From ce84bb1a0194d98b4db99e258cc0ada6b98e19b8 Mon Sep 17 00:00:00 2001 From: Jean-Philippe Lang Date: Wed, 23 Feb 2011 17:27:31 +0000 Subject: Adds random salt to user passwords (#7410). git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@4936 e93f8b46-1217-0410-a6f0-8f06a7374b81 --- extra/svn/Redmine.pm | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) (limited to 'extra/svn') diff --git a/extra/svn/Redmine.pm b/extra/svn/Redmine.pm index c96b248c5..c0320f13e 100644 --- a/extra/svn/Redmine.pm +++ b/extra/svn/Redmine.pm @@ -148,7 +148,7 @@ sub RedmineDSN { my ($self, $parms, $arg) = @_; $self->{RedmineDSN} = $arg; my $query = "SELECT - hashed_password, auth_source_id, permissions + hashed_password, salt, auth_source_id, permissions FROM members, projects, users, roles, member_roles WHERE projects.id=members.project_id @@ -316,11 +316,12 @@ sub is_member { $sth->execute($redmine_user, $project_id); my $ret; - while (my ($hashed_password, $auth_source_id, $permissions) = $sth->fetchrow_array) { + while (my ($hashed_password, $salt, $auth_source_id, $permissions) = $sth->fetchrow_array) { unless ($auth_source_id) { - my $method = $r->method; - if ($hashed_password eq $pass_digest && ((defined $read_only_methods{$method} && $permissions =~ /:browse_repository/) || $permissions =~ /:commit_access/) ) { + my $method = $r->method; + my $salted_password = Digest::SHA1::sha1_hex($salt.$pass_digest); + if ($hashed_password eq $salted_password && ((defined $read_only_methods{$method} && $permissions =~ /:browse_repository/) || $permissions =~ /:commit_access/) ) { $ret = 1; last; } -- cgit v1.2.3