authorRomain d'Alverny <rdalverny@gmail.com>2022-01-12 19:42:35 +0100
committerRomain d'Alverny <rdalverny@gmail.com>2022-01-12 19:42:35 +0100
commitef25d22544d4df97eae819217d841a7a3147c41d (patch)
tree205fa5dae346a2cc573a6b102fc99a2af822b865
parent0b2f80b2504286f0f9b9e1b95db5244d414a6808 (diff)
Use sha256 for password hashing
See moonmoon/moonmoon#10
-rw-r--r--admin/changepassword.php2
-rwxr-xr-xadmin/index.php2
-rwxr-xr-xadmin/login.php16
-rwxr-xr-xinstall.php5
4 files changed, 21 insertions, 4 deletions
diff --git a/admin/changepassword.php b/admin/changepassword.php
index 3b4500e..c1e61ff 100644
--- a/admin/changepassword.php
+++ b/admin/changepassword.php
@@ -4,7 +4,7 @@ require_once __DIR__.'/../app/app.php';
require_once __DIR__.'/inc/auth.inc.php';
if ($csrf->verify($_POST['_csrf'], 'frmPassword') && isset($_POST['password']) && ('' != $_POST['password'])) {
- $out = '<?php $login="admin"; $password="'.md5($_POST['password']).'"; ?>';
+ $out = sprintf('<?php $login="admin"; $password="%s"; ?>', hash('sha256', $_POST['password']));
file_put_contents(__DIR__.'/inc/pwd.inc.php', $out);
die("Password changed. <a href='administration.php'>Login</a>");
} else {
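Review bot: The added line still stores a fast, unsalted digest: `hash('sha256', ...)` can be guessed offline at roughly the rate of the md5 it replaces, and two installs with the same password produce the same hash. `password_hash($_POST['password'], PASSWORD_DEFAULT)` with `password_verify()` on the checking side is the standard primitive; since the same hex digest appears to be reused as the `auth` cookie value in admin/login.php, that change would also have to touch the comparison in inc/auth.inc.php, which is outside this diff. Separately, the `file_put_contents` result on the following line is unchecked, so a failed write (unwritable inc/ directory) still prints "Password changed." while the old hash remains on disk; `if (file_put_contents(__DIR__.'/inc/pwd.inc.php', $out) === false) { die('Could not write password file.'); }` would make that visible. The same sprintf/hash pattern is repeated in the admin/login.php and install.php hunks.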
diff --git a/admin/index.php b/admin/index.php
index 43cd5af..b16ed04 100755
--- a/admin/index.php
+++ b/admin/index.php
@@ -10,7 +10,7 @@ if (is_file($config_file)) {
$conf = Spyc::YAMLLoad($config_file);
$PlanetConfig = new PlanetConfig($conf);
} else {
- die('Config file (custom/config.yml) is missing.');
+ die('<p>' . _g('You might want to <a href="../install.php">install moonmoon</a>.') . '</p>');
}
//Instantiate app
diff --git a/admin/login.php b/admin/login.php
index 618cfb9..2f3d977 100755
--- a/admin/login.php
+++ b/admin/login.php
@@ -4,7 +4,21 @@ require_once __DIR__ . '/../app/app.php';
if (isset($_POST['password'])) {
session_regenerate_id();
- setcookie('auth', md5($_POST['password']));
+
+ $hash_pwd = hash('sha256', $_POST['password']);
+
+ // check if old moonmoon was installed and convert stored password
+ // from md5 to current hash function
+ $md5_pwd = md5($_POST['password']);
+ $passfile = dirname(__FILE__) . '/inc/pwd.inc.php';
+ include($passfile);
+
+ if ($md5_pwd == $password) {
+ error_log("Migrating password from md5 to sha256");
+ file_put_contents($passfile, sprintf('<?php $login="admin"; $password="%s"; ?>', $hash_pwd));
+ }
+
+ setcookie('auth', $hash_pwd);
header('Location: index.php');
}
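Review bot: The migration check `if ($md5_pwd == $password)` compares two hex strings loosely; when both happen to be numeric strings of the form `0e<digits>` PHP compares them as floats and they test equal, and the branch then overwrites pwd.inc.php with the hash of whatever password was submitted. Use `if (isset($password) && hash_equals($password, $md5_pwd)) {` — strict, constant-time, and the `isset` guard covers the case where `include($passfile)` fails on a not-yet-installed site and `$password` is never defined. The `file_put_contents` in that branch has no return check, so a failed migration write is only visible as the old md5 hash staying in place. The added `setcookie('auth', $hash_pwd)` also places the password digest itself in a cookie with no flags; `setcookie('auth', $hash_pwd, ['httponly' => true, 'secure' => true]);` would at least keep it out of script reach, though how that cookie is validated lives in inc/auth.inc.php outside this diff.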
diff --git a/install.php b/install.php
index 75166a3..5aaaef9 100755
--- a/install.php
+++ b/install.php
@@ -33,7 +33,10 @@ if ($PlanetConfig::isInstalled()) {
OpmlManager::save(new Opml(), custom_path('people.opml'));
//Save password
- $save['password'] = file_put_contents(admin_path('inc/pwd.inc.php'), '<?php $login="admin"; $password="'.md5($_POST['password']).'"; ?>');
+ $save['password'] = file_put_contents(
+ admin_path('inc/pwd.inc.php'),
+ sprintf('<?php $login="admin"; $password="%s"; ?>', hash('sha256', $_POST['password']))
+ );
if (0 != ($save['config'] + $save['password'])) {
$status = 'installed';