authorFrank Karlitschek <frank@owncloud.org>2012-06-08 12:31:37 +0200
committerFrank Karlitschek <frank@owncloud.org>2012-06-08 12:31:37 +0200
commit6119f05ac015b71d94318bf759b4fcaefe4650af (patch)
treed4289faaa92a83da055dfdc24e4ba2737d62263f
parent4d3b7574f3dcab1c79c27e93122dcc7d1ac103b2 (diff)
Generate a random salt during installation and store it in config.php; use it to salt the password hashing.
-rw-r--r--config/config.sample.php3
-rw-r--r--lib/setup.php4
-rw-r--r--lib/user/database.php6
3 files changed, 10 insertions, 3 deletions
diff --git a/config/config.sample.php b/config/config.sample.php
index 6ea23ee4bcf..0c0ace521ec 100644
--- a/config/config.sample.php
+++ b/config/config.sample.php
@@ -24,6 +24,9 @@ $CONFIG = array(
/* Prefix for the OwnCloud tables in the database */
"dbtableprefix" => "",
+/* Define the salt used to hash the user passwords. All your user passwords are lost if you lose this string. */
+"passwordsalt" => "",
+
/* Force use of HTTPS connection (true = use HTTPS) */
"forcessl" => false,
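Review bot: The new comment on `passwordsalt` calls the value a salt, but the way lib/user/database.php uses it (appended to every user's password before the phpass hasher, which already generates a per-user salt) makes it a site-wide secret, and the sample's empty default means an admin who copies this file by hand gets no secret at all with no warning. I would make the comment say what it is and what the operational consequence is: `/* Site-wide secret appended to every local user password before hashing. It is generated by the installer; changing or losing it makes all existing password hashes unverifiable, so back it up with config.php and never publish it. */`. Whether leaving it empty should be an error rather than a silent fallback is decided in database.php, not here.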
diff --git a/lib/setup.php b/lib/setup.php
index a096fdbb4cf..5f1fb1525ec 100644
--- a/lib/setup.php
+++ b/lib/setup.php
@@ -73,6 +73,10 @@ class OC_Setup {
$dbtype='sqlite3';
}
+ //generate a random salt that is used to salt the local user passwords
+ $salt=mt_rand(1000,9000).mt_rand(1000,9000).mt_rand(1000,9000).mt_rand(1000,9000).mt_rand(1000,9000).mt_rand(1000,9000).mt_rand(1000,9000).mt_rand(1000,9000);
+ OC_Config::setValue('passwordsalt', $salt);
+
//write the config file
OC_Config::setValue('datadirectory', $datadir);
OC_Config::setValue('dbtype', $dbtype);
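Review bot: The secret written at `OC_Config::setValue('passwordsalt', $salt)` is built from eight `mt_rand(1000,9000)` calls, and mt_rand is not a cryptographic generator: in the PHP versions this code targets it is auto-seeded with a 32-bit value, so the concatenated string has at most 2^32 possible values regardless of its length, and its output is predictable to anyone who can observe other mt_rand results. The point of the commit is to add a secret an attacker with a copy of the database does not have, so the value should come from a CSPRNG — `openssl_random_pseudo_bytes()` with its `$strong` flag checked, or `/dev/urandom` — and the installer should fail rather than fall back to a weak source (`random_bytes()` can replace both once the codebase requires PHP 7). The `throw` below stands in for whatever error path OC_Setup uses for a failed database connection, which is not visible in this hunk; the enclosing method starts and ends outside it.
```php
// Generate a random, site-wide secret that is appended to every local user
// password before phpass hashing. It must come from a CSPRNG: mt_rand() is
// seeded with at most 32 bits and is not suitable for key material.
$salt = '';
if (function_exists('openssl_random_pseudo_bytes')) {
    $bytes = openssl_random_pseudo_bytes(32, $strong);
    if ($bytes !== false && $strong) {
        $salt = bin2hex($bytes);
    }
}
if ($salt === '' && is_readable('/dev/urandom')) {
    $bytes = file_get_contents('/dev/urandom', false, null, 0, 32);
    if ($bytes !== false && strlen($bytes) === 32) {
        $salt = bin2hex($bytes);
    }
}
if ($salt === '') {
    // No secure random source: refuse rather than install a guessable secret.
    throw new Exception('No cryptographically secure random source available');
}
OC_Config::setValue('passwordsalt', $salt);
// … unchanged: write the config file (datadirectory, dbtype, …) …
```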
diff --git a/lib/user/database.php b/lib/user/database.php
index 769ba6a7920..bb077c8364f 100644
--- a/lib/user/database.php
+++ b/lib/user/database.php
@@ -69,7 +69,7 @@ class OC_User_Database extends OC_User_Backend {
return false;
}else{
$hasher=$this->getHasher();
- $hash = $hasher->HashPassword($password);
+ $hash = $hasher->HashPassword($password.OC_Config::getValue('passwordsalt', ''));
$query = OC_DB::prepare( "INSERT INTO `*PREFIX*users` ( `uid`, `password` ) VALUES( ?, ? )" );
$result = $query->execute( array( $uid, $hash));
@@ -102,7 +102,7 @@ class OC_User_Database extends OC_User_Backend {
public function setPassword( $uid, $password ){
if( $this->userExists($uid) ){
$hasher=$this->getHasher();
- $hash = $hasher->HashPassword($password);
+ $hash = $hasher->HashPassword($password.OC_Config::getValue('passwordsalt', ''));
$query = OC_DB::prepare( "UPDATE *PREFIX*users SET password = ? WHERE uid = ?" );
$result = $query->execute( array( $hash, $uid ));
@@ -131,7 +131,7 @@ class OC_User_Database extends OC_User_Backend {
$storedHash=$row['password'];
if (substr($storedHash,0,1)=='$'){//the new phpass based hashing
$hasher=$this->getHasher();
- if($hasher->CheckPassword($password, $storedHash)){
+ if($hasher->CheckPassword($password.OC_Config::getValue('passwordsalt', ''), $storedHash)){
return $row['uid'];
}else{
return false;
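Review bot: The `CheckPassword` call reads the secret with `OC_Config::getValue('passwordsalt', '')`, so an installation whose config.php predates this commit (the value is only written by the installer in lib/setup.php) silently goes on creating and verifying un-peppered hashes, while a config.php that later loses the key makes every login fail with no diagnostic. The same expression is now repeated in createUser, setPassword and checkPassword; I would factor it into one private accessor in this class that logs a warning when the value is empty, so the three sites cannot drift and the degraded state is visible. Two further points a security reviewer would want noted: the value is a site-wide secret rather than a salt (phpass already stores a per-user salt in the `$`-prefixed hash this branch checks), and if `getHasher()` ends up on bcrypt the 72-byte input limit means the appended secret is truncated away for long passwords — `$hasher->CheckPassword(hash_hmac('sha256', $password, $secret), $storedHash)` (and the matching form at the two hash sites) avoids that, though it must be applied to all three calls at once since it changes the hash input. The enclosing checkPassword method starts outside the hunk.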