<?php
-class Pref_Users extends Handler {
-
- function before() {
- if (parent::before()) {
+class Pref_Users extends Protected_Handler {
+ function before($method) {
+ if (parent::before($method)) {
if ($_SESSION["access_level"] < 10) {
print __("Your access level is insufficient to open this tab.");
return false;
return false;
}
+ function csrf_ignore($method) {
+ $csrf_ignored = array("index");
+
+ return array_search($method, $csrf_ignored) !== false;
+ }
+
function userdetails() {
header("Content-Type: text/xml");
$password = db_escape_string(trim($_REQUEST["password"]));
if ($password) {
- $pwd_hash = encrypt_password($password, $login);
- $pass_query_part = "pwd_hash = '$pwd_hash', ";
+ $salt = substr(bin2hex(get_random_bytes(125)), 0, 250);
+ $pwd_hash = encrypt_password($password, $salt, true);
+ $pass_query_part = "pwd_hash = '$pwd_hash', salt = '$salt',";
} else {
$pass_query_part = "";
}
$login = db_escape_string(trim($_REQUEST["login"]));
$tmp_user_pwd = make_password(8);
- $pwd_hash = encrypt_password($tmp_user_pwd, $login);
+ $salt = substr(bin2hex(get_random_bytes(125)), 0, 250);
+ $pwd_hash = encrypt_password($tmp_user_pwd, $salt, true);
$result = db_query($this->link, "SELECT id FROM ttrss_users WHERE
login = '$login'");
if (db_num_rows($result) == 0) {
db_query($this->link, "INSERT INTO ttrss_users
- (login,pwd_hash,access_level,last_login,created)
- VALUES ('$login', '$pwd_hash', 0, null, NOW())");
+ (login,pwd_hash,access_level,last_login,created, salt)
+ VALUES ('$login', '$pwd_hash', 0, null, NOW(), '$salt')");
$result = db_query($this->link, "SELECT id FROM ttrss_users WHERE
$login = db_fetch_result($result, 0, "login");
$email = db_fetch_result($result, 0, "email");
+ $salt = db_fetch_result($result, 0, "salt");
+
+ $new_salt = substr(bin2hex(get_random_bytes(125)), 0, 250);
$tmp_user_pwd = make_password(8);
- $pwd_hash = encrypt_password($tmp_user_pwd, $login);
- db_query($this->link, "UPDATE ttrss_users SET pwd_hash = '$pwd_hash'
+ $pwd_hash = encrypt_password($tmp_user_pwd, $new_salt, true);
+
+ db_query($this->link, "UPDATE ttrss_users SET pwd_hash = '$pwd_hash', salt = '$new_salt'
WHERE id = '$uid'");
print T_sprintf("Changed password of user <b>%s</b>
$mail->CharSet = "UTF-8";
- $mail->From = DIGEST_FROM_ADDRESS;
- $mail->FromName = DIGEST_FROM_NAME;
+ $mail->From = SMTP_FROM_ADDRESS;
+ $mail->FromName = SMTP_FROM_NAME;
$mail->AddAddress($email, $login);
- if (DIGEST_SMTP_HOST) {
- $mail->Host = DIGEST_SMTP_HOST;
+ if (SMTP_HOST) {
+ $mail->Host = SMTP_HOST;
$mail->Mailer = "smtp";
- $mail->SMTPAuth = DIGEST_SMTP_LOGIN != '';
- $mail->Username = DIGEST_SMTP_LOGIN;
- $mail->Password = DIGEST_SMTP_PASSWORD;
+ $mail->SMTPAuth = SMTP_LOGIN != '';
+ $mail->Username = SMTP_LOGIN;
+ $mail->Password = SMTP_PASSWORD;
}
$mail->IsHTML(false);