-
Notifications
You must be signed in to change notification settings - Fork 20
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Хешування паролів з використанням password_hash() та перевірка з password_verify() #54
base: master
Are you sure you want to change the base?
Conversation
library/includes/ucp/register.php
Outdated
@@ -232,16 +232,16 @@ | |||
} elseif ($new_pass != $cfm_pass) { | |||
$errors[] = $lang['CHOOSE_PASS_ERR']; | |||
} | |||
$db_data['user_password'] = md5(md5($new_pass)); | |||
$db_data['user_password'] = password_hash(md5($new_pass), PASSWORD_DEFAULT); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
на Толоці ми зараз додатково використовуємо
$options = [
'cost' => 12,
];
щоб не послабити нові паролі, думаю, варто додати. Єдине, не зовсім зрозуміло, як воно буде себе поводити, коли bcrypt переведуть на щось інше. Щоб уникнути двозначності і сюрпризів, я би тоді також замінив PASSWORD_DEFAULT
на PASSWORD_BCRYPT
library/includes/ucp/register.php
Outdated
} | ||
|
||
if ($mode == 'register') { | ||
if (empty($new_pass)) { | ||
$errors[] = $lang['CHOOSE_PASS']; | ||
$errors[] = $lang['CHOOSE_PASS']; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
треба забрати
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Це я прибрати не можу. Не буде повідомлення про не введений пароль при реєстрації
src/Legacy/Common/User.php
Outdated
if (!$userdata['username'] || !$userdata['user_password'] || $userdata['user_id'] == GUEST_UID || md5(md5($password)) !== $userdata['user_password'] || !$userdata['user_active']) { | ||
$userdata = DB()->fetch_row($sql); | ||
if (password_verify(md5($password), $userdata['user_password'])) { | ||
if (!$userdata['username'] || !$userdata['user_password'] || $userdata['user_id'] == GUEST_UID /*|| md5(md5($password)) !== $userdata['user_password']*/ || !$userdata['user_active']) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
закоментований код треба забрати
library/includes/ucp/activate.php
Outdated
@@ -42,7 +42,7 @@ | |||
if ($row['user_active'] && trim($row['user_actkey']) == '') { | |||
bb_die($lang['ALREADY_ACTIVATED']); | |||
} elseif ((trim($row['user_actkey']) == trim($_GET['act_key'])) && (trim($row['user_actkey']) != '')) { | |||
$sql_update_pass = ($row['user_newpasswd'] != '') ? ", user_password = '" . md5(md5($row['user_newpasswd'])) . "', user_newpasswd = ''" : ''; | |||
$sql_update_pass = ($row['user_newpasswd'] != '') ? ", user_password = '" . password_hash(md5($row['user_newpasswd']), PASSWORD_DEFAULT) . "', user_newpasswd = ''" : ''; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
тут теж тоді має бути bcrypt і cost 12
library/includes/ucp/register.php
Outdated
} | ||
|
||
if ($mode == 'register') { | ||
if (empty($new_pass)) { | ||
$errors[] = $lang['CHOOSE_PASS']; | ||
$errors[] = $lang['CHOOSE_PASS']; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
замініть на пробіли
src/Legacy/Common/User.php
Outdated
AND user_active = 1 | ||
AND user_id != " . GUEST_UID . " | ||
LIMIT 1 | ||
"; | ||
|
||
if ($userdata = DB()->fetch_row($sql)) { | ||
if (!$userdata['username'] || !$userdata['user_password'] || $userdata['user_id'] == GUEST_UID || md5(md5($password)) !== $userdata['user_password'] || !$userdata['user_active']) { | ||
$userdata = DB()->fetch_row($sql); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
замініть на пробіли
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Зверху таби стоять
library/includes/ucp/register.php
Outdated
@@ -232,16 +232,17 @@ | |||
} elseif ($new_pass != $cfm_pass) { | |||
$errors[] = $lang['CHOOSE_PASS_ERR']; | |||
} | |||
$db_data['user_password'] = md5(md5($new_pass)); | |||
$options = ['cost' => 12,]; | |||
$db_data['user_password'] = password_hash(md5($new_pass), PASSWORD_BCRYPT, $options); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
на цих рядках таби, а решта файлу з пробілами. Замініть на пробіли
install/sql/mysql.sql
Outdated
@@ -1116,7 +1116,7 @@ CREATE TABLE `bb_users` ( | |||
INSERT INTO `bb_users` (`user_id`, `user_active`, `username`, `user_password`, `user_session_time`, `user_lastvisit`, `user_last_ip`, `user_regdate`, `user_reg_ip`, `user_level`, `user_posts`, `user_timezone`, `user_lang`, `user_new_privmsg`, `user_unread_privmsg`, `user_last_privmsg`, `user_opt`, `user_rank`, `avatar_ext_id`, `user_gender`, `user_birthday`, `user_email`, `user_skype`, `user_twitter`, `user_icq`, `user_website`, `user_from`, `user_sig`, `user_occ`, `user_interests`, `user_actkey`, `user_newpasswd`, `autologin_id`, `user_newest_pm_id`, `user_points`, `tpl_name`) VALUES | |||
(-746, 0, 'bot', 'd41d8cd98f00b204e9800998ecf8427e', 0, 0, '0', 0, '0', 0, 0, 0.00, '', 0, 0, 0, 144, 0, 0, 0, '0000-00-00', 'bot@torrentpier.me', '', '', '', '', '', '', '', '', '', '', '', 0, 0.00, 'default'), | |||
(-1, 0, 'Guest', 'd41d8cd98f00b204e9800998ecf8427e', 0, 0, '0', 0, '0', 0, 0, 0.00, '', 0, 0, 0, 0, 0, 0, 0, '0000-00-00', '', '', '', '', '', '', '', '', '', '', '', '', 0, 0.00, 'default'), | |||
(2, 1, 'admin', 'c3284d0f94606de1fd2af172aba15bf3', 0, 0, 'c0a86301', 0, '0', 1, 1, 2.00, '', 0, 0, 0, 304, 1, 0, 0, '0000-00-00', 'admin@torrentpier.me', '', '', '', '', '', '', '', '', '', '', 'XCbkm1SmP1GB', 0, 0.00, 'default'); | |||
(2, 1, 'admin', '$2y$10$fjuYdcS0DmOdPsY/LXliq.zQsp3bUR2D.Jw8w5w3HUswBvGgkLSRi', 0, 0, 'c0a86301', 0, '0', 1, 1, 2.00, '', 0, 0, 0, 304, 1, 0, 0, '0000-00-00', 'admin@torrentpier.me', '', '', '', '', '', '', '', '', '', '', 'XCbkm1SmP1GB', 0, 0.00, 'default'); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
для цілісності, пароль бажано перехешувати з cost 12
Перевірити на працездатність зараз не можу. Теоретично, все буде працювати |
library/config.php
Outdated
@@ -33,6 +33,9 @@ | |||
|
|||
$bb_cfg = []; | |||
|
|||
//Алгоритм хешування | |||
$bb_cfg['passhash_cost'] = ['cost' => 12,]; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
👍
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Плюс, коли це вже масив, то краще перейменувати в
$bb_cfg['passhash_opts'] = ['cost' => 12,];
package.json
Outdated
@@ -1,12 +0,0 @@ | |||
{ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
випадково видалений файл, треба повернути
package.json
Outdated
@@ -7,6 +7,7 @@ | |||
"author": "Exile <admin@torrentpier.me>", | |||
"license": "MIT", | |||
"dependencies": { | |||
"jquery": "^3.2.1" | |||
"jquery": "^3.2.1", | |||
"semantic-ui": "^2.2.10" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
це зайве тут, для semantic треба створити окрему гілку
install/sql/mysql.sql
Outdated
@@ -1074,7 +1074,7 @@ CREATE TABLE `bb_users` ( | |||
`user_id` mediumint(8) NOT NULL, | |||
`user_active` tinyint(1) NOT NULL DEFAULT 1, | |||
`username` varchar(25) NOT NULL DEFAULT '', | |||
`user_password` varchar(32) CHARACTER SET utf8 COLLATE utf8_bin NOT NULL DEFAULT '', | |||
`user_password` varchar(128) CHARACTER SET utf8 COLLATE utf8_bin NOT NULL DEFAULT '', |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Навіщо 128? З PASSWORD_BCRYPT
завжди вертає 60 символів http://php.net/manual/function.password-hash.php
src/Legacy/Common/User.php
Outdated
if ($userdata = DB()->fetch_row($sql)) { | ||
if (!$userdata['username'] || !$userdata['user_password'] || $userdata['user_id'] == GUEST_UID || md5(md5($password)) !== $userdata['user_password'] || !$userdata['user_active']) { | ||
$userdata = DB()->fetch_row($sql); | ||
if (password_verify(md5($password), $userdata['user_password'])) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
краще
if ($userdata && password_verify(md5($password), $userdata['user_password'])) {
Я перебазував на поточний |
Gоставив |
@chief-j Дякую |
password_hash
password_hash
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Треба буде змержити разом з #74
Fixes #50