author | Romain d'Alverny <rdalverny@gmail.com> | 2022-01-12 19:42:35 +0100 |
---|---|---|
committer | Romain d'Alverny <rdalverny@gmail.com> | 2022-01-12 19:42:35 +0100 |
commit | ef25d22544d4df97eae819217d841a7a3147c41d (patch) | |
tree | 205fa5dae346a2cc573a6b102fc99a2af822b865 | |
parent | 0b2f80b2504286f0f9b9e1b95db5244d414a6808 (diff) | |
Use sha256 for password hashing
See moonmoon/moonmoon#10
-rw-r--r-- | admin/changepassword.php | 2 | ||||
-rwxr-xr-x | admin/index.php | 2 | ||||
-rwxr-xr-x | admin/login.php | 16 | ||||
-rwxr-xr-x | install.php | 5 |
4 files changed, 21 insertions, 4 deletions
diff --git a/admin/changepassword.php b/admin/changepassword.php
index 3b4500e..c1e61ff 100644
--- a/admin/changepassword.php
+++ b/admin/changepassword.php
@@ -4,7 +4,7 @@ require_once __DIR__.'/../app/app.php';
 require_once __DIR__.'/inc/auth.inc.php';
 if ($csrf->verify($_POST['_csrf'], 'frmPassword') && isset($_POST['password']) && ('' != $_POST['password'])) {
- $out = '<?php $login="admin"; $password="'.md5($_POST['password']).'"; ?>';
+ $out = sprintf('<?php $login="admin"; $password="%s"; ?>', hash('sha256', $_POST['password']));
 file_put_contents(__DIR__.'/inc/pwd.inc.php', $out);
 die("Password changed. <a href='administration.php'>Login</a>");
 } else {
diff --git a/admin/index.php b/admin/index.php
index 43cd5af..b16ed04 100755
--- a/admin/index.php
+++ b/admin/index.php
@@ -10,7 +10,7 @@ if (is_file($config_file)) {
 $conf = Spyc::YAMLLoad($config_file);
 $PlanetConfig = new PlanetConfig($conf);
 } else {
- die('Config file (custom/config.yml) is missing.');
+ die('<p>' . _g('You might want to <a href="../install.php">install moonmoon</a>.') . '</p>');
 }
 //Instantiate app
diff --git a/admin/login.php b/admin/login.php
index 618cfb9..2f3d977 100755
--- a/admin/login.php
+++ b/admin/login.php
@@ -4,7 +4,21 @@ require_once __DIR__ . '/../app/app.php';
 if (isset($_POST['password'])) {
 session_regenerate_id();
- setcookie('auth', md5($_POST['password']));
+
+ $hash_pwd = hash('sha256', $_POST['password']);
+
+ // check if old moonmoon was installed and convert stored password
+ // from md5 to current hash function
+ $md5_pwd = md5($_POST['password']);
+ $passfile = dirname(__FILE__) . '/inc/pwd.inc.php';
+ include($passfile);
+
+ if ($md5_pwd == $password) {
+ error_log("Migrating password from md5 to sha256");
+ file_put_contents($passfile, sprintf('<?php $login="admin"; $password="%s"; ?>', $hash_pwd));
+ }
+
+ setcookie('auth', $hash_pwd);
 header('Location: index.php');
 }
diff --git a/install.php b/install.php
index 75166a3..5aaaef9 100755
--- a/install.php
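Review bot: The `+ $out = sprintf(...)` line still writes an unsalted, single-iteration digest, so the md5→sha256 switch does not address the actual password-storage weakness: equal passwords map to equal stored values, and anyone who obtains pwd.inc.php can test candidates against it at raw SHA-256 speed. PHP's dedicated API is the right primitive, e.g. `$out = sprintf('<?php $login="admin"; $password=%s; ?>', var_export(password_hash($_POST['password'], PASSWORD_DEFAULT), true));`, with the reader switched to `password_verify()`; `var_export()` matters because the bcrypt output contains `$` followed by letters and would be interpolated as variables inside the existing double-quoted `$password="%s"` literal. The same construction is repeated in the admin/login.php and install.php hunks, and whatever compares the stored value (inc/auth.inc.php, outside this diff) must change in step, so this is a cross-file migration rather than a one-line edit.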
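Review bot: The new migration check `if ($md5_pwd == $password)` uses loose comparison between two hex strings, and PHP compares two numeric-looking strings (both of the form `0e<digits>`) as numbers, so distinct digests can compare equal; it should read `if (hash_equals((string) $password, $md5_pwd))`, which also avoids the timing side channel of `==`. `$password` only exists if `include($passfile)` actually loads the file — on a checkout where pwd.inc.php is absent the include emits a warning and the comparison runs against an undefined variable, so an `is_file($passfile)` guard before the include keeps the migration path quiet and explicit. The new `setcookie('auth', $hash_pwd);` sets the cookie with no attributes even though its value is the credential digest itself; at minimum `setcookie('auth', $hash_pwd, ['httponly' => true, 'secure' => !empty($_SERVER['HTTPS']), 'samesite' => 'Lax']);` keeps it out of reach of injected script and off plaintext connections.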
+++ b/install.php
@@ -33,7 +33,10 @@ if ($PlanetConfig::isInstalled()) {
 OpmlManager::save(new Opml(), custom_path('people.opml'));
 //Save password
- $save['password'] = file_put_contents(admin_path('inc/pwd.inc.php'), '<?php $login="admin"; $password="'.md5($_POST['password']).'"; ?>');
+ $save['password'] = file_put_contents(
+ admin_path('inc/pwd.inc.php'),
+ sprintf('<?php $login="admin"; $password="%s"; ?>', hash('sha256', $_POST['password']))
+ );
 if (0 != ($save['config'] + $save['password'])) {
 $status = 'installed';
|