improve password storage (use sha256 and long random salt)
bump schema
This commit is contained in:
parent
8689b8070b
commit
e90053fe84
|
@ -701,20 +701,59 @@
|
|||
|
||||
// First login ?
|
||||
if (db_num_rows($result) == 0) {
|
||||
$pwd_hash = encrypt_password(make_password(), $login);
|
||||
$salt = substr(bin2hex(openssl_random_pseudo_bytes(125)), 0, 250);
|
||||
$pwd_hash = encrypt_password($password, $salt, true);
|
||||
|
||||
$query2 = "INSERT INTO ttrss_users
|
||||
(login,access_level,last_login,created,pwd_hash)
|
||||
VALUES ('$login', 0, null, NOW(), '$pwd_hash')";
|
||||
(login,access_level,last_login,created,pwd_hash,salt)
|
||||
VALUES ('$login', 0, null, NOW(), '$pwd_hash','$salt')";
|
||||
db_query($link, $query2);
|
||||
}
|
||||
}
|
||||
|
||||
} else {
|
||||
$query = "SELECT id,login,access_level,pwd_hash
|
||||
FROM ttrss_users WHERE
|
||||
login = '$login' AND (pwd_hash = '$pwd_hash1' OR
|
||||
$result = db_query($link, "SELECT salt FROM ttrss_users WHERE
|
||||
login = '$login'");
|
||||
|
||||
$salt = db_fetch_result($result, 0, "salt");
|
||||
|
||||
if ($salt == "") {
|
||||
|
||||
$query = "SELECT id,login,access_level,pwd_hash
|
||||
FROM ttrss_users WHERE
|
||||
login = '$login' AND (pwd_hash = '$pwd_hash1' OR
|
||||
pwd_hash = '$pwd_hash2')";
|
||||
|
||||
// verify and upgrade password to new salt base
|
||||
|
||||
$result = db_query($link, $query);
|
||||
|
||||
if (db_num_rows($result) == 1) {
|
||||
// upgrade password to MODE2
|
||||
|
||||
$salt = substr(bin2hex(openssl_random_pseudo_bytes(125)), 0, 250);
|
||||
$pwd_hash = encrypt_password($password, $salt, true);
|
||||
|
||||
db_query($link, "UPDATE ttrss_users SET
|
||||
pwd_hash = '$pwd_hash', salt = '$salt' WHERE login = '$login'");
|
||||
|
||||
$query = "SELECT id,login,access_level,pwd_hash
|
||||
FROM ttrss_users WHERE
|
||||
login = '$login' AND pwd_hash = '$pwd_hash'";
|
||||
|
||||
} else {
|
||||
return false;
|
||||
}
|
||||
|
||||
} else {
|
||||
|
||||
$pwd_hash = encrypt_password($password, $salt, true);
|
||||
|
||||
$query = "SELECT id,login,access_level,pwd_hash
|
||||
FROM ttrss_users WHERE
|
||||
login = '$login' AND pwd_hash = '$pwd_hash'";
|
||||
|
||||
}
|
||||
}
|
||||
|
||||
$result = db_query($link, $query);
|
||||
|
@ -774,20 +813,7 @@
|
|||
|
||||
function make_password($length = 8) {
|
||||
|
||||
$password = "";
|
||||
$possible = "0123456789abcdfghjkmnpqrstvwxyzABCDFGHJKMNPQRSTVWXYZ";
|
||||
|
||||
$i = 0;
|
||||
|
||||
while ($i < $length) {
|
||||
$char = substr($possible, mt_rand(0, strlen($possible)-1), 1);
|
||||
|
||||
if (!strstr($password, $char)) {
|
||||
$password .= $char;
|
||||
$i++;
|
||||
}
|
||||
}
|
||||
return $password;
|
||||
return substr(bin2hex(openssl_random_pseudo_bytes($length / 2)), 0, $length);
|
||||
}
|
||||
|
||||
// this is called after user is created to initialize default feeds, labels
|
||||
|
@ -3448,22 +3474,16 @@
|
|||
return $url_path;
|
||||
} // function add_feed_url
|
||||
|
||||
/**
|
||||
* Encrypt a password in SHA1.
|
||||
*
|
||||
* @param string $pass The password to encrypt.
|
||||
* @param string $login A optionnal login.
|
||||
* @return string The encrypted password.
|
||||
*/
|
||||
function encrypt_password($pass, $login = '') {
|
||||
if ($login) {
|
||||
return "SHA1X:" . sha1("$login:$pass");
|
||||
function encrypt_password($pass, $salt = '', $mode2 = false) {
|
||||
if ($salt && $mode2) {
|
||||
return "MODE2:" . hash('sha256', $salt . $pass);
|
||||
} else if ($salt) {
|
||||
return "SHA1X:" . sha1("$salt:$pass");
|
||||
} else {
|
||||
return "SHA1:" . sha1($pass);
|
||||
}
|
||||
} // function encrypt_password
|
||||
|
||||
|
||||
function sanitize_article_content($text) {
|
||||
# we don't support CDATA sections in articles, they break our own escaping
|
||||
$text = preg_replace("/\[\[CDATA/", "", $text);
|
||||
|
|
|
@ -6,7 +6,7 @@
|
|||
} else {
|
||||
|
||||
define('EXPECTED_CONFIG_VERSION', 25);
|
||||
define('SCHEMA_VERSION', 87);
|
||||
define('SCHEMA_VERSION', 88);
|
||||
|
||||
require_once "config.php";
|
||||
require_once "sanity_config.php";
|
||||
|
|
|
@ -44,6 +44,7 @@ create table ttrss_users (id integer primary key not null auto_increment,
|
|||
full_name varchar(250) not null default '',
|
||||
email_digest bool not null default false,
|
||||
last_digest_sent datetime default null,
|
||||
salt varchar(250) not null default '',
|
||||
created datetime default null,
|
||||
twitter_oauth longtext default null,
|
||||
index (theme_id)) ENGINE=InnoDB DEFAULT CHARSET=UTF8;
|
||||
|
@ -259,7 +260,7 @@ create table ttrss_tags (id integer primary key auto_increment,
|
|||
|
||||
create table ttrss_version (schema_version int not null) ENGINE=InnoDB DEFAULT CHARSET=UTF8;
|
||||
|
||||
insert into ttrss_version values (87);
|
||||
insert into ttrss_version values (88);
|
||||
|
||||
create table ttrss_enclosures (id integer primary key auto_increment,
|
||||
content_url text not null,
|
||||
|
|
|
@ -41,6 +41,7 @@ create table ttrss_users (id serial not null primary key,
|
|||
full_name varchar(250) not null default '',
|
||||
email_digest boolean not null default false,
|
||||
last_digest_sent timestamp default null,
|
||||
salt varchar(250) not null default '',
|
||||
twitter_oauth text default null,
|
||||
created timestamp default null);
|
||||
|
||||
|
@ -228,7 +229,7 @@ create index ttrss_tags_post_int_id_idx on ttrss_tags(post_int_id);
|
|||
|
||||
create table ttrss_version (schema_version int not null);
|
||||
|
||||
insert into ttrss_version values (87);
|
||||
insert into ttrss_version values (88);
|
||||
|
||||
create table ttrss_enclosures (id serial not null primary key,
|
||||
content_url text not null,
|
||||
|
|
|
@ -0,0 +1,10 @@
|
|||
begin;
|
||||
|
||||
alter table ttrss_users add column salt varchar(250);
|
||||
update ttrss_users set salt = '';
|
||||
alter table ttrss_users change salt salt varchar(250) not null;
|
||||
alter table ttrss_users alter column salt set default '';
|
||||
|
||||
update ttrss_version set schema_version = 88;
|
||||
|
||||
commit;
|
|
@ -0,0 +1,10 @@
|
|||
begin;
|
||||
|
||||
alter table ttrss_users add column salt varchar(250);
|
||||
update ttrss_users set salt = '';
|
||||
alter table ttrss_users alter column salt set not null;
|
||||
alter table ttrss_users alter column salt set default '';
|
||||
|
||||
update ttrss_version set schema_version = 88;
|
||||
|
||||
commit;
|
Loading…
Reference in New Issue