backport the password salting fix.

A salt is generated during setup and used to salt the user password hashes in the database backend.
remotes/origin/stable4
Frank Karlitschek 13 years ago
parent 8c7fa15aaf
commit a7a861b2c6
  1. 1
      config/config.sample.php
  2. 4
      lib/setup.php
  3. 6
      lib/user/database.php

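--- a/config/config.sample.php
+++ b/config/config.sample.php
@@ -29,6 +29,7 @@ $CONFIG = array(
 "log_type" => "",
 "logfile" => "",
 "loglevel" => "",
+"passwordsalt" => "",
 // "datadirectory" => ""
 );
 ?>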
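Review bot: The new `"passwordsalt"` entry carries no comment saying where its value comes from or that it must stay fixed: setup writes a generated value into it, and the user backend appends it to every password both before hashing and before checking, so editing it once users exist makes every stored hash unverifiable. Suggest documenting that on the line itself, e.g. `"passwordsalt" => "", // written by setup; do not change once users exist, every stored password hash depends on it`. The `$CONFIG` array this line belongs to starts before the hunk.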

@ -73,6 +73,10 @@ class OC_Setup {
$dbtype='sqlite3'; $dbtype='sqlite3';
} }
//generate a random salt that is used to salt the local user passwords
$salt=mt_rand(1000,9000).mt_rand(1000,9000).mt_rand(1000,9000).mt_rand(1000,9000).mt_rand(1000,9000).mt_rand(1000,9000).mt_rand(1000,9000).mt_rand(1000,9000);
OC_Config::setValue('passwordsalt', $salt);
//write the config file //write the config file
OC_Config::setValue('datadirectory', $datadir); OC_Config::setValue('datadirectory', $datadir);
OC_Config::setValue('dbtype', $dbtype); OC_Config::setValue('dbtype', $dbtype);
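Review bot: The value built on the `$salt=` line comes from `mt_rand`, a Mersenne Twister that is not a cryptographically secure generator, so the eight concatenated numbers are fully determined by the generator's seed and the effective entropy is bounded by that seed rather than by the thirty-two digits the string suggests. Since this is a site-wide secret that every stored hash will depend on, it should come from a CSPRNG, e.g. `$salt = bin2hex(openssl_random_pseudo_bytes(16));` (presumably available on the PHP versions this branch targets; worth confirming and adding a fallback or a hard failure if the function is missing). A short comment such as `// site-wide secret appended to passwords before hashing; must be unpredictable` would also make the intent clearer than the current one. The setup method containing these lines starts and ends outside the hunk.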

@ -69,7 +69,7 @@ class OC_User_Database extends OC_User_Backend {
return false; return false;
}else{ }else{
$hasher=$this->getHasher(); $hasher=$this->getHasher();
$hash = $hasher->HashPassword($password); $hash = $hasher->HashPassword($password.OC_Config::getValue('passwordsalt', ''));
$query = OC_DB::prepare( "INSERT INTO `*PREFIX*users` ( `uid`, `password` ) VALUES( ?, ? )" ); $query = OC_DB::prepare( "INSERT INTO `*PREFIX*users` ( `uid`, `password` ) VALUES( ?, ? )" );
$result = $query->execute( array( $uid, $hash)); $result = $query->execute( array( $uid, $hash));
@ -102,7 +102,7 @@ class OC_User_Database extends OC_User_Backend {
public function setPassword( $uid, $password ){ public function setPassword( $uid, $password ){
if( $this->userExists($uid) ){ if( $this->userExists($uid) ){
$hasher=$this->getHasher(); $hasher=$this->getHasher();
$hash = $hasher->HashPassword($password); $hash = $hasher->HashPassword($password.OC_Config::getValue('passwordsalt', ''));
$query = OC_DB::prepare( "UPDATE *PREFIX*users SET password = ? WHERE uid = ?" ); $query = OC_DB::prepare( "UPDATE *PREFIX*users SET password = ? WHERE uid = ?" );
$result = $query->execute( array( $hash, $uid )); $result = $query->execute( array( $hash, $uid ));
@ -131,7 +131,7 @@ class OC_User_Database extends OC_User_Backend {
$storedHash=$row['password']; $storedHash=$row['password'];
if (substr($storedHash,0,1)=='$'){//the new phpass based hashing if (substr($storedHash,0,1)=='$'){//the new phpass based hashing
$hasher=$this->getHasher(); $hasher=$this->getHasher();
if($hasher->CheckPassword($password, $storedHash)){ if($hasher->CheckPassword($password.OC_Config::getValue('passwordsalt', ''), $storedHash)){
return $row['uid']; return $row['uid'];
}else{ }else{
return false; return false;
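Review bot: The default `''` in `OC_Config::getValue('passwordsalt', '')` on the three changed lines means an installation whose config.php has no `passwordsalt` (the value is only produced by setup, so presumably any instance upgraded in place rather than freshly installed) keeps hashing and checking passwords unsalted, silently and without any log entry; this keeps pre-existing hashes verifiable, but it also means the backport has no effect on such instances. That trade-off deserves a comment at the first call site, e.g. `// empty salt keeps hashes from installations that predate passwordsalt verifiable`, and the value is better read once through a private helper than repeated in three places. If getHasher() ends up using bcrypt (not visible here), CRYPT_BLOWFISH only uses the first 72 bytes of its input, so appending the salt to a long password truncates it; the hash and check paths are consistent, so this is a caveat rather than a correctness bug. The enclosing methods of all three hunks start or end outside them.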
