Changeset 3036:7ed4286c8013

Timestamp:

07/03/15 17:03:26 (10 years ago)

Author:

franck <carnet.franck.paul@…>

Branch:

default

Message:

Centralizes crypt function of pwd in class.Dotclear.auth.php, closes #1923

Files:

• admin/auth.php (modified) (1 diff)
• admin/blog_del.php (modified) (1 diff)
• admin/install/index.php (modified) (1 diff)
• admin/langs.php (modified) (2 diffs)
• admin/preferences.php (modified) (1 diff)
• admin/user.php (modified) (1 diff)
• admin/users_actions.php (modified) (1 diff)
• inc/admin/lib.moduleslist.php (modified) (2 diffs)
• inc/core/class.dc.auth.php (modified) (5 diffs)
• inc/core/class.dc.core.php (modified) (3 diffs)
• plugins/antispam/inc/lib.dc.antispam.php (modified) (2 diffs)
• plugins/importExport/inc/class.dc.import.flat.php (modified) (1 diff)

admin/auth.php

@@ -204 +204 @@
 
      $cookie_admin = http::browserUID(DC_MASTER_KEY.$user_id.
-          crypt::hmac(DC_MASTER_KEY,$user_pwd)).bin2hex(pack('a32',$user_id));
+          $core->auth->crypt($user_pwd)).bin2hex(pack('a32',$user_id));
 
      if ($check_perms && $core->auth->mustChangePassword())

admin/blog_del.php

@@ -37 +37 @@
 if (!$core->error->flag() && $blog_id && !empty($_POST['del']))
 {
-     if (!$core->auth->checkPassword(crypt::hmac(DC_MASTER_KEY,$_POST['pwd']))) {
+     if (!$core->auth->checkPassword($core->auth->crypt($_POST['pwd']))) {
           $core->error->add(__('Password verification failed'));
      } else {

admin/install/index.php

@@ -119 +119 @@
           $cur->user_id = $u_login;
           $cur->user_super = 1;
-          $cur->user_pwd = crypt::hmac(DC_MASTER_KEY,$u_pwd);
+          $cur->user_pwd = $core->auth->crypt($u_pwd);
           $cur->user_name = (string) $u_name;
           $cur->user_firstname = (string) $u_firstname;

admin/langs.php

@@ -63 +63 @@
      try
      {
-          if (empty($_POST['your_pwd']) || !$core->auth->checkPassword(crypt::hmac(DC_MASTER_KEY,$_POST['your_pwd']))) {
+          if (empty($_POST['your_pwd']) || !$core->auth->checkPassword($core->auth->crypt($_POST['your_pwd']))) {
                throw new Exception(__('Password verification failed'));
           }
@@ -106 +106 @@
      try
      {
-          if (empty($_POST['your_pwd']) || !$core->auth->checkPassword(crypt::hmac(DC_MASTER_KEY,$_POST['your_pwd']))) {
+          if (empty($_POST['your_pwd']) || !$core->auth->checkPassword($core->auth->crypt($_POST['your_pwd']))) {
                throw new Exception(__('Password verification failed'));
           }

admin/preferences.php

@@ -102 +102 @@
      try
      {
-          $pwd_check = !empty($_POST['cur_pwd']) && $core->auth->checkPassword(crypt::hmac(DC_MASTER_KEY,$_POST['cur_pwd']));
+          $pwd_check = !empty($_POST['cur_pwd']) && $core->auth->checkPassword($core->auth->crypt($_POST['cur_pwd']));
 
           if ($core->auth->allowPassChange() && !$pwd_check && $user_email != $_POST['user_email']) {

admin/user.php

@@ -72 +72 @@
      try
      {
-          if (empty($_POST['your_pwd']) || !$core->auth->checkPassword(crypt::hmac(DC_MASTER_KEY,$_POST['your_pwd']))) {
+          if (empty($_POST['your_pwd']) || !$core->auth->checkPassword($core->auth->crypt($_POST['your_pwd']))) {
                throw new Exception(__('Password verification failed'));
           }

admin/users_actions.php

@@ -97 +97 @@
           try
           {
-               if (empty($_POST['your_pwd']) || !$core->auth->checkPassword(crypt::hmac(DC_MASTER_KEY,$_POST['your_pwd']))) {
+               if (empty($_POST['your_pwd']) || !$core->auth->checkPassword($core->auth->crypt($_POST['your_pwd']))) {
                     throw new Exception(__('Password verification failed'));
                }

inc/admin/lib.moduleslist.php

@@ -1172 +1172 @@
                || !empty($_POST['fetch_pkg']) && !empty($_POST['pkg_url']))
           {
-               if (empty($_POST['your_pwd']) || !$this->core->auth->checkPassword(crypt::hmac(DC_MASTER_KEY, $_POST['your_pwd']))) {
+               if (empty($_POST['your_pwd']) || !$this->core->auth->checkPassword($this->core->auth->crypt($_POST['your_pwd']))) {
                     throw new Exception(__('Password verification failed'));
                }
@@ -1947 +1947 @@
                || !empty($_POST['fetch_pkg']) && !empty($_POST['pkg_url']))
           {
-               if (empty($_POST['your_pwd']) || !$this->core->auth->checkPassword(crypt::hmac(DC_MASTER_KEY, $_POST['your_pwd']))) {
+               if (empty($_POST['your_pwd']) || !$this->core->auth->checkPassword($this->core->auth->crypt($_POST['your_pwd']))) {
                     throw new Exception(__('Password verification failed'));
                }

inc/core/class.dc.auth.php

@@ -121 +121 @@
           if ($pwd != '')
           {
-               if (crypt::hmac(DC_MASTER_KEY,$pwd) != $rs->user_pwd) {
+               if ($this->crypt($pwd) != $rs->user_pwd) {
                     sleep(rand(2,5));
                     return false;
@@ -165 +165 @@
 
      /**
+      * This method crypt given string (password, session_id, …).
+      *
+      * @param string $pwd string to be crypted
+      * @return string crypted value
+      */
+     public function crypt($pwd)
+     {
+          return crypt::hmac(DC_MASTER_KEY,$pwd);
+     }
+
+     /**
      * This method only check current user password.
      *
@@ -290 +301 @@
           $code =
           pack('a32',$this->userID()).
-          pack('H*',crypt::hmac(DC_MASTER_KEY,$this->getInfo('user_pwd')));
+          pack('H*',$this->crypt($this->getInfo('user_pwd')));
           return bin2hex($code);
      }
@@ -317 +328 @@
           }
 
-          if (crypt::hmac(DC_MASTER_KEY,$rs->user_pwd) != $pwd) {
+          if ($this->crypt($rs->user_pwd) != $pwd) {
                return false;
           }
@@ -594 +605 @@
 
           $cur = $this->con->openCursor($this->user_table);
-          $cur->user_pwd = crypt::hmac(DC_MASTER_KEY,$new_pass);
+          $cur->user_pwd = $this->crypt($new_pass);
           $cur->user_recover_key = null;
 

inc/core/class.dc.core.php

@@ -186 +186 @@
      public function getNonce()
      {
-          return crypt::hmac(DC_MASTER_KEY,session_id());
+          return $this->auth->crypt(session_id());
      }
 
@@ -195 +195 @@
           }
 
-          return $secret == crypt::hmac(DC_MASTER_KEY,session_id());
+          return $secret == $this->auth->crypt(session_id());
      }
 
@@ -847 +847 @@
                     throw new Exception(__('Password must contain at least 6 characters.'));
                }
-               $cur->user_pwd = crypt::hmac(DC_MASTER_KEY,$cur->user_pwd);
+               $cur->user_pwd = $this->auth->crypt($cur->user_pwd);
           }
 

plugins/antispam/inc/lib.dc.antispam.php

@@ -134 +134 @@
           $code =
           pack('a32',$core->auth->userID()).
-          pack('H*',crypt::hmac(DC_MASTER_KEY,$core->auth->getInfo('user_pwd')));
+          pack('H*',$core->auth->crypt($core->auth->getInfo('user_pwd')));
           return bin2hex($code);
      }
@@ -161 +161 @@
           }
 
-          if (crypt::hmac(DC_MASTER_KEY,$rs->user_pwd) != $pwd) {
+          if ($core->auth->crypt($rs->user_pwd) != $pwd) {
                return false;
           }

plugins/importExport/inc/class.dc.import.flat.php

@@ -90 +90 @@
           if ($full_upl !== null && $this->core->auth->isSuperAdmin())
           {
-               if (empty($_POST['your_pwd']) || !$this->core->auth->checkPassword(crypt::hmac(DC_MASTER_KEY,$_POST['your_pwd']))) {
+               if (empty($_POST['your_pwd']) || !$this->core->auth->checkPassword($this->core->auth->crypt($_POST['your_pwd']))) {
                     throw new Exception(__('Password verification failed'));
                }