[evolvis-commits] r18354: do not fill in the column user_pw with md5(plainpw) any more

mirabilos at evolvis.org mirabilos at evolvis.org
Thu Apr 12 20:40:25 CEST 2012


Author: mirabilos
Date: 2012-04-12 20:40:24 +0200 (Thu, 12 Apr 2012)
New Revision: 18354

Modified:
   trunk/gforge_base/evolvisforge-5.1/src/common/include/User.class.php
   trunk/gforge_base/evolvisforge-5.1/src/common/include/forms.php
   trunk/gforge_base/evolvisforge-5.1/src/common/include/session.php
   trunk/gforge_base/evolvisforge-5.1/src/deb-specific/gforge-inject.pl
Log:
do not fill in the column user_pw with md5(plainpw) any more

Modified: trunk/gforge_base/evolvisforge-5.1/src/common/include/User.class.php
===================================================================
--- trunk/gforge_base/evolvisforge-5.1/src/common/include/User.class.php	2012-04-12 18:40:20 UTC (rev 18353)
+++ trunk/gforge_base/evolvisforge-5.1/src/common/include/User.class.php	2012-04-12 18:40:24 UTC (rev 18354)
@@ -345,7 +345,7 @@
 		db_begin();
 		$result = db_query_params ('INSERT INTO users (user_name,user_pw,unix_pw,realname,firstname,lastname,email,add_date,status,confirm_hash,mail_siteupdates,mail_va,language,timezone,jabber_address,jabber_only,unix_box,address,address2,phone,fax,title,ccode,theme_id) VALUES ($1,$2,$3,$4,$5,$6,$7,$8,$9,$10,$11,$12,$13,$14,$15,$16,$17,$18,$19,$20,$21,$22,$23,$24)',
 					   array ($unix_name,
-						  md5($password1),
+						  'X',
 						  account_genunixpw($password1),
 						  htmlspecialchars($firstname.' '.$lastname),
 						  htmlspecialchars($firstname),
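Review bot: The literal `'X'` written into `user_pw` here is an unexplained sentinel, and the same literal is repeated in the password-update hunk at -1304, in session.php and in gforge-inject.pl. A short comment at each site, or one shared constant, would tell the next maintainer that the column is deliberately unusable, e.g. `/* user_pw is obsolete; 'X' is not a valid md5 hex digest, so nothing can match it */`. If the column is kept only because of a schema constraint, the comment should say so. The enclosing function starts and ends outside this hunk.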
@@ -1304,11 +1304,10 @@
 		}
 
 		db_begin();
-		$md5_pw = md5 ($passwd) ;
 		$unix_pw = account_genunixpw ($passwd) ;
 
 		$res = db_query_params ('UPDATE users SET user_pw=$1, unix_pw=$2 WHERE user_id=$3',
-					array ($md5_pw,
+					array ('X',
 					       $unix_pw,
 					       $this->getID())) ;
 

Modified: trunk/gforge_base/evolvisforge-5.1/src/common/include/forms.php
===================================================================
--- trunk/gforge_base/evolvisforge-5.1/src/common/include/forms.php	2012-04-12 18:40:20 UTC (rev 18353)
+++ trunk/gforge_base/evolvisforge-5.1/src/common/include/forms.php	2012-04-12 18:40:24 UTC (rev 18354)
@@ -32,7 +32,7 @@
 	db_begin();
 	// there's about 99.999999999% probability this loop will run only once :) 
 	while(!$is_new) {
-		$key = md5(microtime() + util_randbytes() + $_SERVER["REMOTE_ADDR"]);
+		$key = md5(microtime() . util_randbytes() . $_SERVER["REMOTE_ADDR"]);
 		$res = db_query_params ('SELECT * FROM form_keys WHERE key=$1', array ($key));
 		if (!db_numrows($res)) {
 			$is_new=true;	
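Review bot: The key's unpredictability rests entirely on `util_randbytes()`; `microtime()` and `REMOTE_ADDR` are guessable and only help avoid collisions. That deserves a comment above the `md5()` call, e.g. `// unguessable part comes from util_randbytes(); microtime/REMOTE_ADDR only reduce collisions`, and a check that `util_randbytes()` (defined outside this diff) returns enough bytes by default. The switch from `+` to `.` is unrelated to the `user_pw` change and is not mentioned in the log message. The `while` loop continues past the end of the hunk.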

Modified: trunk/gforge_base/evolvisforge-5.1/src/common/include/session.php
===================================================================
--- trunk/gforge_base/evolvisforge-5.1/src/common/include/session.php	2012-04-12 18:40:20 UTC (rev 18353)
+++ trunk/gforge_base/evolvisforge-5.1/src/common/include/session.php	2012-04-12 18:40:24 UTC (rev 18354)
@@ -166,7 +166,7 @@
 function session_login_valid_dbonly ($loginname, $passwd, $allowpending) {
 	global $feedback,$userstatus;
 
-	$res = db_query_params('SELECT user_id, status, user_pw, unix_pw
+	$res = db_query_params('SELECT user_id, status, unix_pw
 		FROM users WHERE user_name=$1' .
 	    (forge_get_config('require_unique_email') ? ' OR email=$1' : ''),
 	    array($loginname));
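Review bot: This lookup can match a row by `email` when `require_unique_email` is set, but the UPDATE in the next hunk is keyed on `user_name=$3` with `$loginname`. For a login by e-mail address that UPDATE would presumably match no row, so the stored hash is never brought to canonical form. Keying it on the id already selected here avoids that: `WHERE user_id=$3` with `$usr['user_id']` (assuming `$usr` still holds the fetched row, as the removed `$usr['user_pw']` line suggests). The function body continues outside the hunk.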
@@ -185,16 +185,16 @@
 		return false;
 	}
 
-	if ($is_valid == 2 && $usr['user_pw'] !== md5($passwd)) {
-		$is_valid = 1;
-	}
-
 	if ($is_valid != 2) {
 		/* Update the database with canonical hashes */
 		$res = db_query_params('UPDATE users
 		    SET user_pw=$1, unix_pw=$2
 		    WHERE user_name=$3',
-				       array(md5($passwd), account_genunixpw($passwd), $loginname));
+		    array(
+			'X',
+			account_genunixpw($passwd),
+			$loginname
+		    ));
 	}
 
 	// Yay.  The provided password matches both fields in the database.
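Review bot: Rows whose `unix_pw` is already canonical never reach this UPDATE, so their old unsalted `md5(plainpw)` value stays in `user_pw` after this commit; only accounts with `$is_valid != 2` get it overwritten with `'X'`. How `$is_valid` is set lies outside the hunk, so this is inferred, but if it holds, the legacy hashes remain readable by anyone with access to the database or its backups. A one-off statement in the upgrade path, `UPDATE users SET user_pw='X' WHERE user_pw <> 'X'`, would clear them. The trailing comment `// Yay.  The provided password matches both fields in the database.` is also stale now that only `unix_pw` is checked.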

Modified: trunk/gforge_base/evolvisforge-5.1/src/deb-specific/gforge-inject.pl
===================================================================
--- trunk/gforge_base/evolvisforge-5.1/src/deb-specific/gforge-inject.pl	2012-04-12 18:40:20 UTC (rev 18353)
+++ trunk/gforge_base/evolvisforge-5.1/src/deb-specific/gforge-inject.pl	2012-04-12 18:40:24 UTC (rev 18354)
@@ -224,15 +224,13 @@
 	    my $realname = $users{$user}{realname} ;
 	    $realname = substr ($realname, 0, 32) ;
 	    $realname = $dbh->quote ($realname) ;
-	    my $unix_pw = qx(/usr/bin/makepasswd --minchar 8 --maxchar 8) ;
-	    $unix_pw = $dbh->quote ($unix_pw) ;
 	    $query = "INSERT INTO users (user_name, email,
                                          user_pw, realname, status,
                                          shell, unix_pw, unix_status,
                                          unix_uid, add_date)
                       VALUES ('$users{$user}{user_name}',
                               '$users{$user}{email}',
-                              $unix_pw,
+                              'X',
                               $realname,
                               '$users{$user}{status}',
                               '$users{$user}{shell}',
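Review bot: `user_name`, `email`, `status` and `shell` are still interpolated into the INSERT between hand-written quotes, while `realname` a few lines up goes through `$dbh->quote`. If any of those fields can contain a quote character the statement breaks or changes meaning; quoting them the same way, e.g. `$dbh->quote ($users{$user}{email})`, or switching to placeholders, closes that. Separately, the column list still names `unix_pw`, whose value lies beyond the end of this hunk: if it referred to the `$unix_pw` variable removed here, it now needs another source. The statement and the enclosing loop continue outside the hunk.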


