Dotclear


Timestamp:
03/25/16 12:43:18 (9 years ago)
Author:
franck <carnet.franck.paul@…>
Branch:
default
Message:

Allow different cryptographic algorithm for user password, chosen algo must provide result longer or equal than 40 characters (as default sha1), closes #1922

The constant DC_CRYPT_ALGO should be defined in config.php, and users will have to use recovery password procedure to set a new one according to the chosen algorithm.

File:
1 edited

  • inc/prepend.php

    r3195 r3231  
    191191} 
    192192 
     193if (!defined('DC_CRYPT_ALGO')) { 
     194     define('DC_CRYPT_ALGO','sha1');    // As in Dotclear 2.9 and previous 
     195} else { 
     196     // Check length of cryptographic algorithm result and exit if less than 40 characters long 
     197     if (strlen(crypt::hmac(DC_MASTER_KEY,DC_VENDOR_NAME,DC_CRYPT_ALGO)) < 40) { 
     198          if (!defined('DC_CONTEXT_ADMIN')) { 
     199               exit('Site temporarily unavailable'); 
     200          } else { 
     201               exit(DC_CRYPT_ALGO.' cryptographic algorithm configured is not strong enough, please change it.'); 
     202          } 
     203     } 
     204} 
     205 
    193206l10n::init(); 
    194207 
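
Review bot: The check on line 197 tests only the length of the HMAC output, while the admin message on line 201 reports the algorithm as "not strong enough". Output length is not a measure of strength: any algorithm whose result reaches 40 characters passes, whatever its other properties. Consider wording the message after what is actually tested (the result is shorter than 40 characters), or comparing DC_CRYPT_ALGO against an explicit list of accepted algorithms. The hunk also does not show what crypt::hmac returns when DC_CRYPT_ALGO names an algorithm that does not exist, so it is worth confirming that a typo in config.php ends at this exit rather than in a silent fallback. A comment next to the define on line 194 stating that changing the algorithm requires existing users to go through password recovery, as the commit message says, would help whoever edits config.php.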