[evolvis-commits] r18353: nuke getMD5Passwd method; breaks: mantis mailman webcalendar

mirabilos at evolvis.org mirabilos at evolvis.org
Thu Apr 12 20:40:21 CEST 2012


Author: mirabilos
Date: 2012-04-12 20:40:20 +0200 (Thu, 12 Apr 2012)
New Revision: 18353

Modified:
   trunk/gforge_base/evolvisforge-5.1/plugins/old/webcalendar/common/webcalendarPlugin.class.php
   trunk/gforge_base/evolvisforge-5.1/src/common/include/User.class.php
   trunk/gforge_base/evolvisforge-5.1/src/common/include/account.php
   trunk/gforge_base/evolvisforge-5.1/src/plugins/mailman/etc/mailman.ini
   trunk/gforge_base/evolvisforge-5.1/src/plugins/mailman/include/MailmanList.class.php
   trunk/gforge_base/evolvisforge-5.1/src/plugins/mailman/include/MailmanListFactory.class.php
   trunk/gforge_base/evolvisforge-5.1/src/plugins/mantis/etc/mantis.ini
   trunk/gforge_base/evolvisforge-5.1/src/plugins/mantis/www/index.php
   trunk/gforge_base/evolvisforge-5.1/src/www/account/change_pw.php
   trunk/gforge_base/evolvisforge-5.1/src/www/account/index.php
Log:
nuke getMD5Passwd method; breaks: mantis mailman webcalendar

no sense in keeping a non-salted MD5 hash of a user password in the DB

Modified: trunk/gforge_base/evolvisforge-5.1/plugins/old/webcalendar/common/webcalendarPlugin.class.php
===================================================================
--- trunk/gforge_base/evolvisforge-5.1/plugins/old/webcalendar/common/webcalendarPlugin.class.php	2012-04-12 18:40:17 UTC (rev 18352)
+++ trunk/gforge_base/evolvisforge-5.1/plugins/old/webcalendar/common/webcalendarPlugin.class.php	2012-04-12 18:40:20 UTC (rev 18353)
@@ -1,4 +1,5 @@
 <?php
+die('broken: User->getMD5Passwd() was removed');
 /**
  * webcalendarPlugin Class
  *
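Review bot: The added `die('broken: User->getMD5Passwd() was removed');` runs as soon as the file is included, so any page that still loads this class file ends with that string as its entire response. The same line is added at the top of MailmanList.class.php, MailmanListFactory.class.php and mantis/www/index.php. mailman.ini and mantis.ini are set to `plugin_status = broken` in this commit, but no matching status change for webcalendar is visible, so the diff does not show whether the plugin loader can still reach this file. I would put a comment above each guard, e.g. `// Disabled in r18353: depended on the unsalted MD5 in user_pw; port to a salted check before re-enabling`, so the guard is not simply deleted later to "fix" the plugin.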

Modified: trunk/gforge_base/evolvisforge-5.1/src/common/include/User.class.php
===================================================================
--- trunk/gforge_base/evolvisforge-5.1/src/common/include/User.class.php	2012-04-12 18:40:17 UTC (rev 18352)
+++ trunk/gforge_base/evolvisforge-5.1/src/common/include/User.class.php	2012-04-12 18:40:20 UTC (rev 18353)
@@ -788,15 +788,6 @@
 	}
 
 	/**
-	 *	getMD5Passwd - the password.
-	 *
-	 *	@return	string	This user's MD5-crypted passwd.
-	 */
-	function getMD5Passwd() {
-		return $this->data_array['user_pw'];
-	}
-	
-	/**
 	 *	getConfirmHash - the confirm hash in the db.
 	 *
 	 *	@return	string	This user's confirmation hash.

Modified: trunk/gforge_base/evolvisforge-5.1/src/common/include/account.php
===================================================================
--- trunk/gforge_base/evolvisforge-5.1/src/common/include/account.php	2012-04-12 18:40:17 UTC (rev 18352)
+++ trunk/gforge_base/evolvisforge-5.1/src/common/include/account.php	2012-04-12 18:40:20 UTC (rev 18353)
@@ -4,6 +4,8 @@
  *
  * Copyright 1999-2001, VA Linux Systems, Inc.
  * Copyright 2010, Franck Villaume - Capgemini
+ * Copyright © 2012
+ *	Thorsten Glaser <t.glaser at tarent.de>
  *
  * This file is part of FusionForge. FusionForge is free software;
  * you can redistribute it and/or modify it under the terms of the

Modified: trunk/gforge_base/evolvisforge-5.1/src/plugins/mailman/etc/mailman.ini
===================================================================
--- trunk/gforge_base/evolvisforge-5.1/src/plugins/mailman/etc/mailman.ini	2012-04-12 18:40:17 UTC (rev 18352)
+++ trunk/gforge_base/evolvisforge-5.1/src/plugins/mailman/etc/mailman.ini	2012-04-12 18:40:20 UTC (rev 18353)
@@ -5,7 +5,7 @@
 ; valid means : production ready.
 ; Any other strings means it's under work or broken and plugin 
 ; is available in installation_environment = development only.
-plugin_status = development
+plugin_status = broken
 dbhost = 
 dbuser = list
 dbpassword =

Modified: trunk/gforge_base/evolvisforge-5.1/src/plugins/mailman/include/MailmanList.class.php
===================================================================
--- trunk/gforge_base/evolvisforge-5.1/src/plugins/mailman/include/MailmanList.class.php	2012-04-12 18:40:17 UTC (rev 18352)
+++ trunk/gforge_base/evolvisforge-5.1/src/plugins/mailman/include/MailmanList.class.php	2012-04-12 18:40:20 UTC (rev 18353)
@@ -1,4 +1,5 @@
 <?php
+die('broken: User->getMD5Passwd() was removed');
 /**
  * FusionForge Mailing Lists Facility
  *

Modified: trunk/gforge_base/evolvisforge-5.1/src/plugins/mailman/include/MailmanListFactory.class.php
===================================================================
--- trunk/gforge_base/evolvisforge-5.1/src/plugins/mailman/include/MailmanListFactory.class.php	2012-04-12 18:40:17 UTC (rev 18352)
+++ trunk/gforge_base/evolvisforge-5.1/src/plugins/mailman/include/MailmanListFactory.class.php	2012-04-12 18:40:20 UTC (rev 18353)
@@ -1,4 +1,5 @@
 <?php
+die('broken: User->getMD5Passwd() was removed');
 /**
  * FusionForge Mailing Lists Facility
  *

Modified: trunk/gforge_base/evolvisforge-5.1/src/plugins/mantis/etc/mantis.ini
===================================================================
--- trunk/gforge_base/evolvisforge-5.1/src/plugins/mantis/etc/mantis.ini	2012-04-12 18:40:17 UTC (rev 18352)
+++ trunk/gforge_base/evolvisforge-5.1/src/plugins/mantis/etc/mantis.ini	2012-04-12 18:40:20 UTC (rev 18353)
@@ -1,4 +1,5 @@
 [mantis]
+plugin_status = broken
 
 server = Mantis
 db_host = localhost

Modified: trunk/gforge_base/evolvisforge-5.1/src/plugins/mantis/www/index.php
===================================================================
--- trunk/gforge_base/evolvisforge-5.1/src/plugins/mantis/www/index.php	2012-04-12 18:40:17 UTC (rev 18352)
+++ trunk/gforge_base/evolvisforge-5.1/src/plugins/mantis/www/index.php	2012-04-12 18:40:20 UTC (rev 18353)
@@ -1,4 +1,5 @@
 <?php
+die('broken: User->getMD5Passwd() was removed');
 
 /*
  * Mantis plugin 2

Modified: trunk/gforge_base/evolvisforge-5.1/src/www/account/change_pw.php
===================================================================
--- trunk/gforge_base/evolvisforge-5.1/src/www/account/change_pw.php	2012-04-12 18:40:17 UTC (rev 18352)
+++ trunk/gforge_base/evolvisforge-5.1/src/www/account/change_pw.php	2012-04-12 18:40:20 UTC (rev 18353)
@@ -4,6 +4,8 @@
  *
  * Copyright 1999-2001 (c) VA Linux Systems
  * Copyright 2010 (c) Franck Villaume - Capgemini
+ * Copyright © 2012
+ *	Thorsten Glaser <t.glaser at tarent.de>
  *
  * This file is part of FusionForge. FusionForge is free software;
  * you can redistribute it and/or modify it under the terms of the
@@ -43,7 +45,7 @@
 	$passwd = getStringFromRequest('passwd');
 	$passwd2 = getStringFromRequest('passwd2');
 
-	if ($u->getMD5Passwd() !== md5($old_passwd)) {
+	if (!account_chkunixpw($old_passwd, $u->getUnixPasswd())) {
 		form_release_key(getStringFromRequest('form_key'));
 		exit_error(_('Old password is incorrect'),'my');
 	}
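Review bot: `account_chkunixpw()` is called here but its body is not in this diff (the account.php hunk only touches the copyright header), so the old-password check now rests on code the review cannot see. It is worth confirming that it returns false when the stored `getUnixPasswd()` value is empty or a lock marker rather than a real crypt hash, and that it compares hashes in constant time (`hash_equals()` where the PHP version has it). The failure branch shows only `exit_error()`; logging the failed attempt there would help detect password guessing from a hijacked session. The surrounding block starts and ends outside the hunk, so it is also not visible whether a successful change still writes `user_pw`; if it does, the unsalted MD5 stays in the database even though the accessor is gone.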

Modified: trunk/gforge_base/evolvisforge-5.1/src/www/account/index.php
===================================================================
--- trunk/gforge_base/evolvisforge-5.1/src/www/account/index.php	2012-04-12 18:40:17 UTC (rev 18352)
+++ trunk/gforge_base/evolvisforge-5.1/src/www/account/index.php	2012-04-12 18:40:20 UTC (rev 18353)
@@ -67,16 +67,6 @@
 	$remember_user = getStringFromRequest('remember_user');
 	$use_ratings = getStringFromRequest('use_ratings');
 
-/*
-//needs security audit
-	if ($remember_user) {
-		// set cookie, expire in 3 months
-		setcookie("sf_user_hash",$u->getID().'_'.substr($u->getMD5Passwd(),0,16),time()+90*24*60*60,'/');
-	} else {
-		// remove cookie
-		setcookie("sf_user_hash",'',0,'/');
-	}
-*/
 	// Refresh page if language or theme changed
 	$refresh = ($language != $u->getLanguage() || $theme_id != $u->getThemeID());
 


