use login as salt when generating passwords
This commit is contained in:
Andrew Dolgov
parent
e668413073
commit
1a9f4d3c9d
|
|
@ -1423,16 +1423,18 @@
|
||||||
|
|
||||||
if (!SINGLE_USER_MODE) {
|
if (!SINGLE_USER_MODE) {
|
||||||
|
|
||||||
$pwd_hash = 'SHA1:' . sha1($password);
|
$pwd_hash1 = encrypt_password($password);
|
||||||
|
$pwd_hash2 = encrypt_password($password, $login);
|
||||||
|
|
||||||
if ($force_auth && defined('_DEBUG_USER_SWITCH')) {
|
if ($force_auth && defined('_DEBUG_USER_SWITCH')) {
|
||||||
$query = "SELECT id,login,access_level
|
$query = "SELECT id,login,access_level
|
||||||
FROM ttrss_users WHERE
|
FROM ttrss_users WHERE
|
||||||
login = '$login'";
|
login = '$login'";
|
||||||
} else {
|
} else {
|
||||||
$query = "SELECT id,login,access_level
|
$query = "SELECT id,login,access_level,pwd_hash
|
||||||
FROM ttrss_users WHERE
|
FROM ttrss_users WHERE
|
||||||
login = '$login' AND pwd_hash = '$pwd_hash'";
|
login = '$login' AND (pwd_hash = '$pwd_hash1' OR
|
||||||
|
pwd_hash = '$pwd_hash2')";
|
||||||
}
|
}
|
||||||
|
|
||||||
$result = db_query($link, $query);
|
$result = db_query($link, $query);
|
||||||
|
|
@ -1449,7 +1451,7 @@
|
||||||
|
|
||||||
$_SESSION["theme"] = $user_theme;
|
$_SESSION["theme"] = $user_theme;
|
||||||
$_SESSION["ip_address"] = $_SERVER["REMOTE_ADDR"];
|
$_SESSION["ip_address"] = $_SERVER["REMOTE_ADDR"];
|
||||||
$_SESSION["pwd_hash"] = $pwd_hash;
|
$_SESSION["pwd_hash"] = db_fetch_result($result, 0, "pwd_hash");
|
||||||
|
|
||||||
initialize_user_prefs($link, $_SESSION["uid"]);
|
initialize_user_prefs($link, $_SESSION["uid"]);
|
||||||
|
|
||||||
|
|
@ -4766,4 +4768,12 @@
|
||||||
return $url_path;
|
return $url_path;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
function encrypt_password($pass, $login = '') {
|
||||||
|
if ($login) {
|
||||||
|
return "SHA1X:" . sha1("$login:$pass");
|
||||||
|
} else {
|
||||||
|
return "SHA1:" . sha1($pass);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
?>
|
?>
|
||||||
|
|
|
||||||
|
|
@ -31,8 +31,12 @@
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
$old_pw_hash = 'SHA1:' . sha1($_POST["OLD_PASSWORD"]);
|
$old_pw_hash1 = encrypt_password($_POST["OLD_PASSWORD"]);
|
||||||
$new_pw_hash = 'SHA1:' . sha1($_POST["NEW_PASSWORD"]);
|
$old_pw_hash2 = encrypt_password($_POST["OLD_PASSWORD"],
|
||||||
|
$_SESSION["name"]);
|
||||||
|
|
||||||
|
$new_pw_hash = encrypt_password($_POST["NEW_PASSWORD"],
|
||||||
|
$_SESSION["name"]);
|
||||||
|
|
||||||
$active_uid = $_SESSION["uid"];
|
$active_uid = $_SESSION["uid"];
|
||||||
|
|
||||||
|
|
@ -41,8 +45,8 @@
|
||||||
$login = db_escape_string($_SERVER['PHP_AUTH_USER']);
|
$login = db_escape_string($_SERVER['PHP_AUTH_USER']);
|
||||||
|
|
||||||
$result = db_query($link, "SELECT id FROM ttrss_users WHERE
|
$result = db_query($link, "SELECT id FROM ttrss_users WHERE
|
||||||
id = '$active_uid' AND (pwd_hash = '$old_pw' OR
|
id = '$active_uid' AND (pwd_hash = '$old_pw_hash1' OR
|
||||||
pwd_hash = '$old_pw_hash')");
|
pwd_hash = '$old_pw_hash2')");
|
||||||
|
|
||||||
if (db_num_rows($result) == 1) {
|
if (db_num_rows($result) == 1) {
|
||||||
db_query($link, "UPDATE ttrss_users SET pwd_hash = '$new_pw_hash'
|
db_query($link, "UPDATE ttrss_users SET pwd_hash = '$new_pw_hash'
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue