CoreLibs/development
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Backport new password interface to legacy classes

Browse Source
This commit is contained in:
Clemens Schwaighofer
2018-05-09 11:47:16 +09:00
parent 7b085f86f0
commit 85a327f45f
3 changed files with 97 additions and 20 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
www/libs/Class.Login.inc
View File

@@ -283,13 +283,25 @@ class login extends db_io
} elseif ((preg_match("/^\\$2(a|y)\\$/", $res['password']) && CRYPT_BLOWFISH != 1) || (preg_match("/^\\$1\\$/", $res['password']) && CRYPT_MD5 != 1) || (preg_match("/^\\$[0-9A-Za-z.]{12}$/", $res['password']) && CRYPT_STD_DES != 1)) {
// this means password cannot be decrypted because of missing crypt methods
$this->login_error = 9999;
} elseif ((preg_match("/^\\$2(a|y)\\$/", $res['password']) || preg_match("/^\\$1\\$/", $res['password']) || preg_match("/^\\$[0-9A-Za-z.]{12}$/", $res['password'])) && !$this->verifyCryptString($this->password, $res['password'])) {
} elseif ((preg_match("/^\\$2(a|y)\\$/", $res['password']) || preg_match("/^\\$1\\$/", $res['password']) || preg_match("/^\\$[0-9A-Za-z.]{12}$/", $res['password'])) && preg_match("/\\$07\\$/", $res['password']) && !$this->verifyCryptString($this->password, $res['password'])) {
// check passwword as crypted, $2a$ or $2y$ is blowfish start, $1$ is MD5 start, $\w{12} is standard DES
// this is only for OLD $07$ password
$this->login_error = 1011;
} elseif (preg_match("/^\\$2y\\$/", $res['password']) && !preg_match("/\\$07\\$/", $res['password']) && !$this->passwordVerify($this->password, $res['password'])) {
// this is the new password hash methid, is only $2y$
$this->login_error = 1013;
} elseif (!preg_match("/^\\$2(a|y)\\$/", $res['password']) && !preg_match("/^\\$1\\$/", $res['password']) && !preg_match("/^\\$[0-9A-Za-z.]{12}$/", $res['password']) && $res['password'] != $this->password) {
// check old plain password, non case sensitive
$this->login_error = 1012;
} else {
// check if the current password is an invalid hash and do a rehash and set password
// $this->debug('LOGIN', 'Hash: '.$res['password'].' -> VERIFY: '.($this->passwordVerify($this->password, $res['password']) ? 'OK' : 'FAIL').' => HASH: '.($this->passwordRehashCheck($res['password']) ? 'NEW NEEDED' : 'OK'));
if ($this->passwordRehashCheck($res['password'])) {
$new_hash = $this->passwordSet($this->password);
// update password hash to new one now
$q = "UPDATE edit_user SET password = '".$this->dbEscapeString($new_hash)."' WHERE edit_user_id = ".$res['edit_user_id'];
$this->dbExec($q);
}
// normal user processing
// set class var and session var
$_SESSION["EUID"] = $this->euid = $res["edit_user_id"];