From 098df83ba6a5fb7ea03cb9dfc9f6eca82397fe27 Mon Sep 17 00:00:00 2001
From: Andrew Dolgov <fox@madoka.volgo-balt.ru>
Date: Mon, 23 Jan 2012 12:20:09 +0400
Subject: [PATCH] fix various password-change related functions

---
 classes/pref_prefs.php | 47 +++++++++++++++++++++++++-----------------
 classes/pref_users.php | 20 +++++++++++-------
 register.php           |  9 ++++----
 3 files changed, 46 insertions(+), 30 deletions(-)

diff --git a/classes/pref_prefs.php b/classes/pref_prefs.php
index 03e39caa..175566d8 100644
--- a/classes/pref_prefs.php
+++ b/classes/pref_prefs.php
@@ -28,34 +28,43 @@ class Pref_Prefs extends Protected_Handler {
 			return;
 		}
 
-		$old_pw_hash1 = encrypt_password($old_pw);
-		$old_pw_hash2 = encrypt_password($old_pw, $_SESSION["name"]);
-		$new_pw_hash = encrypt_password($new_pw, $_SESSION["name"]);
+		$result = db_query($this->link, "SELECT salt FROM ttrss_users WHERE
+			id = " . $_SESSION['uid']);
 
-		$active_uid = $_SESSION["uid"];
+		$salt = db_fetch_result($result, 0, "salt");
 
-		if ($old_pw && $new_pw) {
+		if (!$salt) {
+			$old_pw_hash1 = encrypt_password($old_pw);
+			$old_pw_hash2 = encrypt_password($old_pw, $_SESSION["name"]);
 
-			$login = db_escape_string($_SERVER['PHP_AUTH_USER']);
+			$query = "SELECT id FROM ttrss_users WHERE
+				id = ".$_SESSION['uid']." AND (pwd_hash = '$old_pw_hash1' OR
+				pwd_hash = '$old_pw_hash2')";
 
-			$result = db_query($this->link, "SELECT id FROM ttrss_users WHERE
-				id = '$active_uid' AND (pwd_hash = '$old_pw_hash1' OR
-					pwd_hash = '$old_pw_hash2')");
+		} else {
+			$old_pw_hash = encrypt_password($old_pw, $salt, true);
 
-			if (db_num_rows($result) == 1) {
-				db_query($this->link, "UPDATE ttrss_users SET pwd_hash = '$new_pw_hash'
-					WHERE id = '$active_uid'");
+			$query = "SELECT id FROM ttrss_users WHERE
+				id = ".$_SESSION['uid']." AND pwd_hash = '$old_pw_hash'";
+		}
 
-				$_SESSION["pwd_hash"] = $new_pw_hash;
+		$result = db_query($this->link, $query);
 
-				print __("Password has been changed.");
-			} else {
-				print "ERROR: ".__('Old password is incorrect.');
-			}
-		}
+		if (db_num_rows($result) == 1) {
 
-		return;
+			$new_salt = substr(bin2hex(openssl_random_pseudo_bytes(125)), 0, 250);
+			$new_pw_hash = encrypt_password($new_pw, $new_salt, true);
+
+			db_query($this->link, "UPDATE ttrss_users SET
+				pwd_hash = '$new_pw_hash', salt = '$new_salt'
+					WHERE id = ".$_SESSION['uid']);
+
+			$_SESSION["pwd_hash"] = $new_pw_hash;
 
+			print __("Password has been changed.");
+		} else {
+			print "ERROR: ".__('Old password is incorrect.');
+		}
 	}
 
 	function saveconfig() {
diff --git a/classes/pref_users.php b/classes/pref_users.php
index fe32ce14..975b41f5 100644
--- a/classes/pref_users.php
+++ b/classes/pref_users.php
@@ -206,8 +206,9 @@ class Pref_Users extends Protected_Handler {
 			$password = db_escape_string(trim($_REQUEST["password"]));
 
 			if ($password) {
-				$pwd_hash = encrypt_password($password, $login);
-				$pass_query_part = "pwd_hash = '$pwd_hash', ";
+				$salt = substr(bin2hex(openssl_random_pseudo_bytes(125)), 0, 250);
+				$pwd_hash = encrypt_password($password, $salt, true);
+				$pass_query_part = "pwd_hash = '$pwd_hash', salt = '$salt',";
 			} else {
 				$pass_query_part = "";
 			}
@@ -233,7 +234,8 @@ class Pref_Users extends Protected_Handler {
 
 			$login = db_escape_string(trim($_REQUEST["login"]));
 			$tmp_user_pwd = make_password(8);
-			$pwd_hash = encrypt_password($tmp_user_pwd, $login);
+			$salt = substr(bin2hex(openssl_random_pseudo_bytes(125)), 0, 250);
+			$pwd_hash = encrypt_password($tmp_user_pwd, $salt, true);
 
 			$result = db_query($this->link, "SELECT id FROM ttrss_users WHERE
 				login = '$login'");
@@ -241,8 +243,8 @@ class Pref_Users extends Protected_Handler {
 			if (db_num_rows($result) == 0) {
 
 				db_query($this->link, "INSERT INTO ttrss_users
-					(login,pwd_hash,access_level,last_login,created)
-					VALUES ('$login', '$pwd_hash', 0, null, NOW())");
+					(login,pwd_hash,access_level,last_login,created, salt)
+					VALUES ('$login', '$pwd_hash', 0, null, NOW(), '$salt')");
 
 
 				$result = db_query($this->link, "SELECT id FROM ttrss_users WHERE
@@ -276,10 +278,14 @@ class Pref_Users extends Protected_Handler {
 
 			$login = db_fetch_result($result, 0, "login");
 			$email = db_fetch_result($result, 0, "email");
+			$salt = db_fetch_result($result, 0, "salt");
+
+			$new_salt = substr(bin2hex(openssl_random_pseudo_bytes(125)), 0, 250);
 			$tmp_user_pwd = make_password(8);
-			$pwd_hash = encrypt_password($tmp_user_pwd, $login);
 
-			db_query($this->link, "UPDATE ttrss_users SET pwd_hash = '$pwd_hash'
+			$pwd_hash = encrypt_password($tmp_user_pwd, $new_salt, true);
+
+			db_query($this->link, "UPDATE ttrss_users SET pwd_hash = '$pwd_hash', salt = '$new_salt'
 				WHERE id = '$uid'");
 
 			print T_sprintf("Changed password of user <b>%s</b>
diff --git a/register.php b/register.php
index 4107a2ea..e75c1c94 100644
--- a/register.php
+++ b/register.php
@@ -4,7 +4,7 @@
 	// 1) templates/register_notice.txt - displayed above the registration form
 	// 2) register_expire_do.php - contains user expiration queries when necessary
 
-	set_include_path(get_include_path() . PATH_SEPARATOR . 
+	set_include_path(get_include_path() . PATH_SEPARATOR .
 		dirname(__FILE__) . "/include");
 
 	require_once 'lib/phpmailer/class.phpmailer.php';
@@ -270,11 +270,12 @@
 
 				$password = make_password();
 
-				$pwd_hash = encrypt_password($password, $login);
+				$salt = substr(bin2hex(openssl_random_pseudo_bytes(125)), 0, 250);
+				$pwd_hash = encrypt_password($password, $salt, true);
 
 				db_query($link, "INSERT INTO ttrss_users
-					(login,pwd_hash,access_level,last_login, email, created)
-					VALUES ('$login', '$pwd_hash', 0, null, '$email', NOW())");
+					(login,pwd_hash,access_level,last_login, email, created, salt)
+					VALUES ('$login', '$pwd_hash', 0, null, '$email', NOW(), '$salt')");
 
 				$result = db_query($link, "SELECT id FROM ttrss_users WHERE
 					login = '$login' AND pwd_hash = '$pwd_hash'");
-- 
2.39.2