Cavemanon/cavepaintings
7
Fork 2
Code Issues 3 Pull Requests Projects Releases Wiki Activity

migrate to bcrypt for password storage

Browse Source
This commit is contained in:
Shish
2014-05-24 00:28:57 +01:00
parent 36713803e3
commit eb51a9b639
6 changed files with 321 additions and 21 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
ext/user/main.php
View File

@ -392,18 +392,17 @@ class UserPage extends Extension {
* @param Page $page
*/
private function login(Page $page) {
global $user, $config;
global $config, $user;
$name = $_POST['user'];
$pass = $_POST['pass'];
$hash = md5(strtolower($name) . $pass);
if(empty($name) || empty($pass)) {
$this->theme->display_error(400, "Error", "Username or password left blank");
return;
}
$duser = User::by_name_and_hash($name, $hash);
$duser = User::by_name_and_pass($name, $pass);
if(!is_null($duser)) {
$user = $duser;
$this->set_login_cookie($duser->name, $pass);
@ -421,7 +420,7 @@ class UserPage extends Extension {
}
}
else {
log_warning("user", "Failed to log in as ".html_escape($name)." [$hash]");
log_warning("user", "Failed to log in as ".html_escape($name));
$this->theme->display_error(401, "Error", "No user with those details was found");
}
}
@ -455,7 +454,6 @@ class UserPage extends Extension {
{
global $database, $user;
$hash = md5(strtolower($event->username) . $event->password);
$email = (!empty($event->email)) ? $event->email : null;
// if there are currently no admins, the new user should be one
@ -464,9 +462,10 @@ class UserPage extends Extension {
$database->Execute(
"INSERT INTO users (name, pass, joindate, email, class) VALUES (:username, :hash, now(), :email, :class)",
array("username"=>$event->username, "hash"=>$hash, "email"=>$email, "class"=>$class));
array("username"=>$event->username, "hash"=>'', "email"=>$email, "class"=>$class));
$uid = $database->get_last_insert_id('users_id_seq');
$user = User::by_name($event->username);
$user->set_password($event->password);
log_info("user", "Created User #$uid ({$event->username})");
}
@ -478,7 +477,7 @@ class UserPage extends Extension {
global $config;
$addr = get_session_ip($config);
$hash = md5(strtolower($name) . $pass);
$hash = User::by_name($name)->passhash;
set_prefixed_cookie("user", $name,
time()+60*60*24*365, '/');