Changeset 3627:9bccfc2257ad
- Timestamp:
- 12/19/17 17:27:59 (6 years ago)
- Branch:
- default
- Files:
-
- 14 edited
admin/auth.php
r3421 r3627 209 209 210 210 $cookie_admin = http::browserUID(DC_MASTER_KEY.$user_id. 211 $core->auth->crypt ($user_pwd)).bin2hex(pack('a32',$user_id));211 $core->auth->cryptLegacy($user_id)).bin2hex(pack('a32',$user_id)); 212 212 213 213 if ($check_perms && $core->auth->mustChangePassword()) -
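Review bot: The admin cookie is now derived only from `DC_MASTER_KEY`, the user id and `cryptLegacy($user_id)`, so it is a fixed value per account that never changes; the old form mixed in the password hash, which invalidated outstanding remember-me cookies on a password change or reset, and that property is lost here. The same derivation is used on the verification side in inc/core/class.dc.auth.php (new line 159) and for the preview URL tokens in admin/post.php (line 700) and plugins/pages/page.php (line 541), so all four sites need to change together. Since the stored value is now a salted `password_hash()` result that is regenerated on every rehash, mixing it back in restores rotation: `http::browserUID(DC_MASTER_KEY.$user_id.$core->auth->getInfo('user_pwd'))` on the cookie side, with `$rs->user_pwd` in place of `$this->cryptLegacy($rs->user_id)` in checkUser (assuming user_info is populated from the rehashed record by this point; worth confirming). A per-user secret column that is reset with the password would work as well, as long as the cookie and the check in checkUser compute the same value.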
admin/blog_del.php
r3036 r3627 37 37 if (!$core->error->flag() && $blog_id && !empty($_POST['del'])) 38 38 { 39 if (!$core->auth->checkPassword($ core->auth->crypt($_POST['pwd']))) {39 if (!$core->auth->checkPassword($_POST['pwd'])) { 40 40 $core->error->add(__('Password verification failed')); 41 41 } else { -
admin/langs.php
r3491 r3627 93 93 try 94 94 { 95 if (empty($_POST['your_pwd']) || !$core->auth->checkPassword($ core->auth->crypt($_POST['your_pwd']))) {95 if (empty($_POST['your_pwd']) || !$core->auth->checkPassword($_POST['your_pwd'])) { 96 96 throw new Exception(__('Password verification failed')); 97 97 } … … 136 136 try 137 137 { 138 if (empty($_POST['your_pwd']) || !$core->auth->checkPassword($ core->auth->crypt($_POST['your_pwd']))) {138 if (empty($_POST['your_pwd']) || !$core->auth->checkPassword($_POST['your_pwd'])) { 139 139 throw new Exception(__('Password verification failed')); 140 140 } -
admin/post.php
r3606 r3627 698 698 $preview_url = 699 699 $core->blog->url.$core->url->getURLFor('preview',$core->auth->userID().'/'. 700 http::browserUID(DC_MASTER_KEY.$core->auth->userID().$core->auth-> getInfo('user_pwd')).700 http::browserUID(DC_MASTER_KEY.$core->auth->userID().$core->auth->cryptLegacy($core->auth->userID())). 701 701 '/'.$post->post_url); 702 702 echo '<a id="post-preview" href="'.$preview_url.'" class="button modal" accesskey="p">'.__('Preview').' (p)'.'</a>'; -
admin/preferences.php
r3566 r3627 161 161 try 162 162 { 163 $pwd_check = !empty($_POST['cur_pwd']) && $core->auth->checkPassword($ core->auth->crypt($_POST['cur_pwd']));163 $pwd_check = !empty($_POST['cur_pwd']) && $core->auth->checkPassword($_POST['cur_pwd']); 164 164 165 165 if ($core->auth->allowPassChange() && !$pwd_check && $user_email != $_POST['user_email']) { -
admin/user.php
r3421 r3627 72 72 try 73 73 { 74 if (empty($_POST['your_pwd']) || !$core->auth->checkPassword($ core->auth->crypt($_POST['your_pwd']))) {74 if (empty($_POST['your_pwd']) || !$core->auth->checkPassword($_POST['your_pwd'])) { 75 75 throw new Exception(__('Password verification failed')); 76 76 } -
admin/users_actions.php
r3183 r3627 97 97 try 98 98 { 99 if (empty($_POST['your_pwd']) || !$core->auth->checkPassword($ core->auth->crypt($_POST['your_pwd']))) {99 if (empty($_POST['your_pwd']) || !$core->auth->checkPassword($_POST['your_pwd'])) { 100 100 throw new Exception(__('Password verification failed')); 101 101 } -
inc/admin/actions/class.dcactionblogs.php
r3403 r3627 155 155 } 156 156 157 if (!$core->auth->checkPassword($ core->auth->crypt($_POST['pwd']))) {157 if (!$core->auth->checkPassword($_POST['pwd'])) { 158 158 throw new Exception(__('Password verification failed')); 159 159 } -
inc/admin/lib.moduleslist.php
r3472 r3627 1253 1253 || !empty($_POST['fetch_pkg']) && !empty($_POST['pkg_url'])) 1254 1254 { 1255 if (empty($_POST['your_pwd']) || !$this->core->auth->checkPassword($ this->core->auth->crypt($_POST['your_pwd']))) {1255 if (empty($_POST['your_pwd']) || !$this->core->auth->checkPassword($_POST['your_pwd'])) { 1256 1256 throw new Exception(__('Password verification failed')); 1257 1257 } … … 2033 2033 || !empty($_POST['fetch_pkg']) && !empty($_POST['pkg_url'])) 2034 2034 { 2035 if (empty($_POST['your_pwd']) || !$this->core->auth->checkPassword($ this->core->auth->crypt($_POST['your_pwd']))) {2035 if (empty($_POST['your_pwd']) || !$this->core->auth->checkPassword($_POST['your_pwd'])) { 2036 2036 throw new Exception(__('Password verification failed')); 2037 2037 } -
inc/core/class.dc.auth.php
r3535 r3627 121 121 if ($pwd != '') 122 122 { 123 if ($this->crypt($pwd) != $rs->user_pwd) { 124 sleep(rand(2,5)); 125 return false; 123 $rehash = false; 124 if (password_verify($pwd,$rs->user_pwd)) { 125 // User password ok 126 if (password_needs_rehash($rs->user_pwd,PASSWORD_DEFAULT)) { 127 $rs->user_pwd = $this->crypt($pwd); 128 $rehash = true; 129 } 130 } else { 131 // Check if pwd still stored in old fashion way 132 $ret = password_get_info($rs->user_pwd); 133 if (is_array($ret) && isset($ret['algo']) && $ret['algo'] == 0) { 134 // hash not done with password_hash() function, check by old fashion way 135 if (crypt::hmac(DC_MASTER_KEY,$pwd,DC_CRYPT_ALGO) == $rs->user_pwd) { 136 // Password Ok, need to store it in new fashion way 137 $rs->user_pwd = $this->crypt($pwd); 138 $rehash = true; 139 } else { 140 // Password KO 141 sleep(rand(2,5)); 142 return false; 143 } 144 } else { 145 // Password KO 146 sleep(rand(2,5)); 147 return false; 148 } 149 } 150 if ($rehash) { 151 // Store new hash in DB 152 $cur = $this->con->openCursor($this->user_table); 153 $cur->user_pwd = (string) $rs->user_pwd; 154 $cur->update("WHERE user_id = '".$rs->user_id."'"); 126 155 } 127 156 } 128 157 elseif ($user_key != '') 129 158 { 130 if (http::browserUID(DC_MASTER_KEY.$rs->user_id.$ rs->user_pwd) != $user_key) {159 if (http::browserUID(DC_MASTER_KEY.$rs->user_id.$this->cryptLegacy($rs->user_id)) != $user_key) { 131 160 return false; 132 161 } … … 172 201 public function crypt($pwd) 173 202 { 203 return password_hash($pwd,PASSWORD_DEFAULT); 204 } 205 206 /** 207 * This method crypt given string (password, session_id, …). 
208 * 209 * @param string $pwd string to be crypted 210 * @return string crypted value 211 */ 212 public function cryptLegacy($pwd) 213 { 174 214 return crypt::hmac(DC_MASTER_KEY,$pwd,DC_CRYPT_ALGO); 175 215 } … … 184 224 { 185 225 if (!empty($this->user_info['user_pwd'])) { 186 return $pwd == $this->user_info['user_pwd'];226 return password_verify($pwd,$this->user_info['user_pwd']); 187 227 } 188 228 -
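Review bot: The legacy-hash fallback at new line 135 compares two digest strings with `==`, and the cookie check at line 159, the nonce check in inc/core/class.dc.core.php (line 207) and the key check in plugins/antispam/inc/lib.dc.antispam.php (line 163) do the same; PHP's loose comparison treats numeric-looking strings (hex digests of the form `0e...`) as numbers, and it is not constant-time. Use `hash_equals($rs->user_pwd, crypt::hmac(DC_MASTER_KEY,$pwd,DC_CRYPT_ALGO))` here and the same helper at the other three sites, with the known-good value as the first argument. The rehash update at line 154 interpolates `$rs->user_id` into the WHERE clause unescaped; the value comes from the database row just read, but it should go through the connection's escaping or the update path the user-management code already uses. The docblock above `crypt()` is outside the hunk, but if it still describes a deterministic string crypt it should now say that the method returns a salted `password_hash()` value that differs on every call, so callers must verify with `password_verify()` and never compare its output directly, which is why `cryptLegacy()` remains for the cookie, nonce and antispam derivations.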
inc/core/class.dc.core.php
r3565 r3627 195 195 public function getNonce() 196 196 { 197 return $this->auth->crypt (session_id());197 return $this->auth->cryptLegacy(session_id()); 198 198 } 199 199 … … 205 205 } 206 206 207 return $secret == $this->auth->crypt (session_id());207 return $secret == $this->auth->cryptLegacy(session_id()); 208 208 } 209 209 -
plugins/antispam/inc/lib.dc.antispam.php
r3231 r3627 134 134 $code = 135 135 pack('a32',$core->auth->userID()). 136 pack('H*',$core->auth->crypt ($core->auth->getInfo('user_pwd')));136 pack('H*',$core->auth->cryptLegacy($core->auth->getInfo('user_pwd'))); 137 137 return bin2hex($code); 138 138 } … … 161 161 } 162 162 163 if ($core->auth->crypt ($rs->user_pwd) != $pwd) {163 if ($core->auth->cryptLegacy($rs->user_pwd) != $pwd) { 164 164 return false; 165 165 } -
plugins/importExport/inc/class.dc.import.flat.php
r3421 r3627 90 90 if ($full_upl !== null && $this->core->auth->isSuperAdmin()) 91 91 { 92 if (empty($_POST['your_pwd']) || !$this->core->auth->checkPassword($ this->core->auth->crypt($_POST['your_pwd']))) {92 if (empty($_POST['your_pwd']) || !$this->core->auth->checkPassword($_POST['your_pwd'])) { 93 93 throw new Exception(__('Password verification failed')); 94 94 } -
plugins/pages/page.php
r3606 r3627 539 539 $core->url->getURLFor('pagespreview', 540 540 $core->auth->userID().'/'. 541 http::browserUID(DC_MASTER_KEY.$core->auth->userID().$core->auth-> getInfo('user_pwd')).541 http::browserUID(DC_MASTER_KEY.$core->auth->userID().$core->auth->cryptLegacy($core->auth->userID())). 542 542 '/'.$post->post_url); 543 543 echo '<a id="post-preview" href="'.$preview_url.'" class="button" accesskey="p">'.__('Preview').' (p)'.'</a>';