Changeset:
a514d91d9117
https://sourceforge.net/p/mrbs/hg-code/ci/a514d91d9117cde4ab12d2c4f918ddb1aa6ef6d2
Author:
John Beranek <[email protected]>
Date:
Thu Sep 17 21:37:10 2015 +0100
Log message:
Improved implementation of new password hashing added in
[hg-code:a0b360]. We will now rehash md5 and,
if required, password_hash format hashes on login.
diffstat:
tables.my.sql | 3 +--
tables.pg.sql | 3 +--
web/auth/auth_db.inc | 46 ++++++++++++++++++++++++++++++++--------------
web/edit_users.php | 31 +++++++++----------------------
web/lang/lang.en | 1 -
web/upgrade/45/mysql.sql | 6 ++----
web/upgrade/45/pgsql.sql | 8 ++++----
7 files changed, 49 insertions(+), 49 deletions(-)
diffs (217 lines):
diff -r a0b36004fb72 -r a514d91d9117 tables.my.sql
--- a/tables.my.sql Wed Sep 16 22:04:55 2015 +0100
+++ b/tables.my.sql Thu Sep 17 21:37:10 2015 +0100
@@ -181,8 +181,7 @@
id int NOT NULL auto_increment,
level smallint DEFAULT '0' NOT NULL, /* play safe and give no rights */
name varchar(30) CHARACTER SET utf8 COLLATE utf8_general_ci,
- password varchar(255) CHARACTER SET utf8 COLLATE utf8_general_ci,
- hash_format varchar(16) CHARACTER SET utf8 COLLATE utf8_general_ci,
+ password_hash varchar(255) CHARACTER SET utf8 COLLATE utf8_general_ci,
email varchar(75) CHARACTER SET utf8 COLLATE utf8_general_ci,
PRIMARY KEY (id),
diff -r a0b36004fb72 -r a514d91d9117 tables.pg.sql
--- a/tables.pg.sql Wed Sep 16 22:04:55 2015 +0100
+++ b/tables.pg.sql Thu Sep 17 21:37:10 2015 +0100
@@ -173,8 +173,7 @@
id serial primary key,
level smallint DEFAULT '0' NOT NULL, /* play safe and give no rights */
name varchar(30),
- password varchar(255),
- hash_format varchar(16),
+ password_hash varchar(255),
email varchar(75),
CONSTRAINT mrbs_uq_name UNIQUE (name)
diff -r a0b36004fb72 -r a514d91d9117 web/auth/auth_db.inc
--- a/web/auth/auth_db.inc Wed Sep 16 22:04:55 2015 +0100
+++ b/web/auth/auth_db.inc Thu Sep 17 21:37:10 2015 +0100
@@ -41,7 +41,7 @@
// permits trailing spacings, eg 'john' = 'john '. We could use LIKE, but
that then
// permits wildcards, so we could use a comnination of LIKE and '=' but
that's a bit
// messy. WE could use STRCMP, but that's MySQL only.
- $sql = "SELECT password, hash_format
+ $sql = "SELECT password_hash
FROM $tbl_users
WHERE " .
sql_syntax_casesensitive_equals('name', utf8_strtolower($user)) .
@@ -57,24 +57,42 @@
$row = sql_row_keyed($res, 0);
- switch ($row['hash_format'])
+ $do_rehash = false;
+
+ /* If the hash starts '$' it's a PHP password hash */
+ if (substr($row['password_hash'], 0, 1) == '$')
{
- case 'md5':
- if (md5($pass) == $row['password'])
+ if (password_verify($pass, $row['password_hash']))
+ {
+ $result = 1;
+ if (password_needs_rehash($row['password_hash'], PASSWORD_DEFAULT))
{
- $result = 1;
+ $do_rehash = true;
}
- break;
+ }
+ }
+ /* Otherwise it's a legacy MD5 hash */
+ else
+ {
+ if (md5($pass) == $row['password_hash'])
+ {
+ $result = 1;
- case 'php_hash':
- if (password_verify($pass, $row['password']))
- {
- $result = 1;
- }
- break;
+ if (PasswordCompat\binary\check())
+ {
+ $do_rehash = true;
+ }
+ }
+ }
- default:
- trigger_error("Invalid hash format in DB!", E_USER_WARNING);
+ if ($do_rehash)
+ {
+ $sql = "UPDATE $tbl_users
+ SET password_hash='".
+ sql_escape(password_hash($pass, PASSWORD_DEFAULT)) ."'
+ WHERE " .
+ sql_syntax_casesensitive_equals('name', utf8_strtolower($user));
+ sql_command($sql);
}
return $result;
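Review bot: The legacy branch `if (md5($pass) == $row['password_hash'])` uses PHP's loose `==`, which compares two numeric-looking strings as numbers rather than byte for byte, so it should be a strict comparison, e.g. `if (hash_equals($row['password_hash'], md5($pass)))`, or `===` if the supported PHP floor is below 5.6. `hash_equals()` also avoids the early exit on the first differing byte that `==`/`===` have. The `password_verify` branch calls `password_needs_rehash()` without the `PasswordCompat\binary\check()` guard the MD5 branch uses; presumably a `$`-prefixed hash implies the library worked when the hash was written, but a one-line comment stating that assumption would help the next reader. The enclosing function, and the initialisation of `$result`, start before this hunk.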
diff -r a0b36004fb72 -r a514d91d9117 web/edit_users.php
--- a/web/edit_users.php Wed Sep 16 22:04:55 2015 +0100
+++ b/web/edit_users.php Thu Sep 17 21:37:10 2015 +0100
@@ -345,11 +345,9 @@
case 'id':
echo "<input type=\"hidden\" name=\"Id\" value=\"$Id\">\n";
break;
- case 'password':
+ case 'password_hash':
echo "<input type=\"hidden\" name=\"" . $params['name'] ."\"
value=\"". htmlspecialchars($params['value']) . "\">\n";
break;
- case 'hash_format':
- break;
default:
echo "<div>\n";
switch($key)
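Review bot: The `case 'password_hash':` branch still writes the stored hash into a hidden input (`htmlspecialchars($params['value'])`), so the hash is disclosed to, and round-tripped through, the editing browser on every user edit. Later in this file the save path only recomputes the hash when a new password is typed, so it looks as though the hidden value is what gets written back otherwise; if that reading is right, it would be safer to omit the field from the form and leave the column untouched server-side when no password is supplied — confirm against the `get_form_var` loop. The enclosing switch starts before this hunk.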
@@ -546,18 +544,13 @@
continue;
}
- // The value of 'hash_format' is determined below, in the special
- // case code for 'password', so we don't set it here
- if ($fieldname != 'hash_format')
+ // first, get all the other form variables and put them into an array,
$values, which
+ // we will use for entering into the database assuming we pass validation
+ $values[$fieldname] = get_form_var(VAR_PREFIX. $fieldname, $type);
+ // Truncate the field to the maximum length as a precaution.
+ if (isset($maxlength["users.$fieldname"]))
{
- // first, get all the other form variables and put them into an array,
$values, which
- // we will use for entering into the database assuming we pass
validation
- $values[$fieldname] = get_form_var(VAR_PREFIX. $fieldname, $type);
- // Truncate the field to the maximum length as a precaution.
- if (isset($maxlength["users.$fieldname"]))
- {
- $values[$fieldname] = utf8_substr($values[$fieldname], 0,
$maxlength["users.$fieldname"]);
- }
+ $values[$fieldname] = utf8_substr($values[$fieldname], 0,
$maxlength["users.$fieldname"]);
}
// we will also put the data into a query string which we will use for
passing
// back to this page if we fail validation. This will enable us to
reload the
@@ -573,7 +566,7 @@
$q_string .= "&$fieldname=" . urlencode($values[$fieldname]);
$values[$fieldname] = utf8_strtolower($values[$fieldname]);
break;
- case 'password':
+ case 'password_hash':
// password: if the password field is blank it means
// that the user doesn't want to change the password
// so don't do anything; otherwise calculate the hash.
@@ -584,20 +577,14 @@
if (PasswordCompat\binary\check())
{
$hash = password_hash($password0, PASSWORD_DEFAULT);
- $hash_format = 'php_hash';
}
else
{
$hash = md5($password0);
- $hash_format = 'md5';
}
$values[$fieldname] = $hash;
- $values['hash_format'] = $hash_format;
}
break;
- case 'hash_format':
- // We override hash_format, above
- break;
case 'level':
// level: set a safe default (lowest level of access)
// if there is no value set
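Review bot: The `else` fallback stores an unsalted `md5($password0)` whenever `PasswordCompat\binary\check()` fails, and nothing in the hunk records that this happened, so an installation on such a PHP build keeps creating legacy hashes that the login path will only upgrade once the check starts passing. A comment stating the intent would help, e.g. `// Fallback for PHP builds without usable crypt() support: store a legacy MD5 hash; auth_db.inc rehashes it on the next login once password_hash() is usable.` Consider also emitting a notice so administrators can see the server is in fallback mode. The enclosing switch continues outside the hunk.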
@@ -862,7 +849,7 @@
$res = sql_query("SELECT * FROM $tbl_users ORDER BY level DESC, name");
// Display the data in a table
- $ignore_columns = array('id', 'password', 'name'); // We don't display these
columns or they get special treatment
+ $ignore_columns = array('id', 'password_hash', 'name'); // We don't display
these columns or they get special treatment
if (!$ajax)
{
diff -r a0b36004fb72 -r a514d91d9117 web/lang/lang.en
--- a/web/lang/lang.en Wed Sep 16 22:04:55 2015 +0100
+++ b/web/lang/lang.en Thu Sep 17 21:37:10 2015 +0100
@@ -215,7 +215,6 @@
$vocab["please_login"] = "Please log in";
$vocab["users.name"] = "Name";
$vocab["users.password"] = "Password";
-$vocab["users.hash_format"] = "Hash format";
$vocab["users.level"] = "Rights";
$vocab["unknown_user"] = "Unknown user";
$vocab["you_are"] = "You are";
diff -r a0b36004fb72 -r a514d91d9117 web/upgrade/45/mysql.sql
--- a/web/upgrade/45/mysql.sql Wed Sep 16 22:04:55 2015 +0100
+++ b/web/upgrade/45/mysql.sql Thu Sep 17 21:37:10 2015 +0100
@@ -1,9 +1,6 @@
-- $Id$
--- Add hash format column to users table
+-- Rename and expand the password column in the users table
ALTER TABLE %DB_TBL_PREFIX%users
- MODIFY COLUMN `password` varchar(255) CHARACTER SET utf8 COLLATE
utf8_general_ci,
- ADD COLUMN `hash_format` varchar(16) CHARACTER SET utf8 COLLATE
utf8_general_ci AFTER `password`;
-
-UPDATE %DB_TBL_PREFIX%users SET hash_format='md5' WHERE hash_format IS NULL;
+ CHANGE COLUMN `password` `password_hash` varchar(255) CHARACTER SET utf8
COLLATE utf8_general_ci;
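Review bot: The rewritten upgrade only renames `password` to `password_hash`, so any database that already ran the earlier revision of upgrade 45 (which added `hash_format`) keeps that orphaned column and its `'md5'` values; if such installations can exist, the script should also drop `hash_format`, and the same applies to web/upgrade/45/pgsql.sql. The rename deliberately leaves existing 32-character MD5 values in `password_hash`, which relies on the login code treating any value not starting with `$` as MD5, so that contract is worth documenting here: `-- Existing MD5 hashes are kept as-is and rehashed on the user's next login`.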
diff -r a0b36004fb72 -r a514d91d9117 web/upgrade/45/pgsql.sql
--- a/web/upgrade/45/pgsql.sql Wed Sep 16 22:04:55 2015 +0100
+++ b/web/upgrade/45/pgsql.sql Thu Sep 17 21:37:10 2015 +0100
@@ -1,9 +1,8 @@
-- $Id$
--- Add hash format column to users table
+-- Rename and expand the password column in the users table
ALTER TABLE %DB_TBL_PREFIX%users
- ALTER COLUMN password TYPE varchar(255),
- ADD COLUMN hash_format varchar(16);
-
-UPDATE %DB_TBL_PREFIX%users SET hash_format='md5' WHERE hash_format IS NULL;
+ RENAME COLUMN password TO password_hash;
+ALTER TABLE %DB_TBL_PREFIX%users
+ ALTER COLUMN password_hash TYPE varchar(255);