tyler.durden
/
pandorafms
mirror of https://github.com/pandorafms/pandorafms.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

changed user password hashing

This commit is contained in:
alejandro.campos@artica.es 2022-12-15 13:24:51 +01:00
parent f6b4631b50
commit 4ea10b5a5b
3 changed files with 16 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
pandora_console/extras/mr/60.sql
View File

@ -8,4 +8,6 @@ ALTER TABLE `tagent_custom_fields` ADD `is_link_enabled` TINYINT(1) NOT NULL DEF
ALTER TABLE `tevent_filter` ADD COLUMN `owner_user` TEXT; ALTER TABLE `tevent_filter` ADD COLUMN `owner_user` TEXT;
ALTER TABLE `tevent_filter` ADD COLUMN `not_search` INT NOT NULL DEFAULT 0; ALTER TABLE `tevent_filter` ADD COLUMN `not_search` INT NOT NULL DEFAULT 0;
ALTER TABLE `tusuario` MODIFY COLUMN `password` VARCHAR(60) DEFAULT NULL;
COMMIT; COMMIT;

20
pandora_console/include/auth/mysql.php
View File

@ -213,10 +213,16 @@ function process_user_login_local($login, $pass, $api=false)
$row = db_get_row_sql($sql); $row = db_get_row_sql($sql);
// Check that row exists, that password is not empty and that password is the same hash // Perform password check whether it is MD5-hashed (old hashing) or Bcrypt-hashed.
if ($row !== false && $row['password'] !== md5('') if (strlen($row['password']) === 32) {
&& $row['password'] == md5($pass) // MD5.
) { $credentials_check = $row !== false && $row['password'] !== md5('') && $row['password'] == md5($pass);
} else {
// Bcrypt.
$credentials_check = password_verify($pass, $row['password']);
}
if ($credentials_check === true) {
// Login OK // Login OK
// Nick could be uppercase or lowercase (select in MySQL // Nick could be uppercase or lowercase (select in MySQL
// is not case sensitive) // is not case sensitive)
@ -656,7 +662,7 @@ function create_user($id_user, $password, $user_info)
{ {
$values = $user_info; $values = $user_info;
$values['id_user'] = $id_user; $values['id_user'] = $id_user;
$values['password'] = md5($password); $values['password'] = password_hash($password, PASSWORD_BCRYPT);
$values['last_connect'] = 0; $values['last_connect'] = 0;
$values['registered'] = get_system_time(); $values['registered'] = get_system_time();
@ -766,7 +772,7 @@ function update_user_password(string $user, string $password_new)
if (isset($config['auth']) === true && $config['auth'] === 'pandora') { if (isset($config['auth']) === true && $config['auth'] === 'pandora') {
$sql = sprintf( $sql = sprintf(
"UPDATE tusuario SET password = '".md5($password_new)."', last_pass_change = '".date('Y-m-d H:i:s', get_system_time())."' WHERE id_user = '".$user."'" "UPDATE tusuario SET password = '".password_hash($password_new, PASSWORD_BCRYPT)."', last_pass_change = '".date('Y-m-d H:i:s', get_system_time())."' WHERE id_user = '".$user."'"
); );
$connection = mysql_connect_db( $connection = mysql_connect_db(
@ -786,7 +792,7 @@ function update_user_password(string $user, string $password_new)
return db_process_sql_update( return db_process_sql_update(
'tusuario', 'tusuario',
[ [
'password' => md5($password_new), 'password' => password_hash($password_new, PASSWORD_BCRYPT),
'last_pass_change' => date('Y/m/d H:i:s', get_system_time()), 'last_pass_change' => date('Y/m/d H:i:s', get_system_time()),
], ],
['id_user' => $user] ['id_user' => $user]

2
pandora_console/pandoradb.sql
View File

@ -1275,7 +1275,7 @@ CREATE TABLE IF NOT EXISTS `tusuario` (
`firstname` VARCHAR(255) NOT NULL, `firstname` VARCHAR(255) NOT NULL,
`lastname` VARCHAR(255) NOT NULL, `lastname` VARCHAR(255) NOT NULL,
`middlename` VARCHAR(255) NOT NULL, `middlename` VARCHAR(255) NOT NULL,
`password` VARCHAR(45) DEFAULT NULL, `password` VARCHAR(60) DEFAULT NULL,
`comments` VARCHAR(200) DEFAULT NULL, `comments` VARCHAR(200) DEFAULT NULL,
`last_connect` BIGINT NOT NULL DEFAULT 0, `last_connect` BIGINT NOT NULL DEFAULT 0,
`registered` BIGINT NOT NULL DEFAULT 0, `registered` BIGINT NOT NULL DEFAULT 0,