || utf8_to_cp1252(md5($password_old_format)) == $row['user_password'])
|
||||
{
|
||||
// Update the password in the users table to the new format and remove user_pass_convert flag
|
||||
$sql = 'UPDATE ' . USERS_TABLE . '
|
||||
SET user_password = \'' . $db->sql_escape(md5($password_new_format)) . '\',
|
||||
user_pass_convert = 0
|
||||
WHERE user_id = ' . $row['user_id'];
|
||||
$db->sql_query($sql);
|
||||
|
||||
$row['user_pass_convert'] = 0;
|
||||
$row['user_password'] = md5($password_new_format);
|
||||
}
|
||||
else if (preg_match('/[\x80-\xFF]/', $password_old_format))
|
||||
{
|
||||
// Although we weren't able to convert this password we have to
|
||||
// increase login attempt count to make sure this cannot be exploited
|
||||
$sql = 'UPDATE ' . USERS_TABLE . '
|
||||
SET user_login_attempts = user_login_attempts + 1
|
||||
WHERE user_id = ' . $row['user_id'];
|
||||
$db->sql_query($sql);
|
||||
|
||||
return array(
|
||||
'status' => LOGIN_ERROR_PASSWORD_CONVERT,
|
||||
'error_msg' => 'LOGIN_ERROR_PASSWORD_CONVERT',
|
||||
'user_row' => $row,
|
||||
);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
Reference in New Issue
Block a user