Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Хешування паролів з використанням password_hash() та перевірка з password_verify() #54

Open
wants to merge 4 commits into
base: master
Choose a base branch
from

Conversation

chief-j
Copy link
Contributor

@chief-j chief-j commented Jul 1, 2017

Fixes #50

@@ -232,16 +232,16 @@
} elseif ($new_pass != $cfm_pass) {
$errors[] = $lang['CHOOSE_PASS_ERR'];
}
$db_data['user_password'] = md5(md5($new_pass));
$db_data['user_password'] = password_hash(md5($new_pass), PASSWORD_DEFAULT);
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

на Толоці ми зараз додатково використовуємо

$options = [
    'cost' => 12,
];

щоб не послабити нові паролі, думаю, варто додати. Єдине, не зовсім зрозуміло, як воно буде себе поводити, коли bcrypt переведуть на щось інше. Щоб уникнути двозначності і сюрпризів, я би тоді також замінив PASSWORD_DEFAULT на PASSWORD_BCRYPT

}

if ($mode == 'register') {
if (empty($new_pass)) {
$errors[] = $lang['CHOOSE_PASS'];
$errors[] = $lang['CHOOSE_PASS'];
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

треба забрати

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Це я прибрати не можу. Не буде повідомлення про не введений пароль при реєстрації

if (!$userdata['username'] || !$userdata['user_password'] || $userdata['user_id'] == GUEST_UID || md5(md5($password)) !== $userdata['user_password'] || !$userdata['user_active']) {
$userdata = DB()->fetch_row($sql);
if (password_verify(md5($password), $userdata['user_password'])) {
if (!$userdata['username'] || !$userdata['user_password'] || $userdata['user_id'] == GUEST_UID /*|| md5(md5($password)) !== $userdata['user_password']*/ || !$userdata['user_active']) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

закоментований код треба забрати

@@ -42,7 +42,7 @@
if ($row['user_active'] && trim($row['user_actkey']) == '') {
bb_die($lang['ALREADY_ACTIVATED']);
} elseif ((trim($row['user_actkey']) == trim($_GET['act_key'])) && (trim($row['user_actkey']) != '')) {
$sql_update_pass = ($row['user_newpasswd'] != '') ? ", user_password = '" . md5(md5($row['user_newpasswd'])) . "', user_newpasswd = ''" : '';
$sql_update_pass = ($row['user_newpasswd'] != '') ? ", user_password = '" . password_hash(md5($row['user_newpasswd']), PASSWORD_DEFAULT) . "', user_newpasswd = ''" : '';
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

тут теж тоді має бути bcrypt і cost 12

}

if ($mode == 'register') {
if (empty($new_pass)) {
$errors[] = $lang['CHOOSE_PASS'];
$errors[] = $lang['CHOOSE_PASS'];
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

замініть на пробіли

AND user_active = 1
AND user_id != " . GUEST_UID . "
LIMIT 1
";

if ($userdata = DB()->fetch_row($sql)) {
if (!$userdata['username'] || !$userdata['user_password'] || $userdata['user_id'] == GUEST_UID || md5(md5($password)) !== $userdata['user_password'] || !$userdata['user_active']) {
$userdata = DB()->fetch_row($sql);
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

замініть на пробіли

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Зверху таби стоять

@@ -232,16 +232,17 @@
} elseif ($new_pass != $cfm_pass) {
$errors[] = $lang['CHOOSE_PASS_ERR'];
}
$db_data['user_password'] = md5(md5($new_pass));
$options = ['cost' => 12,];
$db_data['user_password'] = password_hash(md5($new_pass), PASSWORD_BCRYPT, $options);
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

на цих рядках таби, а решта файлу з пробілами. Замініть на пробіли

@@ -1116,7 +1116,7 @@ CREATE TABLE `bb_users` (
INSERT INTO `bb_users` (`user_id`, `user_active`, `username`, `user_password`, `user_session_time`, `user_lastvisit`, `user_last_ip`, `user_regdate`, `user_reg_ip`, `user_level`, `user_posts`, `user_timezone`, `user_lang`, `user_new_privmsg`, `user_unread_privmsg`, `user_last_privmsg`, `user_opt`, `user_rank`, `avatar_ext_id`, `user_gender`, `user_birthday`, `user_email`, `user_skype`, `user_twitter`, `user_icq`, `user_website`, `user_from`, `user_sig`, `user_occ`, `user_interests`, `user_actkey`, `user_newpasswd`, `autologin_id`, `user_newest_pm_id`, `user_points`, `tpl_name`) VALUES
(-746, 0, 'bot', 'd41d8cd98f00b204e9800998ecf8427e', 0, 0, '0', 0, '0', 0, 0, 0.00, '', 0, 0, 0, 144, 0, 0, 0, '0000-00-00', 'bot@torrentpier.me', '', '', '', '', '', '', '', '', '', '', '', 0, 0.00, 'default'),
(-1, 0, 'Guest', 'd41d8cd98f00b204e9800998ecf8427e', 0, 0, '0', 0, '0', 0, 0, 0.00, '', 0, 0, 0, 0, 0, 0, 0, '0000-00-00', '', '', '', '', '', '', '', '', '', '', '', '', 0, 0.00, 'default'),
(2, 1, 'admin', 'c3284d0f94606de1fd2af172aba15bf3', 0, 0, 'c0a86301', 0, '0', 1, 1, 2.00, '', 0, 0, 0, 304, 1, 0, 0, '0000-00-00', 'admin@torrentpier.me', '', '', '', '', '', '', '', '', '', '', 'XCbkm1SmP1GB', 0, 0.00, 'default');
(2, 1, 'admin', '$2y$10$fjuYdcS0DmOdPsY/LXliq.zQsp3bUR2D.Jw8w5w3HUswBvGgkLSRi', 0, 0, 'c0a86301', 0, '0', 1, 1, 2.00, '', 0, 0, 0, 304, 1, 0, 0, '0000-00-00', 'admin@torrentpier.me', '', '', '', '', '', '', '', '', '', '', 'XCbkm1SmP1GB', 0, 0.00, 'default');
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

для цілісності, пароль бажано перехешувати з cost 12

@chief-j
Copy link
Contributor Author

chief-j commented Jul 2, 2017

Перевірити на працездатність зараз не можу. Теоретично, все буде працювати

@@ -33,6 +33,9 @@

$bb_cfg = [];

//Алгоритм хешування
$bb_cfg['passhash_cost'] = ['cost' => 12,];
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Плюс, коли це вже масив, то краще перейменувати в

$bb_cfg['passhash_opts'] = ['cost' => 12,];

package.json Outdated
@@ -1,12 +0,0 @@
{
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

випадково видалений файл, треба повернути

package.json Outdated
@@ -7,6 +7,7 @@
"author": "Exile <admin@torrentpier.me>",
"license": "MIT",
"dependencies": {
"jquery": "^3.2.1"
"jquery": "^3.2.1",
"semantic-ui": "^2.2.10"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

це зайве тут, для semantic треба створити окрему гілку

@@ -1074,7 +1074,7 @@ CREATE TABLE `bb_users` (
`user_id` mediumint(8) NOT NULL,
`user_active` tinyint(1) NOT NULL DEFAULT 1,
`username` varchar(25) NOT NULL DEFAULT '',
`user_password` varchar(32) CHARACTER SET utf8 COLLATE utf8_bin NOT NULL DEFAULT '',
`user_password` varchar(128) CHARACTER SET utf8 COLLATE utf8_bin NOT NULL DEFAULT '',
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Навіщо 128? З PASSWORD_BCRYPT завжди вертає 60 символів http://php.net/manual/function.password-hash.php

if ($userdata = DB()->fetch_row($sql)) {
if (!$userdata['username'] || !$userdata['user_password'] || $userdata['user_id'] == GUEST_UID || md5(md5($password)) !== $userdata['user_password'] || !$userdata['user_active']) {
$userdata = DB()->fetch_row($sql);
if (password_verify(md5($password), $userdata['user_password'])) {
Copy link
Contributor

@yukoff yukoff Aug 23, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

краще

if ($userdata && password_verify(md5($password), $userdata['user_password'])) {

yukoff added a commit to yukoff/toloka that referenced this pull request Aug 23, 2017
yukoff added a commit to yukoff/toloka that referenced this pull request Aug 23, 2017
yukoff added a commit to yukoff/toloka that referenced this pull request Aug 23, 2017
@yukoff
Copy link
Contributor

yukoff commented Aug 23, 2017

Я перебазував на поточний master та дещо поправив (ну і зробив squash, щоб зменшити кількість комітів). @chief-j, постав тут теж прапорець "Allow edits from maintainers".

@chief-j
Copy link
Contributor Author

chief-j commented Aug 23, 2017

Gоставив

@yukoff
Copy link
Contributor

yukoff commented Aug 23, 2017

@chief-j Дякую

@yukoff yukoff changed the title Хешування хешованих паролів в алгоритмі password_hash Хешування паролів з password_hash Aug 23, 2017
@yukoff yukoff changed the title Хешування паролів з password_hash Хешування паролів з використанням password_hash() та перевірка з password_verify() Aug 23, 2017
yukoff
yukoff previously approved these changes Aug 23, 2017
Copy link
Contributor

@yukoff yukoff left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Треба буде змержити разом з #74

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants