  1. diff --git a/include/common.php b/include/common.php
  2. index 1661f58..3af340a 100644
  3. --- a/include/common.php
  4. +++ b/include/common.php
  5. @@ -45,6 +45,16 @@ if (!defined('PUN'))
  6. exit;
  7. }
  8.  
  9. +// If the password config is missing, here are some default values
  10. +if (!isset($password_hash_options) || empty($password_hash_options))
  11. +{
  12. + $password_hash_options =
  13. + [
  14. + 'algorithm' => PASSWORD_DEFAULT,
  15. + 'cost' => 12
  16. + ];
  17. +}
  18. +
  19.  
  20. // Load the functions script
  21. require PUN_ROOT.'include/functions.php';
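Review bot: `!isset($password_hash_options) || empty($password_hash_options)` is redundant — `empty()` already yields true for an undefined variable, so `if (empty($password_hash_options))` expresses the same guard. A comment on the array would also help readers of the config: the `algorithm` key is consumed by hash_password() while the whole array is handed to password_hash() as its options, so `cost` only takes effect for bcrypt, e.g. `// 'algorithm' is read by hash_password(); the other keys are password_hash() options ('cost' applies to bcrypt only)`.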
  22. diff --git a/include/functions.php b/include/functions.php
  23. index a014699..bfbc00a 100644
  24. --- a/include/functions.php
  25. +++ b/include/functions.php
  26. @@ -27,7 +27,7 @@ function check_cookie(&$pun_user)
  27. $now = time();
  28.  
  29. // If the cookie is set and it matches the correct pattern, then read the values from it
  30. - if (isset($_COOKIE[$cookie_name]) && preg_match('%^(\d+)\|([0-9a-fA-F]+)\|(\d+)\|([0-9a-fA-F]+)$%', $_COOKIE[$cookie_name], $matches))
  31. + if (isset($_COOKIE[$cookie_name]) && preg_match('%^(\d+)\|([^|]+)\|(\d+)\|([0-9a-fA-F]+)$%', $_COOKIE[$cookie_name], $matches))
  32. {
  33. $cookie = array(
  34. 'user_id' => intval($matches[1]),
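Review bot: The widened class `[^|]+` for the cookie's password-hash field accepts any byte except `|`, which is far looser than any hash this patch produces; if the configured algorithm stays bcrypt, `%^(\d+)\|([./A-Za-z0-9$]+)\|(\d+)\|([0-9a-fA-F]+)$%` keeps the original's strictness (argon2 output would additionally need `=`, `,` and `+`). If pun_setcookie, which is outside the diff, stores an HMAC of the hash rather than the hash itself, the field remains hex and the original pattern needed no change at all — worth confirming before relaxing it. check_cookie continues past the end of the hunk.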
  35. @@ -163,8 +163,11 @@ function authenticate_user($user, $password, $password_is_hash = false)
  36. $result = $db->query('SELECT u.*, g.*, o.logged, o.idle FROM '.$db->prefix.'users AS u INNER JOIN '.$db->prefix.'groups AS g ON g.g_id=u.group_id LEFT JOIN '.$db->prefix.'online AS o ON o.user_id=u.id WHERE '.(is_int($user) ? 'u.i
  37. $pun_user = $db->fetch_assoc($result);
  38.  
  39. - $is_password_authorized = pun_hash_equals($password, $pun_user['password']);
  40. - $is_hash_authorized = pun_hash_equals(pun_hash($password), $pun_user['password']);
  41. + $is_password_authorized = check_password($password, $pun_user);
  42. +
  43. + // The PHP password hash functions (i.e. bcrypt) donesn't support hash comparison directly.
  44. + // Not a real problem—in the source code, $password_is_hash is always false.
  45. + $is_hash_authorized = false; //pun_hash_equals(pun_hash($password), $pun_user['password']);
  46.  
  47. if (!isset($pun_user['id']) ||
  48. ($password_is_hash && !$is_password_authorized ||
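Review bot: The plaintext check appears to be assigned to the wrong flag: in the removed lines `$is_hash_authorized` covered the plaintext case (`pun_hash($password)` against the stored hash) and `$is_password_authorized` the `$password_is_hash` case, but the new code puts `check_password()` into `$is_password_authorized` and hardcodes `$is_hash_authorized = false`. If the condition continuing past the hunk still tests `!$password_is_hash && !$is_hash_authorized`, every plaintext call — which the new comment says is the only kind that exists — lands in the failure branch. Swapping the two assignments, `$is_hash_authorized = check_password($password, $pun_user);` and `$is_password_authorized = false;`, matches the original meaning of the flags. Minor: the comment typo `donesn't` should read `doesn't`.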
  49. @@ -1209,6 +1212,91 @@ function check_csrf($token)
  50. }
  51.  
  52.  
  53. +
  54. +//
  55. +// Hashes a password.
  56. +// Never use pun_hash to hash passwords. Like, never.
  57. +//
  58. +function hash_password($plaintext_password)
  59. +{
  60. + global $password_hash_options;
  61. + return password_hash($plaintext_password, $password_hash_options['algorithm'], $password_hash_options);
  62. +}
  63. +
  64. +//
  65. +// Checks if the given password is correct for an user.
  66. +// This will also upgrade the password if needed on the fly, and update the hash in $user.
  67. +//
  68. +function check_password($plaintext_password, &$user)
  69. +{
  70. + if (empty($user['password'])) return false;
  71. +
  72. + global $password_hash_options;
  73. +
  74. + $authorized = false;
  75. + $need_rehash = false;
  76. +
  77. + // If there is a salt in the database we have upgraded from 1.3-legacy though haven't yet logged in
  78. + if (!empty($user['salt']))
  79. + {
  80. + if (pun_hash_equals(sha1($user['salt'].sha1($plaintext_password)), $user['password'])) // 1.3 used sha1(salt.sha1(pass))
  81. + {
  82. + $authorized = true;
  83. + $need_rehash = true;
  84. + }
  85. + }
  86. +
  87. + // It must be md5 from 1.2
  88. + else if (strlen($user['password']) == 32)
  89. + {
  90. + if (pun_hash_equals(md5($plaintext_password), $user['password']))
  91. + {
  92. + $authorized = true;
  93. + $need_rehash = true;
  94. + }
  95. + }
  96. +
  97. + // This must be SHA1 from the 1.4+ version
  98. + else if (strlen($user['password']) == 40)
  99. + {
  100. + if (pun_hash_equals($user['password'], pun_hash($plaintext_password)))
  101. + {
  102. + $authorized = true;
  103. + $need_rehash = true;
  104. + }
  105. + }
  106. +
  107. + // This is a good password hashed using password_hash from PHP 5.5+.
  108. + else
  109. + {
  110. + $authorized = password_verify($plaintext_password, $user['password']);
  111. + $need_rehash = password_needs_rehash($user['password'], $password_hash_options['algorithm'], $password_hash_options);
  112. + }
  113. +
  114. + // If the password should be re-hashed (and it was the good one, of course), we save a new one.
  115. + if ($authorized && $need_rehash)
  116. + {
  117. + update_password($plaintext_password, $user);
  118. + }
  119. +
  120. + return $authorized;
  121. +}
  122. +
  123. +//
  124. +// Updates the password of the given user.
  125. +// Updates the hash in $user too.
  126. +//
  127. +function update_password($plaintext_password, &$user)
  128. +{
  129. + $password_hash = hash_password($plaintext_password);
  130. +
  131. + global $db;
  132. + $db->query('UPDATE '.$db->prefix.'users SET password=\''.$db->escape($password_hash).'\''.((isset($user['salt']) && !empty($user['salt'])) ? ', salt=NULL' : '') . ' WHERE id='.$user['id']) or error('Unable to update user password'
  133. +
  134. + $user['password'] = $password_hash;
  135. +}
  136. +
  137. +
  138. //
  139. // Try to determine the correct remote IP-address
  140. //
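Review bot: update_password() writes a password_hash() result into `users.password`, but nothing in this diff changes the schema for that column (nor for `activate_string`, written by the login.php forget hunk, nor the register.php INSERT); if those columns are still sized for 40-character SHA-1 strings, a 60-character bcrypt hash is truncated or rejected and password_verify() can never succeed — confirm the install/upgrade schema is widened alongside. Separately, password_hash() returns `false` on failure before PHP 8.0, and hash_password() passes that straight into `$db->escape()`, which would silently persist an empty password instead of failing loudly; a guard such as `if ($password_hash === false) error('Unable to hash password', __FILE__, __LINE__);` belongs in update_password() before the query. The legacy branches in check_password() are otherwise sound: each uses pun_hash_equals() and sets `$need_rehash` so the old md5/sha1 value is replaced on first successful login.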
  141. diff --git a/lang/French/mail_templates/activate_password.tpl b/lang/French/mail_templates/activate_password.tpl
  142. index 9a94c90..fc09206 100644
  143. --- a/lang/French/mail_templates/activate_password.tpl
  144. +++ b/lang/French/mail_templates/activate_password.tpl
  145. @@ -2,7 +2,7 @@ Subject: Demande de nouveau mot de passe
  146.  
  147. Bonjour <username>,
  148.  
  149. -Vous avez demandé un nouveau mot de passe associé à votre compte sur les forums de <base_url>. Si vous n'en avez pas fait la demande ou ne souhaitez finalement pas le modifier, veuillez ignorer ce message. Il ne sera changé que si vous v
  150. +Vous avez demandé un nouveau mot de passe associé à votre compte sur les forums de <base_url>. Si vous n'en avez pas fait la demande ou ne souhaitez finalement pas le modifier, veuillez ignorer ce message. Il ne sera changé que si vous v
  151. =======================================================================
  152. Votre nouveau mot de passe est : <new_password>
  153. =======================================================================
  154. @@ -10,6 +10,8 @@ Votre nouveau mot de passe est : <new_password>
  155. Afin de modifier votre mot de passe, merci de vous rendre à la page suivante :
  156. <activation_url>
  157.  
  158. ---
  159. +Nous vous recommandons vivement de changer ce nouveau mot de passe (dans « Mon profil », « Changer de mot de passe ») et de supprimer ce courriel, pour des raisons de sécurité.
  160. +
  161. +--
  162. <board_mailer>
  163. -(Veuillez ne pas répondre à ce message. Merci !)
  164. \ No newline at end of file
  165. +(Veuillez ne pas répondre à ce message. Merci !)
  166. diff --git a/lang/French/mail_templates/welcome.tpl b/lang/French/mail_templates/welcome.tpl
  167. index ec67f0b..24377a3 100644
  168. --- a/lang/French/mail_templates/welcome.tpl
  169. +++ b/lang/French/mail_templates/welcome.tpl
  170. @@ -8,6 +8,8 @@ Mot de passe : <password>
  171.  
  172. Veuillez vous rendre à <login_url> pour activer votre compte.
  173.  
  174. ---
  175. +Nous vous recommandons vivement de changer le mot de passe qui a été généré (dans « Mon profil », « Changer de mot de passe ») par un mot de passe que vous seul(e) connaissez, et de supprimer ce courriel, pour des raisons de sécurité.
  176. +
  177. +--
  178. <board_mailer>
  179. -(Veuillez ne pas répondre à ce message. Merci !)
  180. \ No newline at end of file
  181. +(Veuillez ne pas répondre à ce message. Merci !)
  182. diff --git a/login.php b/login.php
  183. index 2d0aa80..c4d7c86 100644
  184. --- a/login.php
  185. +++ b/login.php
  186. @@ -32,38 +32,7 @@ if (isset($_POST['form_sent']) && $action == 'in')
  187. $result = $db->query('SELECT * FROM '.$db->prefix.'users WHERE '.$username_sql) or error('Unable to fetch user info', __FILE__, __LINE__, $db->error());
  188. $cur_user = $db->fetch_assoc($result);
  189.  
  190. - $authorized = false;
  191. -
  192. - if (!empty($cur_user['password']))
  193. - {
  194. - $form_password_hash = pun_hash($form_password); // Will result in a SHA-1 hash
  195. -
  196. - // If there is a salt in the database we have upgraded from 1.3-legacy though haven't yet logged in
  197. - if (!empty($cur_user['salt']))
  198. - {
  199. - $is_salt_authorized = pun_hash_equals(sha1($cur_user['salt'].sha1($form_password)), $cur_user['password']);
  200. - if ($is_salt_authorized) // 1.3 used sha1(salt.sha1(pass))
  201. - {
  202. - $authorized = true;
  203. -
  204. - $db->query('UPDATE '.$db->prefix.'users SET password=\''.$form_password_hash.'\', salt=NULL WHERE id='.$cur_user['id']) or error('Unable to update user password', __FILE__, __LINE__, $db->error());
  205. - }
  206. - }
  207. - // If the length isn't 40 then the password isn't using sha1, so it must be md5 from 1.2
  208. - else if (strlen($cur_user['password']) != 40)
  209. - {
  210. - $is_md5_authorized = pun_hash_equals(md5($form_password), $cur_user['password']);
  211. - if ($is_md5_authorized)
  212. - {
  213. - $authorized = true;
  214. -
  215. - $db->query('UPDATE '.$db->prefix.'users SET password=\''.$form_password_hash.'\' WHERE id='.$cur_user['id']) or error('Unable to update user password', __FILE__, __LINE__, $db->error());
  216. - }
  217. - }
  218. - // Otherwise we should have a normal sha1 password
  219. - else
  220. - $authorized = pun_hash_equals($cur_user['password'], $form_password_hash);
  221. - }
  222. + $authorized = check_password($form_password, $cur_user);
  223.  
  224. if (!$authorized)
  225. $errors[] = $lang_login['Wrong user/pass'];
  226. @@ -89,7 +58,7 @@ if (isset($_POST['form_sent']) && $action == 'in')
  227. $db->query('DELETE FROM '.$db->prefix.'online WHERE ident=\''.$db->escape(get_remote_address()).'\'') or error('Unable to delete from online list', __FILE__, __LINE__, $db->error());
  228.  
  229. $expire = ($save_pass == '1') ? time() + 1209600 : time() + $pun_config['o_timeout_visit'];
  230. - pun_setcookie($cur_user['id'], $form_password_hash, $expire);
  231. + pun_setcookie($cur_user['id'], $cur_user['password'], $expire);
  232.  
  233. // Reset tracked topics
  234. set_tracked_topics(null);
  235. @@ -175,7 +144,7 @@ else if ($action == 'forget' || $action == 'forget_2')
  236. $new_password = random_pass(12);
  237. $new_password_key = random_pass(8);
  238.  
  239. - $db->query('UPDATE '.$db->prefix.'users SET activate_string=\''.pun_hash($new_password).'\', activate_key=\''.$new_password_key.'\', last_email_sent = '.time().' WHERE id='.$cur_hit['id']) or error(
  240. + $db->query('UPDATE '.$db->prefix.'users SET activate_string=\''.hash_password($new_password).'\', activate_key=\''.$new_password_key.'\', last_email_sent = '.time().' WHERE id='.$cur_hit['id']) or e
  241.  
  242. // Do the user specific replacements to the template
  243. $cur_mail_message = str_replace('<username>', $cur_hit['username'], $mail_message);
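Review bot: `activate_string=\''.hash_password($new_password).'\''` interpolates the hash into the query unescaped, whereas update_password() wraps the same value in `$db->escape()`; bcrypt output contains no quote characters today, but the algorithm is chosen by `$password_hash_options`, so the call should read `$db->escape(hash_password($new_password))` for consistency and safety. The same false-on-failure caveat as in update_password() applies here, since a failed hash would store an empty activate_string. The enclosing forget/forget_2 branch begins before the hunk.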
  244. diff --git a/profile.php b/profile.php
  245. index ee0e3c8..c3df5df 100644
  246. --- a/profile.php
  247. +++ b/profile.php
  248. @@ -96,25 +96,15 @@ if ($action == 'change_pass')
  249. $result = $db->query('SELECT * FROM '.$db->prefix.'users WHERE id='.$id) or error('Unable to fetch password', __FILE__, __LINE__, $db->error());
  250. $cur_user = $db->fetch_assoc($result);
  251.  
  252. - $authorized = false;
  253. -
  254. - if (!empty($cur_user['password']))
  255. - {
  256. - $old_password_hash = pun_hash($old_password);
  257. -
  258. - if ($cur_user['password'] == $old_password_hash || $pun_user['is_admmod'])
  259. - $authorized = true;
  260. - }
  261. + $authorized = $pun_user['is_admmod'] || check_password($old_password, $cur_user);
  262.  
  263. if (!$authorized)
  264. message($lang_profile['Wrong pass']);
  265.  
  266. - $new_password_hash = pun_hash($new_password1);
  267. -
  268. - $db->query('UPDATE '.$db->prefix.'users SET password=\''.$new_password_hash.'\''.(!empty($cur_user['salt']) ? ', salt=NULL' : '').' WHERE id='.$id) or error('Unable to update password', __FILE__, __LINE__, $db->error());
  269. + update_password($new_password1, $cur_user);
  270.  
  271. if ($pun_user['id'] == $id)
  272. - pun_setcookie($pun_user['id'], $new_password_hash, time() + $pun_config['o_timeout_visit']);
  273. + pun_setcookie($pun_user['id'], $cur_user['password'], time() + $pun_config['o_timeout_visit']);
  274.  
  275. redirect('profile.php?section=essentials&id='.$id, $lang_profile['Pass updated redirect']);
  276. }
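Review bot: The `pun_setcookie($pun_user['id'], $cur_user['password'], ...)` call relies on update_password() having replaced `$cur_user['password']` through its by-reference parameter, which is invisible at this call site; a one-line comment such as `// update_password() refreshed $cur_user['password'] with the new hash` would save the next reader a trip into functions.php. Note that the `||` short-circuit means an admin/moderator never runs check_password() here, so no legacy-hash rehash of `$cur_user` happens on that path — harmless, since update_password() writes a fresh hash regardless. The change_pass block starts before the hunk.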
  277. @@ -193,7 +183,7 @@ else if ($action == 'change_email')
  278. }
  279. else if (isset($_POST['form_sent']))
  280. {
  281. - if (pun_hash($_POST['req_password']) !== $pun_user['password'])
  282. + if (!check_password($_POST['req_password'], $pun_user))
  283. message($lang_profile['Wrong pass']);
  284.  
  285. // Make sure they got here from the site
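Review bot: Passing the global `$pun_user` into check_password() means a legacy hash gets rehashed and written to the database as a side effect of the email-change form, without the cookie being re-issued the way login.php and the change_pass branch do after their checks. Since the login cookie is derived from the stored hash (see the pun_setcookie calls in login.php and profile.php), if check_cookie validates against the stored value the current session would presumably be invalidated on the next request after such a rehash — worth confirming, and either calling pun_setcookie here on success or documenting why the rehash is acceptable on this path. The enclosing change_email branch continues outside the hunk.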
  286. diff --git a/register.php b/register.php
  287. index f7a0bbc..e433d73 100644
  288. --- a/register.php
  289. +++ b/register.php
  290. @@ -176,10 +176,11 @@ if (isset($_POST['form_sent']))
  291. $now = time();
  292.  
  293. $intial_group_id = ($pun_config['o_regs_verify'] == '0') ? $pun_config['o_default_user_group'] : PUN_UNVERIFIED;
  294. - $password_hash = pun_hash($password1);
  295. + $password_hash = hash_password($password1);
  296.  
  297. // Add the user
  298. $db->query('INSERT INTO '.$db->prefix.'users (username, group_id, password, email, email_setting, timezone, dst, language, style, registered, registration_ip, last_visit) VALUES(\''.$db->escape($username).'\', '.$intial_gr
  299. + //'
  300. $new_uid = $db->insert_id();
  301.  
  302. if ($pun_config['o_regs_verify'] == '0')
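Review bot: The added `//'` line after the INSERT is an editor artefact (it balances a quote for syntax highlighting) with no effect on the program and should be removed rather than committed. The INSERT's value list is cut off in this view, so whether `$password_hash` is passed through `$db->escape()` as update_password() does cannot be confirmed here; it should be, since the hash format now depends on `$password_hash_options`.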