Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update password hash to use php password_hash by default #7439

Merged
merged 1 commit into from
Jun 24, 2019
Merged

Update password hash to use php password_hash by default #7439

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
49 changes: 27 additions & 22 deletions modules/Users/User.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1153,49 +1153,54 @@ public function load_user($username_password, $password_encoded = false)
/**
* Generate a new hash from plaintext password
* @param string $password
* @return bool|string
*/
public static function getPasswordHash($password)
{
if (!defined('CRYPT_MD5') || !constant('CRYPT_MD5')) {
// does not support MD5 crypt - leave as is
if (defined('CRYPT_EXT_DES') && constant('CRYPT_EXT_DES')) {
return crypt(strtolower(md5($password)), "_.012" . substr(str_shuffle('./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789'), -4));
}
// plain crypt cuts password to 8 chars, which is not enough
// fall back to old md5
return strtolower(md5($password));
}
return self::getPasswordHashMD5(md5($password));
}

return @crypt(strtolower(md5($password)));
/**
* Generate a new hash from MD5 password
* @param string $passwordMd5
* @return bool|string
*/
public static function getPasswordHashMD5($passwordMd5)
{
return password_hash(strtolower($passwordMd5), PASSWORD_DEFAULT);
}

/**
* Check that password matches existing hash
* @param string $password Plaintext password
* @param string $user_hash DB hash
* @param string $userHash DB hash
* @return bool
*/
public static function checkPassword($password, $user_hash)
public static function checkPassword($password, $userHash)
{
return self::checkPasswordMD5(md5($password), $user_hash);
return self::checkPasswordMD5(md5($password), $userHash);
}

/**
* Check that md5-encoded password matches existing hash
* @param string $password MD5-encoded password
* @param string $user_hash DB hash
* @param string $passwordMd5 MD5-encoded password
* @param string $userHash DB hash
* @return bool Match or not?
*/
public static function checkPasswordMD5($password_md5, $user_hash)
public static function checkPasswordMD5($passwordMd5, $userHash)
{
if (empty($user_hash)) {
if (empty($userHash)) {
return false;
}
if ($user_hash[0] != '$' && strlen($user_hash) == 32) {
// Old way - just md5 password
return strtolower($password_md5) == $user_hash;

if ($userHash[0] !== '$' && strlen($userHash) === 32) {
// Legacy md5 password
$valid = strtolower($passwordMd5) === $userHash;
} else {
$valid = password_verify(strtolower($passwordMd5), $userHash);
}

return crypt(strtolower($password_md5), $user_hash) == $user_hash;
return $valid;
}

/**
Expand All @@ -1204,7 +1209,7 @@ public static function checkPasswordMD5($password_md5, $user_hash)
* @param string $password MD5-encoded password
* @param string $where Limiting query
* @param bool $checkPasswordMD5 use md5 check for user_hash before return the user data (default is true)
* @return bool|arraythe matching User of false if not found
* @return bool|array the matching User of false if not found
*/
public static function findUserPassword($name, $password, $where = '', $checkPasswordMD5 = true)
{
Expand Down