Merge branch 'ent-10101-comprobar-varchar60-antes-de-hacer-el-cambio-de-md5-sha' into 'develop'

Ent 10101 comprobar varchar60 antes de hacer el cambio de md5 sha

See merge request artica/pandorafms!5371
Enrique Martin 2023-01-04 15:46:02 +00:00
commit 78c565cbc1
2 changed files with 90 additions and 69 deletions


@ -148,67 +148,23 @@ function process_user_login_local($login, $pass, $api=false)
{
global $config, $mysql_cache;
// Connect to Database
switch ($config['dbtype']) {
case 'mysql':
if (!$api) {
$sql = sprintf(
"SELECT `id_user`, `password`
FROM `tusuario`
WHERE `id_user` = '%s' AND `not_login` = 0
AND `disabled` = 0",
$login
);
} else {
$sql = sprintf(
"SELECT `id_user`, `password`
FROM `tusuario`
WHERE `id_user` = '%s'
AND `disabled` = 0",
$login
);
}
break;
case 'postgresql':
if (!$api) {
$sql = sprintf(
'SELECT "id_user", "password"
FROM "tusuario"
WHERE "id_user" = \'%s\' AND "not_login" = 0
AND "disabled" = 0',
$login
);
} else {
$sql = sprintf(
'SELECT "id_user", "password"
FROM "tusuario"
WHERE "id_user" = \'%s\'
AND "disabled" = 0',
$login
);
}
break;
case 'oracle':
if (!$api) {
$sql = sprintf(
'SELECT id_user, password
FROM tusuario
WHERE id_user = \'%s\' AND not_login = 0
AND disabled = 0',
$login
);
} else {
$sql = sprintf(
'SELECT id_user, password
FROM tusuario
WHERE id_user = \'%s\'
AND disabled = 0',
$login
);
}
break;
// Connect to Database.
if (!$api) {
$sql = sprintf(
"SELECT `id_user`, `password`
FROM `tusuario`
WHERE `id_user` = '%s' AND `not_login` = 0
AND `disabled` = 0",
$login
);
} else {
$sql = sprintf(
"SELECT `id_user`, `password`
FROM `tusuario`
WHERE `id_user` = '%s'
AND `disabled` = 0",
$login
);
}
$row = db_get_row_sql($sql);
@ -666,8 +622,16 @@ function process_user_contact(string $id_user)
function create_user($id_user, $password, $user_info)
{
$values = $user_info;
$column_type = db_get_column_type('tusuario', 'password');
if (empty($column_type) === false && isset($column_type[0]['COLUMN_TYPE'])) {
$column_type = ($column_type[0]['COLUMN_TYPE'] === 'varchar(60)');
} else {
$column_type = false;
}
$values['id_user'] = $id_user;
$values['password'] = password_hash($password, PASSWORD_BCRYPT);
$values['password'] = ($column_type === false) ? md5($password) : password_hash($password, PASSWORD_BCRYPT);
$values['last_connect'] = 0;
$values['registered'] = get_system_time();
@ -775,9 +739,19 @@ function update_user_password(string $user, string $password_new)
return false;
}
$column_type = db_get_column_type('tusuario', 'password');
if (empty($column_type) === false && isset($column_type[0]['COLUMN_TYPE'])) {
$column_type = ($column_type[0]['COLUMN_TYPE'] === 'varchar(60)');
} else {
$column_type = false;
}
if (isset($config['auth']) === true && $config['auth'] === 'pandora') {
$sql = sprintf(
"UPDATE tusuario SET password = '".password_hash($password_new, PASSWORD_BCRYPT)."', last_pass_change = '".date('Y-m-d H:i:s', get_system_time())."' WHERE id_user = '".$user."'"
"UPDATE tusuario SET password = '%s', last_pass_change = '%s' WHERE id_user = '%s'",
($column_type === false) ? md5($password_new) : password_hash($password_new, PASSWORD_BCRYPT),
date('Y-m-d H:i:s', get_system_time()),
$user
);
$connection = mysql_connect_db(
@ -797,7 +771,7 @@ function update_user_password(string $user, string $password_new)
return db_process_sql_update(
'tusuario',
[
'password' => password_hash($password_new, PASSWORD_BCRYPT),
'password' => ($column_type === false) ? md5($password_new) : password_hash($password_new, PASSWORD_BCRYPT),
'last_pass_change' => date('Y/m/d H:i:s', get_system_time()),
],
['id_user' => $user]
@ -1061,7 +1035,14 @@ function create_user_and_permisions_ldap(
$values['id_user'] = $id_user;
if ($config['ldap_save_password'] || $config['ad_save_password']) {
$values['password'] = password_hash($password, PASSWORD_BCRYPT);
$column_type = db_get_column_type('tusuario', 'password');
if (empty($column_type) === false && isset($column_type[0]['COLUMN_TYPE'])) {
$column_type = ($column_type[0]['COLUMN_TYPE'] === 'varchar(60)');
} else {
$column_type = false;
}
$values['password'] = ($column_type === false) ? md5($password) : password_hash($password, PASSWORD_BCRYPT);
}
$values['last_connect'] = 0;
@ -1493,11 +1474,26 @@ function change_local_user_pass_ldap($id_user, $password)
$local_user_pass = db_get_value_filter('password', 'tusuario', ['id_user' => $id_user]);
$return = false;
if (password_hash($password, PASSWORD_BCRYPT) !== $local_user_pass) {
$values_update = [];
$values_update['password'] = password_hash($password, PASSWORD_BCRYPT);
$return = db_process_sql_update('tusuario', $values_update, ['id_user' => $id_user]);
$column_type = db_get_column_type('tusuario', 'password');
if (empty($column_type) === false && isset($column_type[0]['COLUMN_TYPE'])) {
$column_type = ($column_type[0]['COLUMN_TYPE'] === 'varchar(60)');
} else {
$column_type = false;
}
$values_update = [];
if ($column_type === false) {
if (md5($password) !== $local_user_pass) {
$values_update['password'] = md5($password);
$return = db_process_sql_update('tusuario', $values_update, ['id_user' => $id_user]);
}
} else {
if (password_hash($password, PASSWORD_BCRYPT) !== $local_user_pass) {
$values_update['password'] = password_hash($password, PASSWORD_BCRYPT);
$return = db_process_sql_update('tusuario', $values_update, ['id_user' => $id_user]);
}
}
return $return;
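Review bot: In the last hunk, `if (password_hash($password, PASSWORD_BCRYPT) !== $local_user_pass)` (carried over from the removed line) can never be false, because bcrypt embeds a fresh random salt on every call, so the "password unchanged" check is dead and the row is rewritten on every call; the intended comparison is `if (!password_verify($password, $local_user_pass)) {`. The md5 branch next to it compares the digest as-is, but note that with this fallback an unsalted md5 digest is written whenever `tusuario.password` is still narrower than varchar(60), so the column widening has to precede this code on every installation for the bcrypt path to be taken. The five-line `db_get_column_type` / `COLUMN_TYPE` check is pasted verbatim into create_user, update_user_password, create_user_and_permisions_ldap and change_local_user_pass_ldap; one helper such as `function tusuario_password_is_bcrypt(): bool` would keep the four call sites in sync and give the rule a single place to be removed once the migration is mandatory. change_local_user_pass_ldap's signature is visible only in the hunk header; the rest of its body lies outside the hunk.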


@ -2530,3 +2530,28 @@ function db_unlock_tables()
return $result;
}
/**
* Get column type. Example: 'varchar(60)'.
*
* @param string $table Table name.
* @param string $column Column name.
*
* @return array|boolean
*/
function db_get_column_type(string $table, string $column='')
{
$sql = sprintf(
'SELECT column_type FROM information_schema.columns WHERE table_name = "%s"',
$table
);
if (empty($column) === false) {
$sql .= sprintf(' AND column_name="%s"', $column);
}
$result = db_process_sql($sql);
return $result;
}
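Review bot: `db_get_column_type` filters `information_schema.columns` by `table_name` only, so on a server hosting several databases that each contain a `tusuario` table, row `[0]` may describe another schema's column and the varchar(60) decision the callers make would follow the wrong database; restricting the query to the current schema, `'SELECT column_type FROM information_schema.columns WHERE table_schema = DATABASE() AND table_name = "%s"'`, removes that ambiguity. The callers read `$column_type[0]['COLUMN_TYPE']` while the query selects `column_type`; whether the driver returns the key upper- or lower-case depends on the server, so selecting `COLUMN_TYPE` (or aliasing `column_type AS COLUMN_TYPE`) pins the key the callers expect. The double-quoted literals `"%s"` are parsed as identifiers rather than strings when the session has `ANSI_QUOTES` in its sql_mode; single-quoted literals avoid that. The docblock could also say that the return value is the raw `db_process_sql` row set rather than the single type string its first line suggests.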