tyler.durden
/
pandorafms
mirror of https://github.com/pandorafms/pandorafms.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

#10101 Fixed password_hash

This commit is contained in:
Daniel Maya 2023-01-03 17:08:28 +01:00
parent 9d915e63a0
commit 13aa76af1e
2 changed files with 90 additions and 69 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

134
pandora_console/include/auth/mysql.php
View File

@ -148,67 +148,23 @@ function process_user_login_local($login, $pass, $api=false)
{ {
global $config, $mysql_cache; global $config, $mysql_cache;
// Connect to Database // Connect to Database.
switch ($config['dbtype']) { if (!$api) {
case 'mysql': $sql = sprintf(
if (!$api) { "SELECT `id_user`, `password`
$sql = sprintf( FROM `tusuario`
"SELECT `id_user`, `password` WHERE `id_user` = '%s' AND `not_login` = 0
FROM `tusuario` AND `disabled` = 0",
WHERE `id_user` = '%s' AND `not_login` = 0 $login
AND `disabled` = 0", );
$login } else {
); $sql = sprintf(
} else { "SELECT `id_user`, `password`
$sql = sprintf( FROM `tusuario`
"SELECT `id_user`, `password` WHERE `id_user` = '%s'
FROM `tusuario` AND `disabled` = 0",
WHERE `id_user` = '%s' $login
AND `disabled` = 0", );
$login
);
}
break;
case 'postgresql':
if (!$api) {
$sql = sprintf(
'SELECT "id_user", "password"
FROM "tusuario"
WHERE "id_user" = \'%s\' AND "not_login" = 0
AND "disabled" = 0',
$login
);
} else {
$sql = sprintf(
'SELECT "id_user", "password"
FROM "tusuario"
WHERE "id_user" = \'%s\'
AND "disabled" = 0',
$login
);
}
break;
case 'oracle':
if (!$api) {
$sql = sprintf(
'SELECT id_user, password
FROM tusuario
WHERE id_user = \'%s\' AND not_login = 0
AND disabled = 0',
$login
);
} else {
$sql = sprintf(
'SELECT id_user, password
FROM tusuario
WHERE id_user = \'%s\'
AND disabled = 0',
$login
);
}
break;
} }
$row = db_get_row_sql($sql); $row = db_get_row_sql($sql);
@ -666,8 +622,16 @@ function process_user_contact(string $id_user)
function create_user($id_user, $password, $user_info) function create_user($id_user, $password, $user_info)
{ {
$values = $user_info; $values = $user_info;
$column_type = db_get_column_type('tusuario', 'password');
if (empty($column_type) === false && isset($column_type[0]['COLUMN_TYPE'])) {
$column_type = ($column_type[0]['COLUMN_TYPE'] === 'varchar(45)');
} else {
$column_type = false;
}
$values['id_user'] = $id_user; $values['id_user'] = $id_user;
$values['password'] = password_hash($password, PASSWORD_BCRYPT); $values['password'] = ($column_type === true) ? md5($password) : password_hash($password, PASSWORD_BCRYPT);
$values['last_connect'] = 0; $values['last_connect'] = 0;
$values['registered'] = get_system_time(); $values['registered'] = get_system_time();
@ -775,9 +739,19 @@ function update_user_password(string $user, string $password_new)
return false; return false;
} }
$column_type = db_get_column_type('tusuario', 'password');
if (empty($column_type) === false && isset($column_type[0]['COLUMN_TYPE'])) {
$column_type = ($column_type[0]['COLUMN_TYPE'] === 'varchar(45)');
} else {
$column_type = false;
}
if (isset($config['auth']) === true && $config['auth'] === 'pandora') { if (isset($config['auth']) === true && $config['auth'] === 'pandora') {
$sql = sprintf( $sql = sprintf(
"UPDATE tusuario SET password = '".password_hash($password_new, PASSWORD_BCRYPT)."', last_pass_change = '".date('Y-m-d H:i:s', get_system_time())."' WHERE id_user = '".$user."'" "UPDATE tusuario SET password = '%s', last_pass_change = '%s' WHERE id_user = '%s'",
($column_type === true) ? md5($password_new) : password_hash($password_new, PASSWORD_BCRYPT),
date('Y-m-d H:i:s', get_system_time()),
$user
); );
$connection = mysql_connect_db( $connection = mysql_connect_db(
@ -797,7 +771,7 @@ function update_user_password(string $user, string $password_new)
return db_process_sql_update( return db_process_sql_update(
'tusuario', 'tusuario',
[ [
'password' => password_hash($password_new, PASSWORD_BCRYPT), 'password' => ($column_type === true) ? md5($password_new) : password_hash($password_new, PASSWORD_BCRYPT),
'last_pass_change' => date('Y/m/d H:i:s', get_system_time()), 'last_pass_change' => date('Y/m/d H:i:s', get_system_time()),
], ],
['id_user' => $user] ['id_user' => $user]
@ -1061,7 +1035,14 @@ function create_user_and_permisions_ldap(
$values['id_user'] = $id_user; $values['id_user'] = $id_user;
if ($config['ldap_save_password'] || $config['ad_save_password']) { if ($config['ldap_save_password'] || $config['ad_save_password']) {
$values['password'] = password_hash($password, PASSWORD_BCRYPT); $column_type = db_get_column_type('tusuario', 'password');
if (empty($column_type) === false && isset($column_type[0]['COLUMN_TYPE'])) {
$column_type = ($column_type[0]['COLUMN_TYPE'] === 'varchar(45)');
} else {
$column_type = false;
}
$values['password'] = ($column_type === true) ? md5($password) : password_hash($password, PASSWORD_BCRYPT);
} }
$values['last_connect'] = 0; $values['last_connect'] = 0;
@ -1493,11 +1474,26 @@ function change_local_user_pass_ldap($id_user, $password)
$local_user_pass = db_get_value_filter('password', 'tusuario', ['id_user' => $id_user]); $local_user_pass = db_get_value_filter('password', 'tusuario', ['id_user' => $id_user]);
$return = false; $return = false;
if (password_hash($password, PASSWORD_BCRYPT) !== $local_user_pass) {
$values_update = [];
$values_update['password'] = password_hash($password, PASSWORD_BCRYPT);
$return = db_process_sql_update('tusuario', $values_update, ['id_user' => $id_user]); $column_type = db_get_column_type('tusuario', 'password');
if (empty($column_type) === false && isset($column_type[0]['COLUMN_TYPE'])) {
$column_type = ($column_type[0]['COLUMN_TYPE'] === 'varchar(45)');
} else {
$column_type = false;
}
$values_update = [];
if ($column_type === true) {
if (md5($password) !== $local_user_pass) {
$values_update['password'] = md5($password);
$return = db_process_sql_update('tusuario', $values_update, ['id_user' => $id_user]);
}
} else {
if (password_hash($password, PASSWORD_BCRYPT) !== $local_user_pass) {
$values_update['password'] = password_hash($password, PASSWORD_BCRYPT);
$return = db_process_sql_update('tusuario', $values_update, ['id_user' => $id_user]);
}
} }
return $return; return $return;

25
pandora_console/include/functions_db.php
View File

@ -2530,3 +2530,28 @@ function db_unlock_tables()
return $result; return $result;
} }
/**
* Get column type. Example: 'varchar(60)'.
*
* @param string $table Table name.
* @param string $column Column name.
*
* @return array|boolean
*/
function db_get_column_type(string $table, string $column='')
{
$sql = sprintf(
'SELECT column_type FROM information_schema.columns WHERE table_name = "%s"',
$table
);
if (empty($column) === false) {
$sql .= sprintf(' AND column_name="%s"', $column);
}
$result = db_process_sql($sql);
return $result;
}