generate a random salt during installation and store it in the config.php. use it...
authorFrank Karlitschek <frank@owncloud.org>
Fri, 8 Jun 2012 10:31:37 +0000 (12:31 +0200)
committerFrank Karlitschek <frank@owncloud.org>
Fri, 8 Jun 2012 10:31:37 +0000 (12:31 +0200)
config/config.sample.php
lib/setup.php
lib/user/database.php

index 6ea23ee4bcfc4c5b0463daef6d24a96a2b4c8beb..0c0ace521ec65c64da1c0af546092b67a5843f1e 100644 (file)
@@ -24,6 +24,9 @@ $CONFIG = array(
 /* Prefix for the OwnCloud tables in the database */
 "dbtableprefix" => "",
 
+/* Define the salt used to hash the user passwords. All your user passwords are lost if you lose this string. */
+"passwordsalt" => "",
+
 /* Force use of HTTPS connection (true = use HTTPS) */
 "forcessl" => false,
 
index a096fdbb4cf81554f68f1261b192479d6c661738..5f1fb1525ec8073202ad435f0830ce6132ee353e 100644 (file)
@@ -73,6 +73,10 @@ class OC_Setup {
                                $dbtype='sqlite3';
                        }
 
+                       //generate a random salt that is used to salt the local user passwords
+                       $salt=mt_rand(1000,9000).mt_rand(1000,9000).mt_rand(1000,9000).mt_rand(1000,9000).mt_rand(1000,9000).mt_rand(1000,9000).mt_rand(1000,9000).mt_rand(1000,9000);
+                       OC_Config::setValue('passwordsalt', $salt);
+
                        //write the config file
                        OC_Config::setValue('datadirectory', $datadir);
                        OC_Config::setValue('dbtype', $dbtype);
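Review bot: mt_rand() is not a cryptographically secure generator, so the value built on the new `$salt=` line is predictable to anyone who can observe other mt_rand() output from the same process or narrow down the seed; each `mt_rand(1000,9000)` call also contributes only about 13 bits and the result is decimal digits only. Since this is a site-wide secret that protects every stored hash, it should come from a CSPRNG, e.g. `$salt = bin2hex(openssl_random_pseudo_bytes(30));` (PHP 7+ would use `random_bytes()`), and the code should fail loudly rather than fall back to mt_rand() if no secure source is available. The write is also unconditional, so re-running setup on an existing installation would overwrite the salt and invalidate every existing password hash; guarding it with `if (OC_Config::getValue('passwordsalt', '') === '')` avoids that. The enclosing method of OC_Setup starts and ends outside this hunk.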
index 769ba6a7920c96493c5f81c7a9121f574eb948a3..bb077c8364f0045b0cc4d83dde83caeb3f1c6b21 100644 (file)
@@ -69,7 +69,7 @@ class OC_User_Database extends OC_User_Backend {
                        return false;
                }else{
                        $hasher=$this->getHasher();
-                       $hash = $hasher->HashPassword($password);
+                       $hash = $hasher->HashPassword($password.OC_Config::getValue('passwordsalt', ''));
                        $query = OC_DB::prepare( "INSERT INTO `*PREFIX*users` ( `uid`, `password` ) VALUES( ?, ? )" );
                        $result = $query->execute( array( $uid, $hash));
 
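Review bot: Appending the pepper with plain concatenation on the new `HashPassword(...)` line puts it at the end of the input, and if getHasher() (outside this hunk) yields a bcrypt-mode phpass hasher, bcrypt only consumes the first 72 bytes, so for a long password the pepper is silently dropped while the hash still looks peppered. Feeding the hasher a fixed-length keyed digest instead, `$hasher->HashPassword(hash_hmac('sha256', $password, OC_Config::getValue('passwordsalt', '')))`, keeps the secret in scope for every password length and also stops a user-chosen password from colliding with another password-plus-pepper string; the same form would have to be used in setPassword() and checkPassword(). The `''` default also means that on an upgraded install without a `passwordsalt` entry new accounts are created with no pepper at all and nothing reports it, which deserves at least a log line. The enclosing createUser() method continues outside this hunk.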
@@ -102,7 +102,7 @@ class OC_User_Database extends OC_User_Backend {
        public function setPassword( $uid, $password ){
                if( $this->userExists($uid) ){
                        $hasher=$this->getHasher();
-                       $hash = $hasher->HashPassword($password);
+                       $hash = $hasher->HashPassword($password.OC_Config::getValue('passwordsalt', ''));
                        $query = OC_DB::prepare( "UPDATE *PREFIX*users SET password = ? WHERE uid = ?" );
                        $result = $query->execute( array( $hash, $uid ));
 
@@ -131,7 +131,7 @@ class OC_User_Database extends OC_User_Backend {
                        $storedHash=$row['password'];
                        if (substr($storedHash,0,1)=='$'){//the new phpass based hashing
                                $hasher=$this->getHasher();
-                               if($hasher->CheckPassword($password, $storedHash)){
+                               if($hasher->CheckPassword($password.OC_Config::getValue('passwordsalt', ''), $storedHash)){
                                        return $row['uid'];
                                }else{
                                        return false;
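Review bot: Hashes created by the phpass path before this commit carry the same `$` prefix, so after the change on the `CheckPassword(...)` line they only keep verifying while `passwordsalt` is absent or empty; the moment an admin sets a value (for example by filling in the sample config) every pre-existing user is locked out, and there is no migration path. A defensive fallback would, when the peppered check fails, try `$hasher->CheckPassword($password, $storedHash)` and on success call `$this->setPassword($uid, $password)` to re-hash with the pepper, so old installs converge instead of breaking; at minimum the branch deserves a comment such as `// hashes written before passwordsalt existed verify only while the config value is empty`. The enclosing checkPassword() method starts and ends outside this hunk, so the legacy non-`$` branch could not be reviewed here.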