author | Frank Karlitschek <frank@owncloud.org> | 2012-06-08 12:31:37 +0200 |
---|---|---|
committer | Frank Karlitschek <frank@owncloud.org> | 2012-06-08 12:31:37 +0200 |
commit | 6119f05ac015b71d94318bf759b4fcaefe4650af (patch) | |
tree | d4289faaa92a83da055dfdc24e4ba2737d62263f /lib/user | |
parent | 4d3b7574f3dcab1c79c27e93122dcc7d1ac103b2 (diff) | |
generate a random salt during installation and store it in the config.php. use it to salt the password hashing.
Diffstat (limited to 'lib/user')
-rw-r--r-- | lib/user/database.php | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/lib/user/database.php b/lib/user/database.php
index 769ba6a7920..bb077c8364f 100644
--- a/lib/user/database.php
+++ b/lib/user/database.php
@@ -69,7 +69,7 @@ class OC_User_Database extends OC_User_Backend {
 return false;
 }else{
 $hasher=$this->getHasher();
- $hash = $hasher->HashPassword($password);
+ $hash = $hasher->HashPassword($password.OC_Config::getValue('passwordsalt', ''));
 $query = OC_DB::prepare( "INSERT INTO `*PREFIX*users` ( `uid`, `password` ) VALUES( ?, ? )" );
 $result = $query->execute( array( $uid, $hash));
@@ -102,7 +102,7 @@ class OC_User_Database extends OC_User_Backend {
 public function setPassword( $uid, $password ){
 if( $this->userExists($uid) ){
 $hasher=$this->getHasher();
- $hash = $hasher->HashPassword($password);
+ $hash = $hasher->HashPassword($password.OC_Config::getValue('passwordsalt', ''));
 $query = OC_DB::prepare( "UPDATE *PREFIX*users SET password = ? WHERE uid = ?" );
 $result = $query->execute( array( $hash, $uid ));
@@ -131,7 +131,7 @@ class OC_User_Database extends OC_User_Backend {
 $storedHash=$row['password'];
 if (substr($storedHash,0,1)=='$'){//the new phpass based hashing
 $hasher=$this->getHasher();
- if($hasher->CheckPassword($password, $storedHash)){
+ if($hasher->CheckPassword($password.OC_Config::getValue('passwordsalt', ''), $storedHash)){
 return $row['uid'];
 }else{
 return false; |
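Review bot: The expression `$password.OC_Config::getValue('passwordsalt', '')` is written out separately in all three hunks (the insert path here, `setPassword`, and the `CheckPassword` call), so any later drift between them leaves stored hashes unverifiable; one private helper such as `private function saltedPassword($password){ return $password.OC_Config::getValue('passwordsalt', ''); }` would keep hashing and checking in step. If `getHasher()` is bcrypt-backed (not visible in this diff), input past 72 bytes is ignored, so the appended value contributes less as the password grows and nothing for very long passwords. A comment on that helper should say that `passwordsalt` is a site-wide secret on top of phpass's own per-hash salt, and that changing or losing it in config.php invalidates every stored hash. The enclosing function of this first hunk starts and ends outside the hunk.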
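Review bot: The changed `CheckPassword` call in the third hunk has no path for hashes written under a different `passwordsalt` value, for example if the key is added to config.php on an installation that already has users. The `''` default keeps such installations working only as long as the key stays absent. If that case must be supported, read the value once into a local `$salt` and, when the salted check fails, fall back to the unsalted check and rehash on success: `if($salt!=='' && $hasher->CheckPassword($password, $storedHash)){ $this->setPassword($row['uid'], $password); return $row['uid']; }`. The function continues outside the hunk, so the branch for hashes that do not start with `$` is not visible here.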