[geeklog-cvs] geeklog: Merged password update into head (feature request #0001...
geeklog-cvs at lists.geeklog.net
geeklog-cvs at lists.geeklog.net
Sun Feb 19 13:07:44 EST 2012
changeset 8494:0adb8d9f8853
url: http://project.geeklog.net/cgi-bin/hgwebdir.cgi/geeklog/rev/0adb8d9f8853
user: vinny
date: Sun Feb 19 11:07:34 2012 -0700
description:
Merged password update into head (feature request #0001384)
diffstat:
.hgignore | 1 +
language/english.php | 13 +-
language/english_utf-8.php | 13 +-
public_html/admin/configuration.php | 39 ++++
public_html/admin/configuration_validation.php | 9 +
public_html/admin/install/config-install.php | 5 +
public_html/admin/install/lib-upgrade.php | 1 +
public_html/admin/sectest.php | 25 +--
public_html/admin/user.php | 19 +-
public_html/docs/english/config.html | 19 ++
public_html/users.php | 5 +-
public_html/usersettings.php | 22 +-
sql/mssql_tableanddata.php | 5 +-
sql/mysql_tableanddata.php | 5 +-
sql/pgsql_tableanddata.php | 5 +-
sql/updates/mssql_1.7.2_to_1.8.0.php | 3 +-
sql/updates/mssql_1.8.1_to_1.9.0.php | 11 +
sql/updates/mysql_1.7.2_to_1.8.0.php | 3 +-
sql/updates/mysql_1.8.1_to_1.9.0.php | 11 +
sql/updates/pgsql_1.7.2_to_1.8.0.php | 3 +-
sql/updates/pgsql_1.8.1_to_1.9.0.php | 11 +
system/classes/oauthhelper.class.php | 5 +-
system/classes/openidhelper.class.php | 4 +-
system/lib-security.php | 219 +++++++++++++++++++++++-
system/lib-user.php | 34 +---
25 files changed, 382 insertions(+), 108 deletions(-)
diffs (truncated from 924 to 300 lines):
diff -r 4f10e306bb9b -r 0adb8d9f8853 .hgignore
--- a/.hgignore Sat Feb 11 21:13:07 2012 +0100
+++ b/.hgignore Sun Feb 19 11:07:34 2012 -0700
@@ -12,6 +12,7 @@
system/pear/Text
system/pear/XML
system/pear/scripts
+system/pear/LICENSE
db-config.php
public_html/siteconfig.php
diff -r 4f10e306bb9b -r 0adb8d9f8853 language/english.php
--- a/language/english.php Sat Feb 11 21:13:07 2012 +0100
+++ b/language/english.php Sun Feb 19 11:07:34 2012 -0700
@@ -1587,7 +1587,7 @@
'remove_inst' => 'You should really remove the install directory %s once you have your site up and running without any errors.',
'remove_inst2' => 'Keeping it around would allow malicious users the ability to destroy your current install, take over your site, or retrieve sensitive information.',
'inst_removed' => 'Good! You seem to have removed the install directory already.',
- 'fix_password' => 'You still have not changed the <strong>default password</strong> from "password" on %s Root user account(s).',
+ 'fix_password' => 'You still have not changed the <strong>default password</strong> from "password" on the default Admin user account.',
'password_okay' => 'Good! You seem to have changed the default account password already.'
);
@@ -1963,6 +1963,8 @@
'passwordspeedlimit' => "Password Speed Limit",
'login_attempts' => "Max. Login Attempts",
'login_speedlimit' => "Login Speed Limit",
+ 'pass_alg' => 'Password Hash Algorithm',
+ 'pass_stretch' => 'Hash Stretch Count',
'user_html' => "User HTML",
'admin_html' => "Admin HTML",
'advanced_html' => 'Additional HTML for Adv. Editor',
@@ -2062,7 +2064,8 @@
'fs_perm_block' => 'Block Default Permission',
'fs_webservices' => 'Webservices',
'fs_autotag_permissions' => 'Autotag Usage Permissions',
- 'fs_breadcrumbs' => 'Breadcrumbs'
+ 'fs_breadcrumbs' => 'Breadcrumbs',
+ 'fs_pass' => 'Password Settings'
);
$LANG_tab['Core'] = array(
@@ -2144,7 +2147,8 @@
25 => array('New Stories' => 'story', 'New Comments' => 'comment', 'New Trackbacks' => 'trackback', 'New Pingbacks' => 'pingback', 'New Users' => 'user'),
26 => array('G (General Audiences)' => 'G', 'PG (Parental Guidance)' => 'PG', 'R (Restricted)' => 'R', 'X (Explicit)' => 'X'),
27 => array('Hits (asc)' => 'hits|asc', 'Hits (desc)' => 'hits|desc', 'Date (asc)' => 'date|asc', 'Date (desc)' => 'date|desc', 'Title (asc)' => 'title|asc', 'Title (desc)' => 'title|desc', 'Author (asc)' => 'uid|asc', 'Author (desc)' => 'uid|desc'),
- 28 => array('No access' => 0, 'Use' => 2)
+ 28 => array('No access' => 0, 'Use' => 2),
+ 29 => array('md5' => 0, 'sha1' => 1, 'sha256' => 2, 'sha512' => 3, 'blowfish' => 4)
);
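Review bot: The new option list `29 => array('md5' => 0, 'sha1' => 1, ...)` keeps md5 and sha1 selectable as password hash algorithms alongside the crypt()-backed sha256/sha512/blowfish choices, and nothing in the label tells an administrator which ones are safe to pick. Even with stretching, plain md5/sha1 digests are the weakest option on this list, so at minimum the labels should steer admins away from them, e.g. `'md5 (legacy, not recommended)' => 0, 'sha1 (legacy, not recommended)' => 1`. How each algorithm is actually applied lives in lib-security.php, which is not shown in this excerpt, so I cannot confirm whether the md5/sha1 paths are salted.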
################################################################################
@@ -2193,7 +2197,8 @@
'directory where the binaries from the Netpbm package are kept',
'language' => 'Language file does not exist',
'timezone' => 'Invalid timezone',
- 'single_char' => 'This field must be a single character'
+ 'single_char' => 'This field must be a single character',
+ 'hash' => 'This field must be a hash function supported by your version of PHP'
);
?>
diff -r 4f10e306bb9b -r 0adb8d9f8853 language/english_utf-8.php
--- a/language/english_utf-8.php Sat Feb 11 21:13:07 2012 +0100
+++ b/language/english_utf-8.php Sun Feb 19 11:07:34 2012 -0700
@@ -1587,7 +1587,7 @@
'remove_inst' => 'You should really remove the install directory %s once you have your site up and running without any errors.',
'remove_inst2' => 'Keeping it around would allow malicious users the ability to destroy your current install, take over your site, or retrieve sensitive information.',
'inst_removed' => 'Good! You seem to have removed the install directory already.',
- 'fix_password' => 'You still have not changed the <strong>default password</strong> from "password" on %s Root user account(s).',
+ 'fix_password' => 'You still have not changed the <strong>default password</strong> from "password" on the default Admin user account.',
'password_okay' => 'Good! You seem to have changed the default account password already.'
);
@@ -1963,6 +1963,8 @@
'passwordspeedlimit' => "Password Speed Limit",
'login_attempts' => "Max. Login Attempts",
'login_speedlimit' => "Login Speed Limit",
+ 'pass_alg' => 'Password Hash Algorithm',
+ 'pass_stretch' => 'Hash Stretch Count',
'user_html' => "User HTML",
'admin_html' => "Admin HTML",
'advanced_html' => 'Additional HTML for Adv. Editor',
@@ -2062,7 +2064,8 @@
'fs_perm_block' => 'Block Default Permission',
'fs_webservices' => 'Webservices',
'fs_autotag_permissions' => 'Autotag Usage Permissions',
- 'fs_breadcrumbs' => 'Breadcrumbs'
+ 'fs_breadcrumbs' => 'Breadcrumbs',
+ 'fs_pass' => 'Password Settings'
);
$LANG_tab['Core'] = array(
@@ -2144,7 +2147,8 @@
25 => array('New Stories' => 'story', 'New Comments' => 'comment', 'New Trackbacks' => 'trackback', 'New Pingbacks' => 'pingback', 'New Users' => 'user'),
26 => array('G (General Audiences)' => 'G', 'PG (Parental Guidance)' => 'PG', 'R (Restricted)' => 'R', 'X (Explicit)' => 'X'),
27 => array('Hits (asc)' => 'hits|asc', 'Hits (desc)' => 'hits|desc', 'Date (asc)' => 'date|asc', 'Date (desc)' => 'date|desc', 'Title (asc)' => 'title|asc', 'Title (desc)' => 'title|desc', 'Author (asc)' => 'uid|asc', 'Author (desc)' => 'uid|desc'),
- 28 => array('No access' => 0, 'Use' => 2)
+ 28 => array('No access' => 0, 'Use' => 2),
+ 29 => array('md5' => 0, 'sha1' => 1, 'sha256' => 2, 'sha512' => 3, 'blowfish' => 4)
);
################################################################################
@@ -2193,7 +2197,8 @@
'directory where the binaries from the Netpbm package are kept',
'language' => 'Language file does not exist',
'timezone' => 'Invalid timezone',
- 'single_char' => 'This field must be a single character'
+ 'single_char' => 'This field must be a single character',
+ 'hash' => 'This field must be a hash function supported by your version of PHP'
);
?>
diff -r 4f10e306bb9b -r 0adb8d9f8853 public_html/admin/configuration.php
--- a/public_html/admin/configuration.php Sat Feb 11 21:13:07 2012 +0100
+++ b/public_html/admin/configuration.php Sun Feb 19 11:07:34 2012 -0700
@@ -435,6 +435,45 @@
return $ret;
}
+/**
+ * Custom validation rule for hash function
+ *
+ * @param string $rule String of rule name
+ * @param array $ruleParams Parameter of validation
+ * @return boolean Success
+ *
+ */
+function custom_validation_hash_function($rule, $ruleParams) {
+ $ret = false;
+
+ switch ($ruleParams[0]['pass_alg']) {
+ case HashFunction::md5:
+ if (function_exists('md5')) $ret = true;
+ break;
+
+ case HashFunction::sha1:
+ if (function_exists('sha1')) $ret = true;
+ break;
+
+ case HashFunction::sha256:
+ if (CRYPT_SHA256 == 1) $ret = true;
+ break;
+
+ case HashFunction::sha512:
+ if (CRYPT_SHA512 == 1) $ret = true;
+ break;
+
+ case HashFunction::blowfish:
+ if (CRYPT_BLOWFISH == 1) $ret = true;
+ break;
+
+ default:
+ $ret = false;
+ }
+
+ return $ret;
+}
+
// MAIN
$display = '';
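Review bot: `custom_validation_hash_function` reads `CRYPT_SHA256` and `CRYPT_SHA512` directly; those constants only exist from PHP 5.3.2, so on an older interpreter the `case HashFunction::sha256` and `sha512` branches raise an undefined-constant notice and compare the bare string against 1, which happens to yield false but is not an intentional check. Guard them: `if (defined('CRYPT_SHA256') && CRYPT_SHA256 == 1) $ret = true;` and likewise `if (defined('CRYPT_SHA512') && CRYPT_SHA512 == 1) $ret = true;`, which also matches the "supported by your version of PHP" message this rule is paired with. The `function_exists('md5')` and `function_exists('sha1')` checks are always true since both are core functions, so those two cases accept unconditionally; a short comment saying so would keep a later reader from assuming they gate anything. The trailing `default: $ret = false;` repeats the initialiser and can be dropped.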
diff -r 4f10e306bb9b -r 0adb8d9f8853 public_html/admin/configuration_validation.php
--- a/public_html/admin/configuration_validation.php Sat Feb 11 21:13:07 2012 +0100
+++ b/public_html/admin/configuration_validation.php Sun Feb 19 11:07:34 2012 -0700
@@ -305,6 +305,15 @@
$_CONF_VALIDATE['Core']['login_attempts'] = array('rule' => 'numeric');
$_CONF_VALIDATE['Core']['login_speedlimit'] = array('rule' => 'numeric');
+/* Subgroup User and Submissions, Tab Login Settings, Fieldset Password */
+$_CONF_VALIDATE['Core']['pass_alg'] = array(
+ 'rule' => 'hash_function',
+ 'message' => isset($LANG_VALIDATION['hash']) ?
+ $LANG_VALIDATION['hash'] : $LANG_VALIDATION['default']
+);
+$_CONF_VALIDATE['Core']['pass_stretch'] = array('rule' => array('comparison', '>', 0));
+
+
/* Subgroup Users and Submissions, Tab User Submission */
$_CONF_VALIDATE['Core']['usersubmission'] = array('rule' => 'boolean');
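Review bot: The rule added for `pass_stretch`, `array('comparison', '>', 0)`, only enforces a positive value, so a stretch count of 1 (effectively no stretching) or a non-integer string such as "1.5" passes validation while the installer default is 4096. If the validation framework lets rules be combined, this field should also carry the `numeric` rule used for `login_attempts` above and a sensible floor, e.g. `array('rule' => array('comparison', '>=', 1000))`; if `pass_stretch` also feeds the blowfish cost parameter (I cannot see lib-security.php here), an upper bound is needed as well, since crypt() rejects out-of-range costs. A comment on this line noting what the count means for each algorithm would help whoever tunes it.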
diff -r 4f10e306bb9b -r 0adb8d9f8853 public_html/admin/install/config-install.php
--- a/public_html/admin/install/config-install.php Sat Feb 11 21:13:07 2012 +0100
+++ b/public_html/admin/install/config-install.php Sun Feb 19 11:07:34 2012 -0700
@@ -246,6 +246,11 @@
$c->add('login_attempts',3,'text',4,18,NULL,1690,TRUE, $me, 18);
$c->add('login_speedlimit',300,'text',4,18,NULL,1700,TRUE, $me, 18);
+ // password options
+ $c->add('fs_pass', NULL, 'fieldset', 4, 42, NULL, 0, TRUE, $me, 18);
+ $c->add('pass_alg', 1, 'select', 4, 42, 29, 800, TRUE, $me, 18);
+ $c->add('pass_stretch', 4096, 'text', 4, 42, NULL, 810, TRUE, $me, 18);
+
$c->add('tab_user_submission', NULL, 'tab', 4, 19, NULL, 0, TRUE, $me, 19);
$c->add('fs_user_submission', NULL, 'fieldset', 4, 19, NULL, 0, TRUE, $me, 19);
$c->add('usersubmission',0,'select',4,19,0,780,TRUE, $me, 19);
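Review bot: The default on the `pass_alg` line is 1, which per the option list this commit adds in language/english.php maps to sha1, even though blowfish (4) is offered and is the choice validated via CRYPT_BLOWFISH in configuration.php. New installs therefore start on the weaker algorithm unless the admin finds and changes this setting; defaulting to blowfish where the interpreter supports it, e.g. `$c->add('pass_alg', (defined('CRYPT_BLOWFISH') && CRYPT_BLOWFISH == 1) ? 4 : 1, 'select', 4, 42, 29, 800, TRUE, $me, 18);`, keeps the sha1 fallback for hosts without it. The same default presumably appears in the 1.8.1-to-1.9.0 SQL update files listed in the diffstat, which are not shown here, so they would need the same consideration.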
diff -r 4f10e306bb9b -r 0adb8d9f8853 public_html/admin/install/lib-upgrade.php
--- a/public_html/admin/install/lib-upgrade.php Sat Feb 11 21:13:07 2012 +0100
+++ b/public_html/admin/install/lib-upgrade.php Sun Feb 19 11:07:34 2012 -0700
@@ -480,6 +480,7 @@
case '1.8.0':
// there were no database changes in 1.8.0
+
case '1.8.1':
require_once $_CONF['path'] . 'sql/updates/' . $_DB_dbms . '_1.8.1_to_1.9.0.php';
INST_updateDB($_SQL);
diff -r 4f10e306bb9b -r 0adb8d9f8853 public_html/admin/sectest.php
--- a/public_html/admin/sectest.php Sat Feb 11 21:13:07 2012 +0100
+++ b/public_html/admin/sectest.php Sun Feb 19 11:07:34 2012 -0700
@@ -250,10 +250,7 @@
}
/**
-* Check for accounts that still use the default password
-*
-* NOTE: If one of our users is also using "password" as their password, this
-* test will also detect that, as it checks all accounts.
+* Check if the Admin account is still using the default password
*
* @return string text explaining the result of the test
*
@@ -264,24 +261,8 @@
$retval = '';
- // check to see if any account still has 'password' as its password.
- $pwdRoot = 0;
- $pwdUser = 0;
- $result = DB_query("SELECT uid FROM {$_TABLES['users']} WHERE passwd='" . SEC_encryptPassword('password') . "'");
- $numPwd = DB_numRows($result);
- if ($numPwd > 0) {
- for ($i = 0; $i < $numPwd; $i++) {
- list($uid) = DB_fetchArray($result);
- if (SEC_inGroup('Root', $uid)) {
- $pwdRoot++;
- } else {
- $pwdUser++;
- }
- }
- }
- if ($pwdRoot > 0) {
- $retval .= '<li>' . sprintf($LANG_SECTEST['fix_password'], $pwdRoot)
- . '</li>';
+ if (SEC_encryptUserPassword('password', 2) == 0) {
+ $retval .= '<li>' . $LANG_SECTEST['fix_password'] . '</li>';
$failed_tests++;
} else {
$retval .= '<li>' . $LANG_SECTEST['password_okay'] . '</li>';
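Review bot: The new check `SEC_encryptUserPassword('password', 2) == 0` uses a loose comparison, so if that helper signals a failed lookup with `false` or `null` (lib-security.php is not in this excerpt, so I cannot confirm its return contract), `false == 0` is true in PHP and the test would wrongly report the default password as still set; `=== 0` pins the intended integer result. The loop this replaces walked every account in the Root group, whereas the new test covers only the hard-coded uid 2, so a second Root user still on "password" is no longer reported — the new language strings show the narrowing is deliberate, but the function comment should say the check is limited to uid 2 and why. The enclosing function's signature is above this hunk.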
diff -r 4f10e306bb9b -r 0adb8d9f8853 public_html/admin/user.php
--- a/public_html/admin/user.php Sat Feb 11 21:13:07 2012 +0100
+++ b/public_html/admin/user.php Sun Feb 19 11:07:34 2012 -0700
@@ -14,6 +14,7 @@
// | Mark Limburg - mlimburg AT users DOT sourceforge DOT net |
// | Jason Whittenburg - jwhitten AT securitygeeks DOT com |
// | Dirk Haun - dirk AT haun-online DOT de |
+// | Vincent Furia - vmf AT abtech DOT org |
// +---------------------------------------------------------------------------+
// | |
// | This program is free software; you can redistribute it and/or |
@@ -571,21 +572,10 @@
}
}
- if (empty ($uid) || !empty ($passwd)) {
- $passwd = SEC_encryptPassword($passwd);
- } else {
- if (empty($service)) {
- $passwd = DB_getItem($_TABLES['users'], 'passwd', "uid = $uid");
- }
- }
-
if (empty ($uid)) {
if (empty ($passwd)) {
// no password? create one ...
- $passwd = rand ();
- $passwd = md5 ($passwd);
- $passwd = substr ($passwd, 1, 8);
- $passwd = SEC_encryptPassword($passwd);
+ $passwd = SEC_generateRandomPassword();
}
$uid = USER_createAccount ($username, $email, $passwd, $fullname,
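Review bot: The removed `$passwd = SEC_encryptPassword($passwd);` block was the only hashing step before `USER_createAccount($username, $email, $passwd, ...)`, so a supplied plaintext or the fresh `SEC_generateRandomPassword()` value now reaches USER_createAccount unhashed. lib-user.php is in the diffstat but not shown, so confirm it now hashes through SEC_updateUserPassword, and that no other caller of USER_createAccount still passes a pre-hashed value, which would now be hashed twice and lock that account out. A one-line comment here, `// USER_createAccount hashes the plaintext password`, would record the new contract for the next reader. The USER_createAccount call continues past the end of this hunk.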
@@ -621,7 +611,10 @@
}
$curphoto = addslashes ($curphoto);
- DB_query("UPDATE {$_TABLES['users']} SET username = '$username', fullname = '$fullname', passwd = '$passwd', email = '$email', homepage = '$homepage', photo = '$curphoto', status='$userstatus' WHERE uid = $uid");
+ DB_query("UPDATE {$_TABLES['users']} SET username = '$username', fullname = '$fullname', email = '$email', homepage = '$homepage', photo = '$curphoto', status='$userstatus' WHERE uid = $uid");
+ if (!empty($passwd)) {
+ SEC_updateUserPassword($passwd, $uid);
+ }
if ($_CONF['custom_registration'] AND (function_exists('CUSTOM_userSave'))) {
CUSTOM_userSave($uid);
}
diff -r 4f10e306bb9b -r 0adb8d9f8853 public_html/docs/english/config.html
--- a/public_html/docs/english/config.html Sat Feb 11 21:13:07 2012 +0100
+++ b/public_html/docs/english/config.html Sun Feb 19 11:07:34 2012 -0700
@@ -923,6 +923,25 @@
<td valign="top">How many seconds have to pass before another login attempt