improve password storage (use sha256 and long random salt)
bump schema
parent
8689b8070b
commit
e90053fe84
|
@ -701,20 +701,59 @@
|
||||||
|
|
||||||
// First login ?
|
// First login ?
|
||||||
if (db_num_rows($result) == 0) {
|
if (db_num_rows($result) == 0) {
|
||||||
$pwd_hash = encrypt_password(make_password(), $login);
|
$salt = substr(bin2hex(openssl_random_pseudo_bytes(125)), 0, 250);
|
||||||
|
$pwd_hash = encrypt_password($password, $salt, true);
|
||||||
|
|
||||||
$query2 = "INSERT INTO ttrss_users
|
$query2 = "INSERT INTO ttrss_users
|
||||||
(login,access_level,last_login,created,pwd_hash)
|
(login,access_level,last_login,created,pwd_hash,salt)
|
||||||
VALUES ('$login', 0, null, NOW(), '$pwd_hash')";
|
VALUES ('$login', 0, null, NOW(), '$pwd_hash','$salt')";
|
||||||
db_query($link, $query2);
|
db_query($link, $query2);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
} else {
|
} else {
|
||||||
$query = "SELECT id,login,access_level,pwd_hash
|
$result = db_query($link, "SELECT salt FROM ttrss_users WHERE
|
||||||
FROM ttrss_users WHERE
|
login = '$login'");
|
||||||
login = '$login' AND (pwd_hash = '$pwd_hash1' OR
|
|
||||||
|
$salt = db_fetch_result($result, 0, "salt");
|
||||||
|
|
||||||
|
if ($salt == "") {
|
||||||
|
|
||||||
|
$query = "SELECT id,login,access_level,pwd_hash
|
||||||
|
FROM ttrss_users WHERE
|
||||||
|
login = '$login' AND (pwd_hash = '$pwd_hash1' OR
|
||||||
pwd_hash = '$pwd_hash2')";
|
pwd_hash = '$pwd_hash2')";
|
||||||
|
|
||||||
|
// verify and upgrade password to new salt base
|
||||||
|
|
||||||
|
$result = db_query($link, $query);
|
||||||
|
|
||||||
|
if (db_num_rows($result) == 1) {
|
||||||
|
// upgrade password to MODE2
|
||||||
|
|
||||||
|
$salt = substr(bin2hex(openssl_random_pseudo_bytes(125)), 0, 250);
|
||||||
|
$pwd_hash = encrypt_password($password, $salt, true);
|
||||||
|
|
||||||
|
db_query($link, "UPDATE ttrss_users SET
|
||||||
|
pwd_hash = '$pwd_hash', salt = '$salt' WHERE login = '$login'");
|
||||||
|
|
||||||
|
$query = "SELECT id,login,access_level,pwd_hash
|
||||||
|
FROM ttrss_users WHERE
|
||||||
|
login = '$login' AND pwd_hash = '$pwd_hash'";
|
||||||
|
|
||||||
|
} else {
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
} else {
|
||||||
|
|
||||||
|
$pwd_hash = encrypt_password($password, $salt, true);
|
||||||
|
|
||||||
|
$query = "SELECT id,login,access_level,pwd_hash
|
||||||
|
FROM ttrss_users WHERE
|
||||||
|
login = '$login' AND pwd_hash = '$pwd_hash'";
|
||||||
|
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
$result = db_query($link, $query);
|
$result = db_query($link, $query);
|
||||||
|
@ -774,20 +813,7 @@
|
||||||
|
|
||||||
function make_password($length = 8) {
|
function make_password($length = 8) {
|
||||||
|
|
||||||
$password = "";
|
return substr(bin2hex(openssl_random_pseudo_bytes($length / 2)), 0, $length);
|
||||||
$possible = "0123456789abcdfghjkmnpqrstvwxyzABCDFGHJKMNPQRSTVWXYZ";
|
|
||||||
|
|
||||||
$i = 0;
|
|
||||||
|
|
||||||
while ($i < $length) {
|
|
||||||
$char = substr($possible, mt_rand(0, strlen($possible)-1), 1);
|
|
||||||
|
|
||||||
if (!strstr($password, $char)) {
|
|
||||||
$password .= $char;
|
|
||||||
$i++;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
return $password;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// this is called after user is created to initialize default feeds, labels
|
// this is called after user is created to initialize default feeds, labels
|
||||||
|
@ -3448,22 +3474,16 @@
|
||||||
return $url_path;
|
return $url_path;
|
||||||
} // function add_feed_url
|
} // function add_feed_url
|
||||||
|
|
||||||
/**
|
function encrypt_password($pass, $salt = '', $mode2 = false) {
|
||||||
* Encrypt a password in SHA1.
|
if ($salt && $mode2) {
|
||||||
*
|
return "MODE2:" . hash('sha256', $salt . $pass);
|
||||||
* @param string $pass The password to encrypt.
|
} else if ($salt) {
|
||||||
* @param string $login A optionnal login.
|
return "SHA1X:" . sha1("$salt:$pass");
|
||||||
* @return string The encrypted password.
|
|
||||||
*/
|
|
||||||
function encrypt_password($pass, $login = '') {
|
|
||||||
if ($login) {
|
|
||||||
return "SHA1X:" . sha1("$login:$pass");
|
|
||||||
} else {
|
} else {
|
||||||
return "SHA1:" . sha1($pass);
|
return "SHA1:" . sha1($pass);
|
||||||
}
|
}
|
||||||
} // function encrypt_password
|
} // function encrypt_password
|
||||||
|
|
||||||
|
|
||||||
function sanitize_article_content($text) {
|
function sanitize_article_content($text) {
|
||||||
# we don't support CDATA sections in articles, they break our own escaping
|
# we don't support CDATA sections in articles, they break our own escaping
|
||||||
$text = preg_replace("/\[\[CDATA/", "", $text);
|
$text = preg_replace("/\[\[CDATA/", "", $text);
|
||||||
|
|
|
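Review bot: The new MODE2 branch of encrypt_password() is still a single pass of a fast hash, `hash('sha256', $salt . $pass)`, so the long salt defeats precomputed tables but does little to slow offline guessing if the users table leaks. An iterated or memory-hard scheme (bcrypt through `crypt()`, or PBKDF2) behind its own prefix, selected the same way `MODE2:` is, would be the stronger choice. Both salt sites call `openssl_random_pseudo_bytes(125)` without the second `$crypto_strong` argument, so a fallback to a weak generator would go unnoticed. In the rewritten make_password(), `$length / 2` under-sizes the byte count for odd lengths and the default of 8 hex characters carries only 32 bits. The new `SELECT salt` and `UPDATE` statements interpolate `$login` directly; whether it is escaped is decided outside these hunks and is worth confirming.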
@ -6,7 +6,7 @@
|
||||||
} else {
|
} else {
|
||||||
|
|
||||||
define('EXPECTED_CONFIG_VERSION', 25);
|
define('EXPECTED_CONFIG_VERSION', 25);
|
||||||
define('SCHEMA_VERSION', 87);
|
define('SCHEMA_VERSION', 88);
|
||||||
|
|
||||||
require_once "config.php";
|
require_once "config.php";
|
||||||
require_once "sanity_config.php";
|
require_once "sanity_config.php";
|
||||||
|
|
|
@ -44,6 +44,7 @@ create table ttrss_users (id integer primary key not null auto_increment,
|
||||||
full_name varchar(250) not null default '',
|
full_name varchar(250) not null default '',
|
||||||
email_digest bool not null default false,
|
email_digest bool not null default false,
|
||||||
last_digest_sent datetime default null,
|
last_digest_sent datetime default null,
|
||||||
|
salt varchar(250) not null default '',
|
||||||
created datetime default null,
|
created datetime default null,
|
||||||
twitter_oauth longtext default null,
|
twitter_oauth longtext default null,
|
||||||
index (theme_id)) ENGINE=InnoDB DEFAULT CHARSET=UTF8;
|
index (theme_id)) ENGINE=InnoDB DEFAULT CHARSET=UTF8;
|
||||||
|
@ -259,7 +260,7 @@ create table ttrss_tags (id integer primary key auto_increment,
|
||||||
|
|
||||||
create table ttrss_version (schema_version int not null) ENGINE=InnoDB DEFAULT CHARSET=UTF8;
|
create table ttrss_version (schema_version int not null) ENGINE=InnoDB DEFAULT CHARSET=UTF8;
|
||||||
|
|
||||||
insert into ttrss_version values (87);
|
insert into ttrss_version values (88);
|
||||||
|
|
||||||
create table ttrss_enclosures (id integer primary key auto_increment,
|
create table ttrss_enclosures (id integer primary key auto_increment,
|
||||||
content_url text not null,
|
content_url text not null,
|
||||||
|
|
|
@ -41,6 +41,7 @@ create table ttrss_users (id serial not null primary key,
|
||||||
full_name varchar(250) not null default '',
|
full_name varchar(250) not null default '',
|
||||||
email_digest boolean not null default false,
|
email_digest boolean not null default false,
|
||||||
last_digest_sent timestamp default null,
|
last_digest_sent timestamp default null,
|
||||||
|
salt varchar(250) not null default '',
|
||||||
twitter_oauth text default null,
|
twitter_oauth text default null,
|
||||||
created timestamp default null);
|
created timestamp default null);
|
||||||
|
|
||||||
|
@ -228,7 +229,7 @@ create index ttrss_tags_post_int_id_idx on ttrss_tags(post_int_id);
|
||||||
|
|
||||||
create table ttrss_version (schema_version int not null);
|
create table ttrss_version (schema_version int not null);
|
||||||
|
|
||||||
insert into ttrss_version values (87);
|
insert into ttrss_version values (88);
|
||||||
|
|
||||||
create table ttrss_enclosures (id serial not null primary key,
|
create table ttrss_enclosures (id serial not null primary key,
|
||||||
content_url text not null,
|
content_url text not null,
|
||||||
|
|
|
@ -0,0 +1,10 @@
|
||||||
|
begin;
|
||||||
|
|
||||||
|
alter table ttrss_users add column salt varchar(250);
|
||||||
|
update ttrss_users set salt = '';
|
||||||
|
alter table ttrss_users change salt salt varchar(250) not null;
|
||||||
|
alter table ttrss_users alter column salt set default '';
|
||||||
|
|
||||||
|
update ttrss_version set schema_version = 88;
|
||||||
|
|
||||||
|
commit;
|
|
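Review bot: The `begin;` … `commit;` wrapper does not make this migration atomic on MySQL, because each `alter table` commits implicitly. A failure after the first statement could leave the column added while `schema_version` is still 87, and a rerun would then stop at `add column`. Collapsing the four column statements into `alter table ttrss_users add column salt varchar(250) not null default '';` leaves a single DDL step and removes the unfiltered `update`. The same one-statement form applies to the PostgreSQL migration that follows, where the transaction wrapper does hold. A comment such as `-- empty salt marks a legacy hash; it is upgraded on the next successful login` would tie the default to the `$salt == ""` check in the login code.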
@ -0,0 +1,10 @@
|
||||||
|
begin;
|
||||||
|
|
||||||
|
alter table ttrss_users add column salt varchar(250);
|
||||||
|
update ttrss_users set salt = '';
|
||||||
|
alter table ttrss_users alter column salt set not null;
|
||||||
|
alter table ttrss_users alter column salt set default '';
|
||||||
|
|
||||||
|
update ttrss_version set schema_version = 88;
|
||||||
|
|
||||||
|
commit;
|