From b77dcb5c12f77d33701555e00ad9ac602ffef046 Mon Sep 17 00:00:00 2001 From: Peter Linss Date: Tue, 19 Nov 2019 16:24:21 -0800 Subject: [PATCH] Switch admin password hashing to secure algorithms when available --- .../libraries/RainLoop/Config/Application.php | 17 +++++++++++++++-- 1 file changed, 15 insertions(+), 2 deletions(-) diff --git a/rainloop/v/0.0.0/app/libraries/RainLoop/Config/Application.php b/rainloop/v/0.0.0/app/libraries/RainLoop/Config/Application.php index c4316703b..f5c73e281 100644 --- a/rainloop/v/0.0.0/app/libraries/RainLoop/Config/Application.php +++ b/rainloop/v/0.0.0/app/libraries/RainLoop/Config/Application.php @@ -99,6 +99,9 @@ class Application extends \RainLoop\Config\AbstractConfig */ public function SetPassword($sPassword) { + if (function_exists('password_hash')) { + return $this->Set('security', 'admin_password', password_hash($sPassword, PASSWORD_DEFAULT)); + } return $this->Set('security', 'admin_password', \md5(APP_SALT.$sPassword.APP_SALT)); } @@ -112,8 +115,18 @@ class Application extends \RainLoop\Config\AbstractConfig $sPassword = (string) $sPassword; $sConfigPassword = (string) $this->Get('security', 'admin_password', ''); - return 0 < \strlen($sPassword) && - (($sPassword === $sConfigPassword && '12345' === $sConfigPassword) || \md5(APP_SALT.$sPassword.APP_SALT) === $sConfigPassword); + if (0 < strlen($sConfigPassword)) { + if (($sPassword === $sConfigPassword) && ('12345' === $sConfigPassword)) { + return true; + } + if (32 == strlen($sConfigPassword)) { // legacy md5 hash + return (\md5(APP_SALT.$sPassword.APP_SALT) === $sConfigPassword); + } + if (function_exists('password_verify')) { + return password_verify($sPassword, $sConfigPassword); + } + } + return false; } /**