From 2573c49557ee7f5230f269b01f08795e6d243690 Mon Sep 17 00:00:00 2001
From: Yury Buldakov
Date: Wed, 23 Aug 2017 03:53:59 +0300
Subject: [PATCH] Follow up review comments on #54

---
 install/sql/mysql.sql | 6 +++---
 library/config.php | 4 ++--
 library/includes/ucp/activate.php | 2 +-
 library/includes/ucp/register.php | 2 +-
 src/Legacy/Common/User.php | 5 ++---
 5 files changed, 9 insertions(+), 10 deletions(-)

diff --git a/install/sql/mysql.sql b/install/sql/mysql.sql
index ff50b480..b3eba300 100644
--- a/install/sql/mysql.sql
+++ b/install/sql/mysql.sql
@@ -1087,7 +1087,7 @@ CREATE TABLE `bb_users` (
 `user_id` mediumint(8) NOT NULL,
 `user_active` tinyint(1) NOT NULL DEFAULT 1,
 `username` varchar(25) NOT NULL DEFAULT '',
- `user_password` varchar(128) CHARACTER SET utf8 COLLATE utf8_bin NOT NULL DEFAULT '',
+ `user_password` varchar(60) CHARACTER SET utf8 COLLATE utf8_bin NOT NULL DEFAULT '',
 `user_session_time` int(11) NOT NULL DEFAULT 0,
 `user_lastvisit` int(11) NOT NULL DEFAULT 0,
 `user_last_ip` char(42) NOT NULL DEFAULT '0',
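Review bot: Shrinking `user_password` to `varchar(60)` on the `+` line fits a bcrypt (`$2y$`) hash exactly but leaves no headroom: PHP's manual recommends 255 characters for `password_hash()` output because the hash length changes with the algorithm, and a longer value that MySQL accepts in non-strict mode is silently truncated to a string `password_verify()` will never match. If the column is kept at 60, pin the reason next to it, e.g. `-- 60 = fixed length of a bcrypt ($2y$) hash; widen before switching algorithms in passhash_opts`. Otherwise keeping the wider `varchar(128)`/`varchar(255)` with `utf8_bin` means a future algorithm change needs no schema migration.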
@@ -1127,8 +1127,8 @@ CREATE TABLE `bb_users` ( -- INSERT INTO `bb_users` (`user_id`, `user_active`, `username`, `user_password`, `user_session_time`, `user_lastvisit`, `user_last_ip`, `user_regdate`, `user_reg_ip`, `user_level`, `user_posts`, `user_timezone`, `user_lang`, `user_new_privmsg`, `user_unread_privmsg`, `user_last_privmsg`, `user_opt`, `user_rank`, `avatar_ext_id`, `user_gender`, `user_birthday`, `user_email`, `user_skype`, `user_twitter`, `user_icq`, `user_website`, `user_from`, `user_sig`, `user_occ`, `user_interests`, `user_actkey`, `user_newpasswd`, `autologin_id`, `user_newest_pm_id`, `user_points`, `tpl_name`) VALUES -(-746, 0, 'bot', 'd41d8cd98f00b204e9800998ecf8427e', 0, 0, '0', 0, '0', 0, 0, 0.00, '', 0, 0, 0, 144, 0, 0, 0, '0000-00-00', 'bot@torrentpier.com', '', '', '', '', '', '', '', '', '', '', '', 0, 0.00, 'default'), -(-1, 0, 'Guest', 'd41d8cd98f00b204e9800998ecf8427e', 0, 0, '0', 0, '0', 0, 0, 0.00, '', 0, 0, 0, 0, 0, 0, 0, '0000-00-00', '', '', '', '', '', '', '', '', '', '', '', '', 0, 0.00, 'default'), +(-746, 0, 'bot', '$2y$12$b0r5t5lGTbWGW8iMeWwo.Oj7sI7Uaram3LtUFhidl4FlqVww9qtiy', 0, 0, '0', 0, '0', 0, 0, 0.00, '', 0, 0, 0, 144, 0, 0, 0, '0000-00-00', 'bot@torrentpier.com', '', '', '', '', '', '', '', '', '', '', '', 0, 0.00, 'default'), +(-1, 0, 'Guest', '$2y$12$b0r5t5lGTbWGW8iMeWwo.Oj7sI7Uaram3LtUFhidl4FlqVww9qtiy', 0, 0, '0', 0, '0', 0, 0, 0.00, '', 0, 0, 0, 0, 0, 0, 0, '0000-00-00', '', '', '', '', '', '', '', '', '', '', '', '', 0, 0.00, 'default'), (2, 1, 'admin', '$2y$12$9kPH9v2ayVP63JFp71FonuNtqc9qQlObeqG0Rhp8rtFl4/M5CcoYW', 0, 0, 'c0a86301', 0, '0', 1, 1, 2.00, '', 0, 0, 0, 304, 1, 0, 0, '0000-00-00', 'admin@torrentpier.com', '', '', '', '', '', '', '', '', '', '', 'XCbkm1SmP1GB', 0, 0.00, 'default'); -- -------------------------------------------------------- diff --git a/library/config.php b/library/config.php index 1243c3d6..64e699a3 100644 --- a/library/config.php +++ b/library/config.php 
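Review bot: The bot (-746) and Guest (-1) rows on the two `+` lines now carry one identical bcrypt string, which means it was generated once from a single known input and copied rather than produced per row; if that input is `md5('')`, as the `d41d8cd98f00b204e9800998ecf8427e` value it replaces was, then `password_verify()` succeeds for an empty password on both system accounts and only the `user_active = 0` and `GUEST_UID` checks in `User::login()` stand between that and a session. System accounts that must never authenticate are safer seeded with a value bcrypt can never verify, e.g. `'*'` (`password_verify()` returns false for anything that is not a valid hash), which also removes the dependency on those runtime checks. A comment on the INSERT such as `-- system accounts: unverifiable placeholder, intentionally not a real hash` would stop a later cleanup from "fixing" it back into a real hash.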
@@ -34,8 +34,8 @@ $bb_cfg = []; -//Алгоритм хешування -$bb_cfg['passhash_cost'] = ['cost' => 12,]; +// Options for password_hash() (PASSWORD_BCRYPT algo) +$bb_cfg['passhash_opts'] = ['cost' => 12]; // Increase number after changing js or css $bb_cfg['js_ver'] = $bb_cfg['css_ver'] = 1; diff --git a/library/includes/ucp/activate.php b/library/includes/ucp/activate.php index e938374a..20afd1e5 100644 --- a/library/includes/ucp/activate.php +++ b/library/includes/ucp/activate.php @@ -42,7 +42,7 @@ if ($row['user_active'] && trim($row['user_actkey']) == '') { bb_die($lang['ALREADY_ACTIVATED']); } elseif ((trim($row['user_actkey']) == trim($_GET['act_key'])) && (trim($row['user_actkey']) != '')) { - $sql_update_pass = ($row['user_newpasswd'] != '') ? ", user_password = '" . password_hash(md5($row['user_newpasswd']), PASSWORD_BCRYPT, $bb_cfg['passhash_cost']) . "', user_newpasswd = ''" : ''; + $sql_update_pass = ($row['user_newpasswd'] != '') ? ", user_password = '" . password_hash(md5($row['user_newpasswd']), PASSWORD_BCRYPT, $bb_cfg['passhash_opts']) . "', user_newpasswd = ''" : ''; $sql = "UPDATE " . BB_USERS . " SET user_active = 1, user_actkey = ''" . $sql_update_pass . " diff --git a/library/includes/ucp/register.php b/library/includes/ucp/register.php index f8c856ce..0a438bd6 100644 --- a/library/includes/ucp/register.php +++ b/library/includes/ucp/register.php @@ -232,7 +232,7 @@ } elseif ($new_pass != $cfm_pass) { $errors[] = $lang['CHOOSE_PASS_ERR']; } - $db_data['user_password'] = password_hash(md5($new_pass), PASSWORD_BCRYPT, $bb_cfg['passhash_cost']); + $db_data['user_password'] = password_hash(md5($new_pass), PASSWORD_BCRYPT, $bb_cfg['passhash_opts']); } if ($mode == 'register') { diff --git a/src/Legacy/Common/User.php b/src/Legacy/Common/User.php index 5a8a8386..37570017 100644 --- a/src/Legacy/Common/User.php +++ b/src/Legacy/Common/User.php 
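Review bot: The `+` line in activate.php still builds `$sql_update_pass` by concatenating the `password_hash()` result directly into the SQL string with `", user_password = '" . password_hash(...) . "'"` instead of passing it through the DB layer's escaping, and it hashes `md5($row['user_newpasswd'])` at activation time, which implies `user_newpasswd` holds the pending password in an unhashed form until the user clicks the link (the column's contents are not visible here, so please confirm). bcrypt output uses a fixed alphabet with no quote characters, so the concatenation works today, but a comment such as `// bcrypt output is [./A-Za-z0-9$] only, safe to inline; escape if the algorithm changes` would make that assumption explicit. If `user_newpasswd` is plaintext, storing the finished `password_hash()` there when the change is requested and merely copying it on activation would close the unhashed window. The enclosing `elseif` block closes outside the hunk.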
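Review bot: The `+` line in register.php runs a cost-12 `password_hash()` unconditionally after the validation chain, so a submission that has already failed (`$new_pass != $cfm_pass` on the context lines above, or any earlier `$errors[]`) still pays the full bcrypt cost before the errors are reported, assuming `$errors` aborts the registration further down, which is outside the hunk. Guarding it with `if (!$errors) { $db_data['user_password'] = password_hash(md5($new_pass), PASSWORD_BCRYPT, $bb_cfg['passhash_opts']); }` keeps the expensive work for valid submissions only and limits how much CPU a flood of invalid forms can burn.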
@@ -403,9 +403,8 @@ public function login($args, $mod_admin_login = false) LIMIT 1 "; - $userdata = DB()->fetch_row($sql); - if (password_verify(md5($password), $userdata['user_password'])) { - if (!$userdata['username'] || !$userdata['user_password'] || $userdata['user_id'] == GUEST_UID || !$userdata['user_active']) { + if ($userdata = DB()->fetch_row($sql)) { + if (!$userdata['username'] || !$userdata['user_password'] || $userdata['user_id'] == GUEST_UID || !password_verify(md5($password), $userdata['user_password']) || !$userdata['user_active']) { trigger_error('invalid userdata', E_USER_ERROR); }
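Review bot: Folding `!password_verify(...)` into the `trigger_error('invalid userdata', E_USER_ERROR)` condition on the second `+` line turns a mistyped password for an existing account into a fatal error instead of a failed login, while an unknown username (empty `fetch_row()` result) now silently skips the block; unless the project's error handler renders `E_USER_ERROR` as an ordinary login failure, the two cases end up on visibly different paths and a wrong password is no longer a normal control-flow outcome. Keep the row-sanity checks in the `trigger_error` condition and test the password separately, e.g. `if (!password_verify(md5($password), $userdata['user_password'])) { /* take the same failed-login path as an unknown user */ }`, so a bad password and a missing user are handled alike. If that shared path is used, a dummy `password_verify()` on the no-row branch also keeps the response time of the two cases comparable. The rest of `login()` is outside the hunk, so where the not-found case currently ends up cannot be seen here.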