From acd72c218d20c3ac2c7b562b0f466c657d88f912 Mon Sep 17 00:00:00 2001
From: Uwe Steinmann
Date: Fri, 24 Apr 2020 08:05:26 +0200
Subject: [PATCH] user password_hash instead of md5

---
 inc/inc.ClassDbAuthentication.php | 2 +-
 op/op.ChangePassword.php | 3 ++-
 op/op.EditUserData.php | 14 +++++++-------
 op/op.UsrMgr.php | 4 ++--
 4 files changed, 12 insertions(+), 11 deletions(-)

diff --git a/inc/inc.ClassDbAuthentication.php b/inc/inc.ClassDbAuthentication.php
index 18838ee3e..81948137d 100644
--- a/inc/inc.ClassDbAuthentication.php
+++ b/inc/inc.ClassDbAuthentication.php
@@ -58,7 +58,7 @@ class SeedDMS_DbAuthentication extends SeedDMS_Authentication {
 // Check if password matches (if not a guest user)
 // Assume that the password has been sent via HTTP POST. It would be careless
 // (and dangerous) for passwords to be sent via GET.
- if (md5($password) != $user->getPwd()) {
+ if (md5($password) != $user->getPwd() && !password_verify($password, $user->getPwd())) {
 /* if counting of login failures is turned on, then increment its value */
 if($settings->_loginFailure) {
 $failures = $user->addLoginFailure();
diff --git a/op/op.ChangePassword.php b/op/op.ChangePassword.php
index c15da5a68..37e89a218 100644
--- a/op/op.ChangePassword.php
+++ b/op/op.ChangePassword.php
@@ -54,7 +54,8 @@ if (empty($newpassword) || empty($newpasswordrepeat) || $newpassword != $newpass
 $user = $dms->checkPasswordRequest($hash);
 if($user) {
- $user->setPwd(md5($newpassword));
+// $user->setPwd(md5($newpassword));
+ $user->setPwd(password_hash($newpassword, PASSWORD_DEFAULT));
 $dms->deletePasswordRequest($hash);
 header('Location: ../out/out.Login.php');
 exit;
diff --git a/op/op.EditUserData.php b/op/op.EditUserData.php
index 749bbda20..9ad1e3e34 100644
--- a/op/op.EditUserData.php
+++ b/op/op.EditUserData.php
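Review bot: The new condition in inc/inc.ClassDbAuthentication.php keeps `md5($password) != $user->getPwd()` as a permanent fallback with no upgrade step, so an account that never changes its password stays on an unsalted MD5 digest for good, and `!=` is a loose comparison: in PHP two hex digests that both look like `0e` followed only by digits compare numerically equal, so a stored MD5 of that shape accepts any password whose digest has the same shape. I would evaluate the legacy match once with `hash_equals()` and, when that is the branch that succeeded, rehash immediately so the MD5 value is replaced the first time the user logs in after the upgrade. The success path where the rehash belongs is outside this hunk, as is the rest of the enclosing method; there it would read `if ($legacyMatch || password_needs_rehash($stored, PASSWORD_DEFAULT)) $user->setPwd(password_hash($password, PASSWORD_DEFAULT));`.
```php
$stored = $user->getPwd();
// Rows written before this change hold an unsalted MD5 hex digest; accept it once,
// then the success path below upgrades it to password_hash() output.
$legacyMatch = hash_equals((string) $stored, md5($password));
if (!$legacyMatch && !password_verify($password, (string) $stored)) {
	/* … unchanged: login-failure counting and rejection … */
```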
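Review bot: In op/op.ChangePassword.php the replaced call is left behind as commented-out code, `// $user->setPwd(md5($newpassword));`; it should be deleted rather than kept, version control holds the old line and a dead MD5 call sitting next to the live one is an invitation to re-enable it. Separately, this reset path stores the new password without consulting SeedDMS_PasswordHistoryManager, which op/op.EditUserData.php in this same patch uses to reject reused passwords, so a password reset appears to bypass the history policy; whether a strength check runs earlier in this file is not visible from the hunk. The enclosing block starts before the hunk.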
@@ -46,7 +46,7 @@ if(isset($_POST["theme"]))
 $mytheme = $_POST["theme"];
 $current_pwd = $_POST["currentpwd"];
-if($user->getPwd() != md5($current_pwd)) {
+if($user->getPwd() != md5($current_pwd) && !password_verify($current_pwd, $user->getPwd())) {
 UI::exitError(getMLText("edit_user_details"),getMLText("password_wrong"));
 }
@@ -61,14 +61,14 @@ if (isset($_POST["pwd"]) && ($_POST["pwd"] != "")) {
 if ($current_pwd == $_POST["pwd"]) // history doesn't have the initial pw stored yet
 UI::exitError(getMLText("set_password"),getMLText("password_already_used"));
 $phm = new SeedDMS_PasswordHistoryManager($db);
- $oldpwd = $phm->search($user, md5($_POST["pwd"]));
+ $oldpwd = $phm->search($user, password_hash($_POST["pwd"], PASSWORD_DEFAULT));
 if($oldpwd) {
 UI::exitError(getMLText("set_password"),getMLText("password_already_used"));
 } else {
- $phm->add($user, md5($_POST["pwd"]));
+ $phm->add($user, password_hash($_POST["pwd"], PASSWORD_DEFAULT));
 }
 }
- $user->setPwd(md5($_POST["pwd"]));
+ $user->setPwd(password_hash($_POST["pwd"], PASSWORD_DEFAULT));
 $user->setPwdExpiration(date('Y-m-d H:i:s', time()+$settings->_passwordExpiration*86400));
 } else {
 UI::exitError(getMLText("set_password"),getMLText("password_strength_insuffient"));
@@ -76,14 +76,14 @@ if (isset($_POST["pwd"]) && ($_POST["pwd"] != "")) {
 }
 } else {
 if($settings->_passwordHistory > 0) {
 $phm = new SeedDMS_PasswordHistoryManager($db);
- $oldpwd = $phm->search($user, md5($_POST["pwd"]));
+ $oldpwd = $phm->search($user, password_hash($_POST["pwd"], PASSWORD_DEFAULT));
 if($oldpwd) {
 UI::exitError(getMLText("set_password"),getMLText("password_already_used"));
 } else {
- $phm->add($user, md5($_POST["pwd"]));
+ $phm->add($user, password_hash($_POST["pwd"], PASSWORD_DEFAULT));
 }
 }
- $user->setPwd(md5($_POST["pwd"]));
+ $user->setPwd(password_hash($_POST["pwd"], PASSWORD_DEFAULT));
 $user->setPwdExpiration(date('Y-m-d H:i:s', time()+$settings->_passwordExpiration*86400));
 }
 }
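Review bot: `if($user->getPwd() != md5($current_pwd) && !password_verify($current_pwd, $user->getPwd()))` is a second copy of the verification rule that inc/inc.ClassDbAuthentication.php now carries, with the same loose `!=` on the MD5 branch, under which digests of the form `0e<digits>` compare numerically equal; two hand-maintained copies will also drift when the MD5 fallback is eventually retired. At minimum use `hash_equals((string) $user->getPwd(), md5($current_pwd))` for the legacy comparison here; better, give the user object one password-check method that both this page and the authenticator call. `$_POST["currentpwd"]` is read without an isset guard, but that predates this change.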
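Review bot: `$oldpwd = $phm->search($user, password_hash($_POST["pwd"], PASSWORD_DEFAULT));` can never find an earlier use of the password: `password_hash()` draws a fresh random salt on every call, so the value handed to `search()` differs from every value the `$phm->add()` calls store, and the reuse check is silently disabled (the MD5 digest was deterministic, which is what a lookup by value relied on). The comparison has to happen inside SeedDMS_PasswordHistoryManager::search() by running `password_verify()` on the candidate plaintext against each of the user's stored entries (plus `hash_equals(md5(...), ...)` for entries written before this change), which means the manager iterates the user's history rather than matching a value; once it takes the plaintext, this line becomes `$oldpwd = $phm->search($user, $_POST["pwd"]);`. The enclosing `if` starts before this hunk.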
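Review bot: This branch is a line-for-line copy of the history check and `setPwd`/`setPwdExpiration` sequence in the branch above it, and both copies now carry the same salted-hash `search()` lookup that cannot match anything, so any fix has to be made twice; the duplicated block should be extracted into one local function (for example `storeNewPassword($user, $plain)`) that both branches call, so the history comparison, and later the retirement of the MD5 fallback, is changed in one place. Until the history manager is adapted, `$phm->add()` keeps appending bcrypt hashes that `search()` can never match, so the history table only grows and never rejects a reused password. The enclosing `if` starts before this hunk.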
diff --git a/op/op.UsrMgr.php b/op/op.UsrMgr.php
index f0aef6184..5ffa12770 100644
--- a/op/op.UsrMgr.php
+++ b/op/op.UsrMgr.php
@@ -68,7 +68,7 @@ if ($action == "adduser") {
 UI::exitError(getMLText("admin_tools"),getMLText("user_exists"));
 }
- $newUser = $dms->addUser($login, md5($pwd), $name, $email, $settings->_language, $settings->_theme, $comment, $role, $isHidden, $isDisabled, $pwdexpiration, $quota, $homefolder);
+ $newUser = $dms->addUser($login, password_hash($pwd, PASSWORD_DEFAULT), $name, $email, $settings->_language, $settings->_theme, $comment, $role, $isHidden, $isDisabled, $pwdexpiration, $quota, $homefolder);
 if ($newUser) {
 /* Set user image if uploaded */
@@ -388,7 +388,7 @@ else if ($action == "edituser") {
 $editedUser->setPwd('');
 } else {
 if (isset($pwd) && ($pwd != "")) {
- $editedUser->setPwd(md5($pwd));
+ $editedUser->setPwd(password_hash($pwd, PASSWORD_DEFAULT));
 }
 }
 if ($editedUser->getFullName() != $name)
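Review bot: On the adduser path `password_hash($pwd, PASSWORD_DEFAULT)` is applied unconditionally, so an account created with an empty password field receives a valid bcrypt hash of the empty string and can be logged into with an empty password; the edituser hunk below guards with `if (isset($pwd) && ($pwd != ""))` and otherwise stores `''`, a value the check in inc/inc.ClassDbAuthentication.php in this patch never accepts. Unless an earlier check in this file rejects an empty `$pwd` (not visible here), mirror that guard: `$newUser = $dms->addUser($login, (isset($pwd) && $pwd != "") ? password_hash($pwd, PASSWORD_DEFAULT) : '', $name, …);`. The `adduser` block starts before this hunk.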
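Review bot: The patch changes what `setPwd()` stores from a 32-character MD5 hex string to `password_hash()` output, 60 characters with the current bcrypt default and longer if PASSWORD_DEFAULT changes in a later PHP release, yet the diffstat lists only the four PHP files and no schema or install change. If the password column was sized for the MD5 digest, the database will store a truncated hash that `password_verify()` always rejects, locking edited users out silently; the column should be widened to 255 characters as the password_hash() documentation recommends, with an upgrade step, before this ships. Bcrypt also ignores everything beyond the first 72 bytes of the password, which is worth a one-line comment where the hash is produced: `// PASSWORD_DEFAULT (bcrypt) only uses the first 72 bytes of $pwd`. The `edituser` block starts before this hunk.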