From: Andrew Dolgov Date: Wed, 12 Sep 2007 03:56:22 +0000 (+0100) Subject: use login as salt when generating passwords X-Git-Tag: 1.2.15~7 X-Git-Url: https://git.wh0rd.org/?a=commitdiff_plain;h=1a9f4d3c9d7b8147230c0a816a849afdedb54901;p=tt-rss.git use login as salt when generating passwords --- diff --git a/functions.php b/functions.php index a237aff5..362f965a 100644 --- a/functions.php +++ b/functions.php @@ -1423,16 +1423,18 @@ if (!SINGLE_USER_MODE) { - $pwd_hash = 'SHA1:' . sha1($password); + $pwd_hash1 = encrypt_password($password); + $pwd_hash2 = encrypt_password($password, $login); if ($force_auth && defined('_DEBUG_USER_SWITCH')) { $query = "SELECT id,login,access_level FROM ttrss_users WHERE login = '$login'"; } else { - $query = "SELECT id,login,access_level + $query = "SELECT id,login,access_level,pwd_hash FROM ttrss_users WHERE - login = '$login' AND pwd_hash = '$pwd_hash'"; + login = '$login' AND (pwd_hash = '$pwd_hash1' OR + pwd_hash = '$pwd_hash2')"; } $result = db_query($link, $query); @@ -1449,7 +1451,7 @@ $_SESSION["theme"] = $user_theme; $_SESSION["ip_address"] = $_SERVER["REMOTE_ADDR"]; - $_SESSION["pwd_hash"] = $pwd_hash; + $_SESSION["pwd_hash"] = db_fetch_result($result, 0, "pwd_hash"); initialize_user_prefs($link, $_SESSION["uid"]); @@ -4766,4 +4768,12 @@ return $url_path; } + function encrypt_password($pass, $login = '') { + if ($login) { + return "SHA1X:" . sha1("$login:$pass"); + } else { + return "SHA1:" . sha1($pass); + } + } + ?> diff --git a/modules/pref-prefs.php b/modules/pref-prefs.php index a3132ce4..6c193430 100644 --- a/modules/pref-prefs.php +++ b/modules/pref-prefs.php 
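Review bot: The unsalted `SHA1:` digest stays accepted as an alternative on every login with no upgrade step, so rows written before this change keep the weaker form until the user happens to change the password. The plaintext is in hand at this point, so a match that succeeded only via `$pwd_hash1` should be followed by an update of the stored row to `$pwd_hash2` (one `UPDATE ttrss_users SET pwd_hash = '$pwd_hash2' WHERE id = ...` after the fetch), letting the fallback branch go dead over time; if the legacy form is kept on purpose, a comment above `$pwd_hash1` should say so. The values interpolated into the query are two SHA-1 hex digests and `$login`; whether `$login` went through `db_escape_string()` is decided before this hunk and cannot be confirmed here. The enclosing function starts before and ends after the hunk.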
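Review bot: `db_fetch_result($result, 0, "pwd_hash")` reads a column that only the non-debug query of the first hunk selects; in the `$force_auth && defined('_DEBUG_USER_SWITCH')` branch the query is still `SELECT id,login,access_level FROM ttrss_users WHERE login = '$login'`, so the fetch names a column absent from the result set and the session value is not a hash. Assuming `$result` here is the one produced by `db_query($link, $query)` above (the lines between the two hunks are not shown), adding `pwd_hash` to that debug-branch SELECT keeps both paths consistent. The enclosing function continues outside the hunk.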
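Review bot: `if ($login)` tests truthiness, so a login of `"0"` silently falls back to the unsalted form; `if ($login !== '')` matches the `''` default and states the intent. The function carries no comment, and a docblock is needed: it returns a one-way, scheme-tagged digest, `SHA1X:` salted with the login and `SHA1:` the legacy unsalted form kept for existing rows, and nothing is decryptable despite the name `encrypt_password`. `"$login:$pass"` joins the two parts with a bare `:` and the patch does not show logins being validated against that character, so the encoding is not unambiguous; if logins may contain `:`, that limitation belongs in the same docblock.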
@@ -31,8 +31,12 @@ return; } - $old_pw_hash = 'SHA1:' . sha1($_POST["OLD_PASSWORD"]); - $new_pw_hash = 'SHA1:' . sha1($_POST["NEW_PASSWORD"]); + $old_pw_hash1 = encrypt_password($_POST["OLD_PASSWORD"]); + $old_pw_hash2 = encrypt_password($_POST["OLD_PASSWORD"], + $_SESSION["name"]); + + $new_pw_hash = encrypt_password($_POST["NEW_PASSWORD"], + $_SESSION["name"]); $active_uid = $_SESSION["uid"]; @@ -41,8 +45,8 @@ $login = db_escape_string($_SERVER['PHP_AUTH_USER']); $result = db_query($link, "SELECT id FROM ttrss_users WHERE - id = '$active_uid' AND (pwd_hash = '$old_pw' OR - pwd_hash = '$old_pw_hash')"); + id = '$active_uid' AND (pwd_hash = '$old_pw_hash1' OR + pwd_hash = '$old_pw_hash2')"); if (db_num_rows($result) == 1) { db_query($link, "UPDATE ttrss_users SET pwd_hash = '$new_pw_hash'
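Review bot: The new hash is salted with `$_SESSION["name"]` while the login path in functions.php salts with the submitted `$login`; the two only agree if `$_SESSION["name"]` holds exactly the string the user types at login (same case and whitespace), which this hunk cannot show. A short comment above `$new_pw_hash` recording that dependency, `// salt must be the same login string the authentication query hashes against`, would keep a later normalisation of either value from silently making freshly changed passwords unverifiable. The enclosing block starts before this hunk.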
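Review bot: After `UPDATE ttrss_users SET pwd_hash = '$new_pw_hash'` the copy placed in `$_SESSION["pwd_hash"]` at login (second hunk of functions.php) still holds the previous value; if the session is checked against the stored hash elsewhere, the user who just changed their password will be treated as stale. Adding `$_SESSION["pwd_hash"] = $new_pw_hash;` directly after the UPDATE keeps the two in step. The `if (db_num_rows($result) == 1)` block and the enclosing function continue past the end of the hunk.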