From b77dcb5c12f77d33701555e00ad9ac602ffef046 Mon Sep 17 00:00:00 2001 From: Peter Linss Date: Tue, 19 Nov 2019 16:24:21 -0800 Subject: [PATCH 1/2] Switch admin password hashing to secure algorithms when available --- .../libraries/RainLoop/Config/Application.php | 17 +++++++++++++++-- 1 file changed, 15 insertions(+), 2 deletions(-) diff --git a/rainloop/v/0.0.0/app/libraries/RainLoop/Config/Application.php b/rainloop/v/0.0.0/app/libraries/RainLoop/Config/Application.php index c4316703b..f5c73e281 100644 --- a/rainloop/v/0.0.0/app/libraries/RainLoop/Config/Application.php +++ b/rainloop/v/0.0.0/app/libraries/RainLoop/Config/Application.php @@ -99,6 +99,9 @@ class Application extends \RainLoop\Config\AbstractConfig */ public function SetPassword($sPassword) { + if (function_exists('password_hash')) { + return $this->Set('security', 'admin_password', password_hash($sPassword, PASSWORD_DEFAULT)); + } return $this->Set('security', 'admin_password', \md5(APP_SALT.$sPassword.APP_SALT)); } @@ -112,8 +115,18 @@ class Application extends \RainLoop\Config\AbstractConfig $sPassword = (string) $sPassword; $sConfigPassword = (string) $this->Get('security', 'admin_password', ''); - return 0 < \strlen($sPassword) && - (($sPassword === $sConfigPassword && '12345' === $sConfigPassword) || \md5(APP_SALT.$sPassword.APP_SALT) === $sConfigPassword); + if (0 < strlen($sConfigPassword)) { + if (($sPassword === $sConfigPassword) && ('12345' === $sConfigPassword)) { + return true; + } + if (32 == strlen($sConfigPassword)) { // legacy md5 hash + return (\md5(APP_SALT.$sPassword.APP_SALT) === $sConfigPassword); + } + if (function_exists('password_verify')) { + return password_verify($sPassword, $sConfigPassword); + } + } + return false; } /** From e9892ceec375aa16306a2f86c90268180e7eac0c Mon Sep 17 00:00:00 2001 From: Peter Linss Date: Tue, 19 Nov 2019 16:51:12 -0800 Subject: [PATCH 2/2] adjust braces style to match surrounding code --- .../app/libraries/RainLoop/Config/Application.php | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/rainloop/v/0.0.0/app/libraries/RainLoop/Config/Application.php b/rainloop/v/0.0.0/app/libraries/RainLoop/Config/Application.php index f5c73e281..e3418a9c8 100644 --- a/rainloop/v/0.0.0/app/libraries/RainLoop/Config/Application.php +++ b/rainloop/v/0.0.0/app/libraries/RainLoop/Config/Application.php @@ -99,7 +99,8 @@ class Application extends \RainLoop\Config\AbstractConfig */ public function SetPassword($sPassword) { - if (function_exists('password_hash')) { + if (function_exists('password_hash')) + { return $this->Set('security', 'admin_password', password_hash($sPassword, PASSWORD_DEFAULT)); } return $this->Set('security', 'admin_password', \md5(APP_SALT.$sPassword.APP_SALT)); @@ -115,14 +116,18 @@ class Application extends \RainLoop\Config\AbstractConfig $sPassword = (string) $sPassword; $sConfigPassword = (string) $this->Get('security', 'admin_password', ''); - if (0 < strlen($sConfigPassword)) { - if (($sPassword === $sConfigPassword) && ('12345' === $sConfigPassword)) { + if (0 < strlen($sConfigPassword)) + { + if (($sPassword === $sConfigPassword) && ('12345' === $sConfigPassword)) // password has not been set + { return true; } - if (32 == strlen($sConfigPassword)) { // legacy md5 hash + if (32 == strlen($sConfigPassword)) // legacy md5 hash + { return (\md5(APP_SALT.$sPassword.APP_SALT) === $sConfigPassword); } - if (function_exists('password_verify')) { + if (function_exists('password_verify')) // secure hash + { return password_verify($sPassword, $sConfigPassword); } }