[geeklog-cvs] geeklog: Initial checkin of password update
Thu Feb 9 00:11:29 EST 2012
changeset 8488:99f332cec84c
url: http://project.geeklog.net/cgi-bin/hgwebdir.cgi/geeklog/rev/99f332cec84c
user: vinny
date: Wed Feb 08 20:36:25 2012 -0700
description:
Initial checkin of password update
diffstat:
.hgignore | 1 +
language/english.php | 8 +-
language/english_utf-8.php | 8 +-
public_html/admin/configuration.php | 39 +++++
public_html/admin/configuration_validation.php | 8 +
public_html/admin/install/config-install.php | 5 +
public_html/admin/install/lib-upgrade.php | 1 +
public_html/admin/sectest.php | 3 +-
public_html/admin/user.php | 19 +-
public_html/docs/english/config.html | 19 ++
public_html/users.php | 5 +-
public_html/usersettings.php | 22 +--
sql/mssql_tableanddata.php | 1 +
sql/mysql_tableanddata.php | 5 +-
sql/pgsql_tableanddata.php | 5 +-
sql/updates/mssql_1.7.2_to_1.8.0.php | 3 +-
sql/updates/mssql_1.8.1_to_1.9.0.php | 11 +
sql/updates/mysql_1.7.2_to_1.8.0.php | 3 +-
sql/updates/mysql_1.8.1_to_1.9.0.php | 11 +
sql/updates/pgsql_1.7.2_to_1.8.0.php | 3 +-
sql/updates/pgsql_1.8.1_to_1.9.0.php | 11 +
system/classes/oauthhelper.class.php | 5 +-
system/classes/openidhelper.class.php | 4 +-
system/lib-security.php | 167 ++++++++++++++++++++++++-
system/lib-user.php | 34 +----
25 files changed, 323 insertions(+), 78 deletions(-)
diffs (truncated from 799 to 300 lines):
diff -r aded9302eef5 -r 99f332cec84c .hgignore
--- a/.hgignore Tue Jan 17 09:14:25 2012 -0500
+++ b/.hgignore Wed Feb 08 20:36:25 2012 -0700
@@ -12,6 +12,7 @@
system/pear/Text
system/pear/XML
system/pear/scripts
+system/pear/LICENSE
db-config.php
public_html/siteconfig.php
diff -r aded9302eef5 -r 99f332cec84c language/english.php
--- a/language/english.php Tue Jan 17 09:14:25 2012 -0500
+++ b/language/english.php Wed Feb 08 20:36:25 2012 -0700
@@ -1961,6 +1961,8 @@
'passwordspeedlimit' => "Password Speed Limit",
'login_attempts' => "Max. Login Attempts",
'login_speedlimit' => "Login Speed Limit",
+ 'pass_alg' => 'Password Hash Algorithm',
+ 'pass_stretch' => 'Hash Stretch Count',
'user_html' => "User HTML",
'admin_html' => "Admin HTML",
'advanced_html' => 'Additional HTML for Adv. Editor',
@@ -2059,7 +2061,8 @@
'fs_perm_block' => 'Block Default Permission',
'fs_webservices' => 'Webservices',
'fs_autotag_permissions' => 'Autotag Usage Permissions',
- 'fs_breadcrumbs' => 'Breadcrumbs'
+ 'fs_breadcrumbs' => 'Breadcrumbs',
+ 'fs_pass' => 'Password Settings'
);
$LANG_tab['Core'] = array(
@@ -2141,7 +2144,8 @@
25 => array('New Stories' => 'story', 'New Comments' => 'comment', 'New Trackbacks' => 'trackback', 'New Pingbacks' => 'pingback', 'New Users' => 'user'),
26 => array('G (General Audiences)' => 'G', 'PG (Parental Guidance)' => 'PG', 'R (Restricted)' => 'R', 'X (Explicit)' => 'X'),
27 => array('Hits (asc)' => 'hits|asc', 'Hits (desc)' => 'hits|desc', 'Date (asc)' => 'date|asc', 'Date (desc)' => 'date|desc', 'Title (asc)' => 'title|asc', 'Title (desc)' => 'title|desc', 'Author (asc)' => 'uid|asc', 'Author (desc)' => 'uid|desc'),
- 28 => array('No access' => 0, 'Use' => 2)
+ 28 => array('No access' => 0, 'Use' => 2),
+ 29 => array('md5' => 0, 'sha1' => 1, 'sha256' => 2, 'sha512' => 3, 'blowfish' => 4)
);
################################################################################
diff -r aded9302eef5 -r 99f332cec84c language/english_utf-8.php
--- a/language/english_utf-8.php Tue Jan 17 09:14:25 2012 -0500
+++ b/language/english_utf-8.php Wed Feb 08 20:36:25 2012 -0700
@@ -1961,6 +1961,8 @@
'passwordspeedlimit' => "Password Speed Limit",
'login_attempts' => "Max. Login Attempts",
'login_speedlimit' => "Login Speed Limit",
+ 'pass_alg' => 'Password Hash Algorithm',
+ 'pass_stretch' => 'Hash Stretch Count',
'user_html' => "User HTML",
'admin_html' => "Admin HTML",
'advanced_html' => 'Additional HTML for Adv. Editor',
@@ -2059,7 +2061,8 @@
'fs_perm_block' => 'Block Default Permission',
'fs_webservices' => 'Webservices',
'fs_autotag_permissions' => 'Autotag Usage Permissions',
- 'fs_breadcrumbs' => 'Breadcrumbs'
+ 'fs_breadcrumbs' => 'Breadcrumbs',
+ 'fs_pass' => 'Password Settings'
);
$LANG_tab['Core'] = array(
@@ -2141,7 +2144,8 @@
25 => array('New Stories' => 'story', 'New Comments' => 'comment', 'New Trackbacks' => 'trackback', 'New Pingbacks' => 'pingback', 'New Users' => 'user'),
26 => array('G (General Audiences)' => 'G', 'PG (Parental Guidance)' => 'PG', 'R (Restricted)' => 'R', 'X (Explicit)' => 'X'),
27 => array('Hits (asc)' => 'hits|asc', 'Hits (desc)' => 'hits|desc', 'Date (asc)' => 'date|asc', 'Date (desc)' => 'date|desc', 'Title (asc)' => 'title|asc', 'Title (desc)' => 'title|desc', 'Author (asc)' => 'uid|asc', 'Author (desc)' => 'uid|desc'),
- 28 => array('No access' => 0, 'Use' => 2)
+ 28 => array('No access' => 0, 'Use' => 2),
+ 29 => array('md5' => 0, 'sha1' => 1, 'sha256' => 2, 'sha512' => 3, 'blowfish' => 4)
);
################################################################################
diff -r aded9302eef5 -r 99f332cec84c public_html/admin/configuration.php
--- a/public_html/admin/configuration.php Tue Jan 17 09:14:25 2012 -0500
+++ b/public_html/admin/configuration.php Wed Feb 08 20:36:25 2012 -0700
@@ -435,6 +435,45 @@
return $ret;
}
+/**
+ * Custom validation rule for hash function
+ *
+ * @param string $rule String of rule name
+ * @param array $ruleParams Parameter of validation
+ * @return boolean Success
+ *
+ */
+function custom_validation_hash_function($rule, $ruleParams) {
+ $ret = false;
+
+ switch ($ruleParams[0]['pass_alg']) {
+ case HashFunction::md5:
+ if (function_exists('md5')) $ret = true;
+ break;
+
+ case HashFunction::sha1:
+ if (function_exists('sha1')) $ret = true;
+ break;
+
+ case HashFunction::sha256:
+ if (CRYPT_SHA256 == 1) $ret = true;
+ break;
+
+ case HashFunction::sha512:
+ if (CRYPT_SHA512 == 1) $ret = true;
+ break;
+
+ case HashFunction::blowfish:
+ if (CRYPT_BLOWFISH == 1) $ret = true;
+ break;
+
+ default:
+ $ret = false;
+ }
+
+ return $ret;
+}
+
// MAIN
$display = '';
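Review bot: The validator accepts md5 and sha1 as valid choices for `pass_alg`, and since `function_exists('md5')` and `function_exists('sha1')` are true on every PHP build, the rule never rejects the two weakest options; it only guards the crypt()-backed ones, so an administrator can still configure the site onto md5. The sha256/sha512/blowfish branches compare `CRYPT_SHA256`, `CRYPT_SHA512` and `CRYPT_BLOWFISH` directly, but those constants are only defined when the PHP build provides that crypt() variant (the SHA-2 ones need PHP 5.3.2+); on a build without them the comparison raises an undefined-constant notice and compares the string name, not a clean false. Guard each branch with `defined()`, e.g. `if (defined('CRYPT_SHA256') && CRYPT_SHA256 === 1) $ret = true;`, and consider making the md5 branch fail validation, or at least emit a warning, so new sites cannot be pointed at it. The md5/sha1 branches check PHP's hash functions while the others check crypt() support, which suggests two different hashing paths in lib-security.php; a comment naming which path each algorithm takes would help the next reader.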
diff -r aded9302eef5 -r 99f332cec84c public_html/admin/configuration_validation.php
--- a/public_html/admin/configuration_validation.php Tue Jan 17 09:14:25 2012 -0500
+++ b/public_html/admin/configuration_validation.php Wed Feb 08 20:36:25 2012 -0700
@@ -305,6 +305,14 @@
$_CONF_VALIDATE['Core']['login_attempts'] = array('rule' => 'numeric');
$_CONF_VALIDATE['Core']['login_speedlimit'] = array('rule' => 'numeric');
+/* Subgroup User and Submissions, Tab Login Settings, Fieldset Password */
+$_CONF_VALIDATE['Core']['pass_alg'] = array(
+ 'rule' => 'hash_function',
+ 'message' => "Unsupported hash function selected" /* FIXME */
+);
+$_CONF_VALIDATE['Core']['pass_stretch'] = array('rule' => array('comparison', '>', 0));
+
+
/* Subgroup Users and Submissions, Tab User Submission */
$_CONF_VALIDATE['Core']['usersubmission'] = array('rule' => 'boolean');
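Review bot: The `pass_stretch` rule only requires a value greater than 0, so `1` (no stretching at all) passes, and there is no upper bound, so a mistyped value such as 40960000 turns every login into a multi-second hash and effectively locks the site out; a sane range check, e.g. `'rule' => array('comparison', '>=', 1000)` paired with an upper bound, would catch both ends. Whether the `comparison` rule rejects non-numeric input is not visible here; if it does not, the value should also be validated as numeric like `login_attempts` and `login_speedlimit` above it. The `'message'` on `pass_alg` is a hard-coded English string marked FIXME and should come from the language file like the other validation messages.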
diff -r aded9302eef5 -r 99f332cec84c public_html/admin/install/config-install.php
--- a/public_html/admin/install/config-install.php Tue Jan 17 09:14:25 2012 -0500
+++ b/public_html/admin/install/config-install.php Wed Feb 08 20:36:25 2012 -0700
@@ -244,6 +244,11 @@
$c->add('login_attempts',3,'text',4,18,NULL,1690,TRUE, $me, 18);
$c->add('login_speedlimit',300,'text',4,18,NULL,1700,TRUE, $me, 18);
+ // password options
+ $c->add('fs_pass', NULL, 'fieldset', 4, 42, NULL, 0, TRUE, $me, 18);
+ $c->add('pass_alg', 1, 'select', 4, 42, 29, 800, TRUE, $me, 18);
+ $c->add('pass_stretch', 4096, 'text', 4, 42, NULL, 810, TRUE, $me, 18);
+
$c->add('tab_user_submission', NULL, 'tab', 4, 19, NULL, 0, TRUE, $me, 19);
$c->add('fs_user_submission', NULL, 'fieldset', 4, 19, NULL, 0, TRUE, $me, 19);
$c->add('usersubmission',0,'select',4,19,0,780,TRUE, $me, 19);
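Review bot: The installed default for `pass_alg` is `1`, which per the option map added in language/english.php is sha1, even though the companion validator in public_html/admin/configuration.php already detects at runtime whether the crypt()-backed sha512 and blowfish variants are available; new installs therefore start on sha1 and stay there unless an administrator finds the setting. Consider choosing the default at install time from what the PHP build supports, e.g. `$c->add('pass_alg', (defined('CRYPT_BLOWFISH') && CRYPT_BLOWFISH == 1) ? 4 : 1, 'select', 4, 42, 29, 800, TRUE, $me, 18);`, with a comment stating the fallback. The stretch default of 4096 is only meaningful if lib-security.php applies the iteration count to every algorithm, including the crypt()-based ones that carry their own cost parameter; that code is not in this hunk, so it is worth a sentence in the config docs either way.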
diff -r aded9302eef5 -r 99f332cec84c public_html/admin/install/lib-upgrade.php
--- a/public_html/admin/install/lib-upgrade.php Tue Jan 17 09:14:25 2012 -0500
+++ b/public_html/admin/install/lib-upgrade.php Wed Feb 08 20:36:25 2012 -0700
@@ -480,6 +480,7 @@
case '1.8.0':
// there were no database changes in 1.8.0
+
case '1.8.1':
require_once $_CONF['path'] . 'sql/updates/' . $_DB_dbms . '_1.8.1_to_1.9.0.php';
INST_updateDB($_SQL);
diff -r aded9302eef5 -r 99f332cec84c public_html/admin/sectest.php
--- a/public_html/admin/sectest.php Tue Jan 17 09:14:25 2012 -0500
+++ b/public_html/admin/sectest.php Wed Feb 08 20:36:25 2012 -0700
@@ -267,7 +267,8 @@
// check to see if any account still has 'password' as its password.
$pwdRoot = 0;
$pwdUser = 0;
- $result = DB_query("SELECT uid FROM {$_TABLES['users']} WHERE passwd='" . SEC_encryptPassword('password') . "'");
+ /* FIXME? the following will only work as long as the default admin password is stored in the DB using md5, no salt, and no (1) stretch */
+ $result = DB_query("SELECT uid FROM {$_TABLES['users']} WHERE passwd='" . SEC_encryptPassword('password', '', 0, 1) . "'");
$numPwd = DB_numRows($result);
if ($numPwd > 0) {
for ($i = 0; $i < $numPwd; $i++) {
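Review bot: The "still using the default password" check now only matches accounts whose hash was stored as single-round, unsalted md5, as the FIXME comment admits, so on a site configured for sha1/sha512/blowfish with a stretch count above 1 — which is what this commit installs by default — an account that still has `password` as its password is reported as clean. Instead of reproducing one legacy storage format, select the candidate accounts (Root group members, or every user when the table is small) and verify each with the same routine the login path uses, e.g. `if (SEC_encryptUserPassword('password', $uid) >= 0) { ... }` following the `< 0` convention that public_html/usersettings.php relies on, so the test tracks whatever algorithm and stretch count the site actually uses. The positional arguments in `SEC_encryptPassword('password', '', 0, 1)` are opaque at the call site; if they are (password, salt, algorithm, stretch) as the comment implies, name them in the comment. The enclosing function starts before this hunk.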
diff -r aded9302eef5 -r 99f332cec84c public_html/admin/user.php
--- a/public_html/admin/user.php Tue Jan 17 09:14:25 2012 -0500
+++ b/public_html/admin/user.php Wed Feb 08 20:36:25 2012 -0700
@@ -14,6 +14,7 @@
// | Mark Limburg - mlimburg AT users DOT sourceforge DOT net |
// | Jason Whittenburg - jwhitten AT securitygeeks DOT com |
// | Dirk Haun - dirk AT haun-online DOT de |
+// | Vincent Furia - vmf AT abtech DOT org |
// +---------------------------------------------------------------------------+
// | |
// | This program is free software; you can redistribute it and/or |
@@ -571,21 +572,10 @@
}
}
- if (empty ($uid) || !empty ($passwd)) {
- $passwd = SEC_encryptPassword($passwd);
- } else {
- if (empty($service)) {
- $passwd = DB_getItem($_TABLES['users'], 'passwd', "uid = $uid");
- }
- }
-
if (empty ($uid)) {
if (empty ($passwd)) {
// no password? create one ...
- $passwd = rand ();
- $passwd = md5 ($passwd);
- $passwd = substr ($passwd, 1, 8);
- $passwd = SEC_encryptPassword($passwd);
+ $passwd = SEC_generateRandomPassword();
}
$uid = USER_createAccount ($username, $email, $passwd, $fullname,
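Review bot: `USER_createAccount` now receives `$passwd` in the clear — the removed lines hashed it with `SEC_encryptPassword` before the call, and the generated fallback is now whatever `SEC_generateRandomPassword()` returns — so how a new account's password reaches `users.passwd` depends entirely on lib-user.php, which this commit touches but which is not shown here. Confirm that `USER_createAccount` hashes via `SEC_updateUserPassword` (or equivalent) and never writes `$passwd` to the table directly, otherwise accounts created from the admin panel are stored in plaintext. A comment at the call site would spare the next reader that check: `// $passwd is plaintext here; USER_createAccount is responsible for hashing it`. The enclosing save function starts before this hunk.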
@@ -621,7 +611,10 @@
}
$curphoto = addslashes ($curphoto);
- DB_query("UPDATE {$_TABLES['users']} SET username = '$username', fullname = '$fullname', passwd = '$passwd', email = '$email', homepage = '$homepage', photo = '$curphoto', status='$userstatus' WHERE uid = $uid");
+ DB_query("UPDATE {$_TABLES['users']} SET username = '$username', fullname = '$fullname', email = '$email', homepage = '$homepage', photo = '$curphoto', status='$userstatus' WHERE uid = $uid");
+ if (!empty($passwd)) {
+ SEC_updateUserPassword($passwd, $uid);
+ }
if ($_CONF['custom_registration'] AND (function_exists('CUSTOM_userSave'))) {
CUSTOM_userSave($uid);
}
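Review bot: An administrator changing a user's password via `SEC_updateUserPassword($passwd, $uid)` leaves that user's existing sessions valid, whereas the reset path in public_html/users.php follows the same call with `DB_delete($_TABLES['sessions'], 'uid', $uid)`; when the admin reset is a response to a compromised account, the attacker's session survives it. Add `DB_delete($_TABLES['sessions'], 'uid', $uid);` inside the `if (!empty($passwd))` block. The return value of `SEC_updateUserPassword` is also discarded, so a failed hash or write is reported as a successful save; if it returns a status, check it. The enclosing save function starts before this hunk.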
diff -r aded9302eef5 -r 99f332cec84c public_html/docs/english/config.html
--- a/public_html/docs/english/config.html Tue Jan 17 09:14:25 2012 -0500
+++ b/public_html/docs/english/config.html Wed Feb 08 20:36:25 2012 -0700
@@ -916,6 +916,25 @@
<td valign="top">How many seconds have to pass before another login attempt
can be made after <code>$_CONF['login_attempts']</code> (see above) login
attempts have failed.</td></tr>
+<tr>
+ <td valign="top"><a name="desc_pass_alg">pass_alg</a></td>
+ <td valign="top">sha1</td>
+ <td valign="top">Hash algorithm used to generate password hashes. Options
+ include
+ <a href="http://en.wikipedia.org/wiki/Md5">md5</a>,
+ <a href="http://en.wikipedia.org/wiki/SHA-1">sha1</a>,
+ <a href="http://en.wikipedia.org/wiki/SHA-2">sha256</a>,
+ <a href="http://en.wikipedia.org/wiki/SHA-2">sha512</a>, and
+ <a href="http://en.wikipedia.org/wiki/Blowfish_(cipher)">blowfish</a>.
+ sha1 is recommended for maximum portability between PHP versions, blowfish
+ is considered the most secure</td></tr>
+<tr>
+ <td valign="top"><a name="desc_pass_stretch">pass_stretch</a></td>
+ <td valign="top">4096</td>
+ <td valign="top">The number of iterations of the hash algorithm that should
+ be applied to the password. Must be greater than 0. See the
+ <a href="http://en.wikipedia.org/wiki/Key_stretching">wikipedia article</a>
+ for more information.</td></tr>
</table>
<h3><a name="users_usersub">Users and Submissions: User Submission</a></h3>
diff -r aded9302eef5 -r 99f332cec84c public_html/users.php
--- a/public_html/users.php Tue Jan 17 09:14:25 2012 -0500
+++ b/public_html/users.php Wed Feb 08 20:36:25 2012 -0700
@@ -738,9 +738,8 @@
$valid = DB_count ($_TABLES['users'], array ('uid', 'pwrequestid'),
array ($uid, $reqid));
if ($valid == 1) {
- $passwd = SEC_encryptPassword($_POST['passwd']);
- DB_change ($_TABLES['users'], 'passwd', "$passwd",
- "uid", $uid);
+ SEC_updateUserPassword($_POST['passwd'], $uid);
+
DB_delete ($_TABLES['sessions'], 'uid', $uid);
DB_change ($_TABLES['users'], 'pwrequestid', "NULL",
'uid', $uid);
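Review bot: `$_POST['passwd']` is handed to `SEC_updateUserPassword` unchecked, so an empty or absent field — the request is accepted as long as `pwrequestid` matches — stores the hash of the empty string as the account's new password; guard it with `if (empty($_POST['passwd'])) { return COM_refresh(...); }` (with an appropriate message id) before the update. The return value of `SEC_updateUserPassword` is ignored, so a failed update still clears `pwrequestid` and drops the sessions while the old password remains in force. Deleting the sessions here is the right call; the admin path in public_html/admin/user.php should do the same. The enclosing function starts before this hunk.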
diff -r aded9302eef5 -r 99f332cec84c public_html/usersettings.php
--- a/public_html/usersettings.php Tue Jan 17 09:14:25 2012 -0500
+++ b/public_html/usersettings.php Wed Feb 08 20:36:25 2012 -0700
@@ -61,7 +61,7 @@
'username' => 'username.thtml',
'password' => 'password.thtml',
'current_password' => 'current_password.thtml',
- 'resynch' => 'resynch.thtml',
+ 'resynch' => 'resynch.thtml',
'deleteaccount' => 'deleteaccount.thtml'));
include ($_CONF['path_system'] . 'classes/navbar.class.php');
@@ -312,12 +312,9 @@
return COM_refresh ($_CONF['site_url'] . '/index.php');
}
- // to change the password, email address, or cookie timeout,
- // we need the user's current password
- $current_password = DB_getItem($_TABLES['users'], 'passwd',
- "uid = {$_USER['uid']}");
+ // verify the password
if (empty($_POST['old_passwd']) ||
- (SEC_encryptPassword($_POST['old_passwd']) != $current_password)) {
+ (SEC_encryptUserPassword($_POST['old_passwd'], $_USER['uid']) < 0)) {
return COM_refresh($_CONF['site_url']
. '/usersettings.php?msg=84');
}
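Review bot: `SEC_encryptUserPassword($_POST['old_passwd'], $_USER['uid']) < 0` uses a function named like a hashing helper as a password verifier with a negative-return error convention, and the one-line comment `// verify the password` does not explain that; document the contract at the call site, e.g. `// SEC_encryptUserPassword() checks the supplied password against the user's stored hash and returns < 0 on mismatch or lookup failure`, and consider a `SEC_checkUserPassword()`-style name for the verifier. If that function signals a lookup failure with `false` rather than a negative integer, `false < 0` is false in PHP and the check passes; make sure the failure path is a negative int, or compare with `!== 0`. `empty($_POST['old_passwd'])` also rejects the literal password `0`, which predates this commit. The enclosing block starts before this hunk.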
@@ -923,12 +920,11 @@
// we need the user's current password