From 7f35e5da57774e263966fa2b75e89da90cb8f0aa Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=A9bastien=20Ducoulombier?=
Date: Thu, 2 Jul 2020 17:17:45 +0200
Subject: [PATCH] use of password_hash() rather than crypt() - refs BT#16297
And better documentation.
---
 .../userremoteservice/Entity/UserRemoteService.php | 14 +++++++-------
 plugin/userremoteservice/lang/english.php | 10 +++++++++-
 plugin/userremoteservice/lang/french.php | 11 +++++++++--
 .../src/user_remote_service_plugin.class.php | 4 +---
 4 files changed, 26 insertions(+), 13 deletions(-)
diff --git a/plugin/userremoteservice/Entity/UserRemoteService.php b/plugin/userremoteservice/Entity/UserRemoteService.php
index 48b346c004..b90471cebc 100644
--- a/plugin/userremoteservice/Entity/UserRemoteService.php
+++ b/plugin/userremoteservice/Entity/UserRemoteService.php
@@ -99,21 +99,21 @@ class UserRemoteService
 /**
 * Returns a user-specific URL, with two extra query string parameters : 'username' and 'hash'.
- * 'hash' is the return value of function call crypt($userId, $salt).
+ * 'hash' is generated using $salt and $userId.
 *
 * @param string $username the URL query parameter 'username'
- * @param string $userId the user identifier, to be passed to crypt() to generate the 'hash' query parameter
- * @param string $salt the salt to be passed to crypt() in order to generate the 'hash' query parameter
+ * @param string $userId the user identifier, to build the hash
+ * @param string $salt the salt, to build the hash
 *
- * @throws Exception on crypt() failure
+ * @throws Exception on hash generation failure
 *
 * @return string the custom user URL
 */
 public function getCustomUserURL($username, $userId, $salt)
 {
- $hash = crypt($userId, $salt);
- if (is_null($hash)) {
- throw new Exception('crypt() failed');
+ $hash = password_hash($salt.$userId, PASSWORD_BCRYPT);
+ if (false === $hash) {
+ throw new Exception('hash generation failed');
 }
 return sprintf(
 '%s%s%s',
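Review bot: The new `password_hash($salt.$userId, PASSWORD_BCRYPT)` line binds the user id to the hash only while the configured salt stays under 72 bytes, because bcrypt silently truncates its input at 72 bytes; the help text added in the english.php and french.php hunks urges the longest possible value, so once the salt reaches 72 bytes `$userId` no longer contributes and one hash passes `password_verify` for every user id. The setting is also no longer a salt but a shared secret (password_hash generates its own random salt), and bcrypt's deliberate cost is paid on every menu render for what is an integrity token rather than a stored password. A keyed MAC over the user id has none of these issues: `$hash = hash_hmac('sha256', (string) $userId, $salt);` on the new side, with the remote side documented as checking `hash_equals(hash_hmac('sha256', $userId, $salt), $hash)` in place of the `password_verify($salt.$userId, $hash)` expression in the two lang hunks. The `false === $hash` guard can stay as it is. getCustomUserURL's body continues past the hunk, so how the hash is encoded into the URL is not visible here.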
diff --git a/plugin/userremoteservice/lang/english.php b/plugin/userremoteservice/lang/english.php
index 3db5ecf17e..4199341ee4 100644
--- a/plugin/userremoteservice/lang/english.php
+++ b/plugin/userremoteservice/lang/english.php
@@ -5,7 +5,15 @@ $strings['plugin_title'] = 'User Remote Services';
 $strings['plugin_comment'] = 'Appends site-specific iframe-targetted user-identifying links to the menu bar.';
 $strings['salt'] = 'Salt';
-$strings['salt_help'] = '"hash" URL query string parameter crypt() salt';
+$strings['salt_help'] = <<<'EOT'
+Secret character string, used to generate the hash URL parameter. The longest, the best.
+Remote user services can check the generated URL authenticity with the following PHP expression :
+password_verify($salt.$userId, $hash)
+Where
+$salt is this input value,
+$userId is the number of the user referenced by the username URL parameter value and
+$hash contains the hash URL parameter value.
+EOT;
 // Please keep alphabetically sorted
 $strings['CreateService'] = 'Add service to menu bar';
diff --git a/plugin/userremoteservice/lang/french.php b/plugin/userremoteservice/lang/french.php
index 490f2dbf75..b571a2592a 100644
--- a/plugin/userremoteservice/lang/french.php
+++ b/plugin/userremoteservice/lang/french.php
@@ -7,8 +7,15 @@ $strings['plugin_comment'] =
 /* Strings for settings */
 $strings['salt'] = "Sel";
-$strings['salt_help'] =
- "Sel ('salt') à passer à la fonction crypt() pour générer le paramètre d'URL 'hash' des liens générés.";
+$strings['salt_help'] = <<<'EOT'
+Chaine de caractère secrète, utilisée pour générer le paramètre d'URL hash. Plus il est long et mieux c'est.
+Les services distants peuvent vérifier la validité de l'URL générée avec l'expression PHP suivante :
+password_verify($salt.$userId, $hash)
+Où
+$salt est la valeur saisie ici,
+$userId est le numéro de l'utilisateur auquel fait référence le paramètre d'URL username et
+$hash représente la valeur du paramètre d'URL hash.
+EOT;
 // Please keep alphabetically sorted
 $strings['CreateService'] = "Ajouter le service au menu";
diff --git a/plugin/userremoteservice/src/user_remote_service_plugin.class.php b/plugin/userremoteservice/src/user_remote_service_plugin.class.php
index 2b6295719e..63c9703294 100644
--- a/plugin/userremoteservice/src/user_remote_service_plugin.class.php
+++ b/plugin/userremoteservice/src/user_remote_service_plugin.class.php
@@ -140,8 +140,6 @@ OEQ,
 *
 * @see \return_navigation_array
 *
- * @throws Exception on crypt() failure
- *
 * @return array menu items
 */
 public function getNavigationMenu()
@@ -262,7 +260,7 @@ OEQ,
 /**
 * Generates the iframe HTML element to load a service URL
 *
- * @throws Exception on crypt() failure
+ * @throws Exception on hash generation failure
 *
 * @return string the iframe HTML element
 */
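Review bot: The `@throws Exception on crypt() failure` tag is dropped from getNavigationMenu's docblock in the first hunk of user_remote_service_plugin.class.php, whereas the iframe method's tag in the second hunk is reworded to `@throws Exception on hash generation failure`. getCustomUserURL in Entity/UserRemoteService.php still throws on failure, so if getNavigationMenu still reaches it without catching (its body lies outside the hunk, so I cannot confirm either way), the tag should be kept as ` * @throws Exception on hash generation failure` for consistency with the second hunk. getNavigationMenu's docblock starts before the hunk.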