diff options
| author | Frank Karlitschek <frank@owncloud.org> | 2012-06-08 12:42:35 +0200 |
|---|---|---|
| committer | Frank Karlitschek <frank@owncloud.org> | 2012-06-08 12:42:35 +0200 |
| commit | a7a861b2c6fc855abc0741691bebf975e255767c (patch) | |
| tree | 2f3275187d5c123a8ddf045c734bcda4d7a3c791 | |
| parent | 8c7fa15aaf98e31646e4306e7819d1d2b725a7e1 (diff) | |
| download | nextcloud-server-a7a861b2c6fc855abc0741691bebf975e255767c.tar.gz nextcloud-server-a7a861b2c6fc855abc0741691bebf975e255767c.zip | |
backport the password salting fix.
a salt is generated during setup and used to salt the user password hases in the database backend
| -rw-r--r-- | config/config.sample.php | 1 | ||||
| -rw-r--r-- | lib/setup.php | 4 | ||||
| -rw-r--r-- | lib/user/database.php | 6 |
3 files changed, 8 insertions, 3 deletions
diff --git a/config/config.sample.php b/config/config.sample.php index e86dc05cb01..3648bdebda5 100644 --- a/config/config.sample.php +++ b/config/config.sample.php @@ -29,6 +29,7 @@ $CONFIG = array( "log_type" => "", "logfile" => "", "loglevel" => "", +"passwordsalt" => "", // "datadirectory" => "" ); ?> diff --git a/lib/setup.php b/lib/setup.php index 4c8c5670480..e1c1a110b38 100644 --- a/lib/setup.php +++ b/lib/setup.php @@ -73,6 +73,10 @@ class OC_Setup { $dbtype='sqlite3'; } + //generate a random salt that is used to salt the local user passwords + $salt=mt_rand(1000,9000).mt_rand(1000,9000).mt_rand(1000,9000).mt_rand(1000,9000).mt_rand(1000,9000).mt_rand(1000,9000).mt_rand(1000,9000).mt_rand(1000,9000); + OC_Config::setValue('passwordsalt', $salt); + //write the config file OC_Config::setValue('datadirectory', $datadir); OC_Config::setValue('dbtype', $dbtype); diff --git a/lib/user/database.php b/lib/user/database.php index 894ccffb791..a9b01957d42 100644 --- a/lib/user/database.php +++ b/lib/user/database.php @@ -69,7 +69,7 @@ class OC_User_Database extends OC_User_Backend { return false; }else{ $hasher=$this->getHasher(); - $hash = $hasher->HashPassword($password); + $hash = $hasher->HashPassword($password.OC_Config::getValue('passwordsalt', '')); $query = OC_DB::prepare( "INSERT INTO `*PREFIX*users` ( `uid`, `password` ) VALUES( ?, ? )" ); $result = $query->execute( array( $uid, $hash)); @@ -102,7 +102,7 @@ class OC_User_Database extends OC_User_Backend { public function setPassword( $uid, $password ){ if( $this->userExists($uid) ){ $hasher=$this->getHasher(); - $hash = $hasher->HashPassword($password); + $hash = $hasher->HashPassword($password.OC_Config::getValue('passwordsalt', '')); $query = OC_DB::prepare( "UPDATE *PREFIX*users SET password = ? WHERE uid = ?" ); $result = $query->execute( array( $hash, $uid )); @@ -131,7 +131,7 @@ class OC_User_Database extends OC_User_Backend { $storedHash=$row['password']; if (substr($storedHash,0,1)=='$'){//the new phpass based hashing $hasher=$this->getHasher(); - if($hasher->CheckPassword($password, $storedHash)){ + if($hasher->CheckPassword($password.OC_Config::getValue('passwordsalt', ''), $storedHash)){ return $row['uid']; }else{ return false; |