Changeset 18889
- Timestamp:
- Nov 2, 2012, 2:59:07 PM (11 years ago)
- Location:
- trunk
- Files:
-
- 2 added
- 6 edited
Legend:
- Unmodified
- Added
- Removed
-
trunk/admin/include/functions_upgrade.php
r15678 r18889 248 248 $row = pwg_db_fetch_assoc(pwg_query($query)); 249 249 250 if (!isset($conf['pass_convert'])) 251 { 252 $conf['pass_convert'] = create_function('$s', 'return md5($s);'); 253 } 254 255 if ($row['password'] != $conf['pass_convert']($password)) 250 if (!$conf['password_verify']($password, $row['password'])) 256 251 { 257 252 array_push($page['errors'], l10n('Invalid password!')); -
trunk/include/config_default.inc.php
r18850 r18889 507 507 ); 508 508 509 // pass_convert : function to crypt or hash the clear user password to store 510 // it in the database 511 $conf['pass_convert'] = create_function('$s', 'return md5($s);'); 509 // password_hash: function hash the clear user password to store it in the 510 // database. The function takes only one parameter: the clear password. 511 $conf['password_hash'] = 'pwg_password_hash'; 512 513 // password_verify: function that checks the password against its hash. The 514 // function takes 2 mandatory parameter : clear password, hashed password + 515 // an optional parameter user_id. The user_id is used to update the password 516 // with the new hash introduced in Piwigo 2.5. See function 517 // pwg_password_verify in include/functions_user.inc.php 518 $conf['password_verify'] = 'pwg_password_verify'; 512 519 513 520 // guest_id : id of the anonymous user 514 521 $conf['guest_id'] = 2; 522 515 523 // default_user_id : id of user used for default value 516 524 $conf['default_user_id'] = $conf['guest_id']; -
trunk/include/functions_user.inc.php
r18629 r18889 183 183 $conf['user_fields']['id'] => $next_id, 184 184 $conf['user_fields']['username'] => pwg_db_real_escape_string($login), 185 $conf['user_fields']['password'] => $conf['pass _convert']($password),185 $conf['user_fields']['password'] => $conf['password_hash']($password), 186 186 $conf['user_fields']['email'] => $mail_address 187 187 ); … … 1096 1096 1097 1097 /** 1098 * hashes a password, with the PasswordHash class from phpass security 1099 * library. We use an "pwg_" prefix because function password_hash is 1100 * planned for PHP 5.5. Code inspired from Wordpress. 1101 * 1102 * @param string $password Plain text user password to hash 1103 * @return string The hash string of the password 1104 */ 1105 function pwg_password_hash($password) 1106 { 1107 global $pwg_hasher; 1108 1109 if (empty($pwg_hasher)) 1110 { 1111 require_once(PHPWG_ROOT_PATH.'include/passwordhash.class.php'); 1112 1113 // We use the portable hash feature from phpass because we can't be sure 1114 // Piwigo runs on PHP 5.3+ (and won't run on an older version in the 1115 // future) 1116 $pwg_hasher = new PasswordHash(13, true); 1117 } 1118 1119 return $pwg_hasher->HashPassword($password); 1120 } 1121 1122 /** 1123 * Verifies a password, with the PasswordHash class from phpass security 1124 * library. We use an "pwg_" prefix because function password_verify is 1125 * planned for PHP 5.5. Code inspired from Wordpress. 1126 * 1127 * @param string $password Plain text user password to hash 1128 * @param string $hash may be md5 or phpass hashed password 1129 * @param integer $account_id only useful to update password hash from md5 to phpass 1130 * @return string The hash string of the password 1131 */ 1132 function pwg_password_verify($password, $hash, $user_id=null) 1133 { 1134 global $conf, $pwg_hasher; 1135 1136 // If the hash is still md5... 1137 if (strlen($hash) <= 32) 1138 { 1139 $check = ($hash == md5($password)); 1140 1141 if ($check and isset($user_id) and !$conf['external_authentification']) 1142 { 1143 // Rehash using new hash. 1144 $hash = pwg_password_hash($password); 1145 1146 single_update( 1147 USERS_TABLE, 1148 array('password' => $hash), 1149 array('id' => $user_id) 1150 ); 1151 } 1152 } 1153 1154 // If the stored hash is longer than an MD5, presume the 1155 // new style phpass portable hash. 1156 if (empty($pwg_hasher)) 1157 { 1158 require_once(PHPWG_ROOT_PATH.'include/passwordhash.class.php'); 1159 1160 // We use the portable hash feature 1161 $pwg_hasher = new PasswordHash(13, true); 1162 } 1163 1164 return $pwg_hasher->CheckPassword($password, $hash); 1165 } 1166 1167 /** 1098 1168 * Tries to login a user given username and password (must be MySql escaped) 1099 1169 * return true on success … … 1113 1183 ;'; 1114 1184 $row = pwg_db_fetch_assoc(pwg_query($query)); 1115 if ($ row['password'] == $conf['pass_convert']($password))1185 if ($conf['password_verify']($password, $row['password'], $row['id'])) 1116 1186 { 1117 1187 log_user($row['id'], $remember_me); -
trunk/install/piwigo_structure-mysql.sql
r18164 r18889 442 442 `id` smallint(5) NOT NULL auto_increment, 443 443 `username` varchar(100) binary NOT NULL default '', 444 `password` varchar( 32) default NULL,444 `password` varchar(255) default NULL, 445 445 `mail_address` varchar(255) default NULL, 446 446 PRIMARY KEY (`id`), -
trunk/password.php
r18700 r18889 222 222 single_update( 223 223 USERS_TABLE, 224 array($conf['user_fields']['password'] => $conf['pass _convert']($_POST['use_new_pwd'])),224 array($conf['user_fields']['password'] => $conf['password_hash']($_POST['use_new_pwd'])), 225 225 array($conf['user_fields']['id'] => $user_id) 226 226 ); -
trunk/profile.php
r15578 r18889 178 178 list($current_password) = pwg_db_fetch_row(pwg_query($query)); 179 179 180 if ( $conf['pass_convert']($_POST['password']) != $current_password)180 if (!$conf['password_verify']($_POST['password'], $current_password)) 181 181 { 182 182 $errors[] = l10n('Current password is wrong'); … … 203 203 { 204 204 array_push($fields, $conf['user_fields']['password']); 205 // password is encrpyted with function $conf['pass_convert']206 $data{$conf['user_fields']['password']} = $conf['pass _convert']($_POST['use_new_pwd']);205 // password is hashed with function $conf['password_hash'] 206 $data{$conf['user_fields']['password']} = $conf['password_hash']($_POST['use_new_pwd']); 207 207 } 208 208
Note: See TracChangeset
for help on using the changeset viewer.