Commit a7a861b2 authored by Frank Karlitschek's avatar Frank Karlitschek

backport the password salting fix.

A salt is generated during setup and used to salt the user password hashes in the database backend.
parent 8c7fa15a
...@@ -29,6 +29,7 @@ $CONFIG = array( ...@@ -29,6 +29,7 @@ $CONFIG = array(
"log_type" => "", "log_type" => "",
"logfile" => "", "logfile" => "",
"loglevel" => "", "loglevel" => "",
"passwordsalt" => "",
// "datadirectory" => "" // "datadirectory" => ""
); );
?> ?>
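Review bot: The new `passwordsalt` entry on line 17 should carry a comment in the sample config saying that setup fills it in and that the value must be preserved across backups and reinstalls. The backend reads it with a `''` fallback, so a config.php restored without it does not error out — every login against hashes made with the old value simply fails. Suggest `"passwordsalt" => "", // generated once by setup; losing or changing it invalidates every stored password hash`.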
...@@ -73,6 +73,10 @@ class OC_Setup { ...@@ -73,6 +73,10 @@ class OC_Setup {
$dbtype='sqlite3'; $dbtype='sqlite3';
} }
//generate a random salt that is used to salt the local user passwords
$salt=mt_rand(1000,9000).mt_rand(1000,9000).mt_rand(1000,9000).mt_rand(1000,9000).mt_rand(1000,9000).mt_rand(1000,9000).mt_rand(1000,9000).mt_rand(1000,9000);
OC_Config::setValue('passwordsalt', $salt);
//write the config file //write the config file
OC_Config::setValue('datadirectory', $datadir); OC_Config::setValue('datadirectory', $datadir);
OC_Config::setValue('dbtype', $dbtype); OC_Config::setValue('dbtype', $dbtype);
......
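Review bot: `mt_rand()` on line 25 is not a cryptographic generator, so the salt has far less entropy than its 32 digits suggest — in the PHP versions this targets the auto-seeded Mersenne Twister state comes from a 32-bit seed, so an attacker holding one known password/hash pair can recover the whole salt in about 2^32 guesses. Because the value is generated once and stored in config.php its predictability matters less than for a nonce, but there is no reason not to draw it from the OS: `$salt = bin2hex(openssl_random_pseudo_bytes(16));` (or `bin2hex(random_bytes(16))` where PHP 7+ is available). The range `1000..9000` also discards part of each chunk's keyspace for no stated reason; with a hex string the byte length is the only parameter. The enclosing setup method continues outside the hunk.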
...@@ -69,7 +69,7 @@ class OC_User_Database extends OC_User_Backend { ...@@ -69,7 +69,7 @@ class OC_User_Database extends OC_User_Backend {
return false; return false;
}else{ }else{
$hasher=$this->getHasher(); $hasher=$this->getHasher();
$hash = $hasher->HashPassword($password); $hash = $hasher->HashPassword($password.OC_Config::getValue('passwordsalt', ''));
$query = OC_DB::prepare( "INSERT INTO `*PREFIX*users` ( `uid`, `password` ) VALUES( ?, ? )" ); $query = OC_DB::prepare( "INSERT INTO `*PREFIX*users` ( `uid`, `password` ) VALUES( ?, ? )" );
$result = $query->execute( array( $uid, $hash)); $result = $query->execute( array( $uid, $hash));
...@@ -102,7 +102,7 @@ class OC_User_Database extends OC_User_Backend { ...@@ -102,7 +102,7 @@ class OC_User_Database extends OC_User_Backend {
public function setPassword( $uid, $password ){ public function setPassword( $uid, $password ){
if( $this->userExists($uid) ){ if( $this->userExists($uid) ){
$hasher=$this->getHasher(); $hasher=$this->getHasher();
$hash = $hasher->HashPassword($password); $hash = $hasher->HashPassword($password.OC_Config::getValue('passwordsalt', ''));
$query = OC_DB::prepare( "UPDATE *PREFIX*users SET password = ? WHERE uid = ?" ); $query = OC_DB::prepare( "UPDATE *PREFIX*users SET password = ? WHERE uid = ?" );
$result = $query->execute( array( $hash, $uid )); $result = $query->execute( array( $hash, $uid ));
...@@ -131,7 +131,7 @@ class OC_User_Database extends OC_User_Backend { ...@@ -131,7 +131,7 @@ class OC_User_Database extends OC_User_Backend {
$storedHash=$row['password']; $storedHash=$row['password'];
if (substr($storedHash,0,1)=='$'){//the new phpass based hashing if (substr($storedHash,0,1)=='$'){//the new phpass based hashing
$hasher=$this->getHasher(); $hasher=$this->getHasher();
if($hasher->CheckPassword($password, $storedHash)){ if($hasher->CheckPassword($password.OC_Config::getValue('passwordsalt', ''), $storedHash)){
return $row['uid']; return $row['uid'];
}else{ }else{
return false; return false;
......
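Review bot: What lines 35, 42 and 49 append is a site-wide secret shared by every user — a pepper, not a salt — and if `getHasher()` returns phpass's PasswordHash, as the "phpass based hashing" comment on line 47 suggests, each stored hash already carries its own random per-user salt, so the config value only helps against an attacker who has the database but not config.php. That distinction and the `''` fallback both deserve a comment: the fallback keeps installs upgraded from before this commit (where setup never wrote `passwordsalt`) verifiable, but it also means a lost config value fails every login with no diagnostic. Appending rather than prepending also places the secret where a bcrypt-mode hasher truncates input (72 bytes), so for long passwords it contributes nothing; prepending avoids that, but the order cannot change once hashes exist, so decide before this ships. The same expression is repeated in three methods; factor it into one documented helper and call it from createUser, setPassword and checkPassword.
```php
/**
 * Prefix the password with the site-wide secret ('passwordsalt') before hashing.
 * This is a pepper: per-user salting is done by the hasher itself.
 * The '' fallback keeps hashes from installs that predate the setting verifiable.
 */
private function applyPepper($password) {
    return OC_Config::getValue('passwordsalt', '').$password;
}
// … unchanged: createUser / setPassword / checkPassword, now passing $this->applyPepper($password) to the hasher …
```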