Switch admin password hashing to secure algorithms when available

This commit is contained in:
Peter Linss 2019-11-19 16:24:21 -08:00
parent ba8bf15b4c
commit b77dcb5c12
No known key found for this signature in database
GPG key ID: 0ED32B6657FA9FE0

View file

@ -99,6 +99,9 @@ class Application extends \RainLoop\Config\AbstractConfig
*/ */
public function SetPassword($sPassword) public function SetPassword($sPassword)
{ {
if (function_exists('password_hash')) {
return $this->Set('security', 'admin_password', password_hash($sPassword, PASSWORD_DEFAULT));
}
return $this->Set('security', 'admin_password', \md5(APP_SALT.$sPassword.APP_SALT)); return $this->Set('security', 'admin_password', \md5(APP_SALT.$sPassword.APP_SALT));
} }
@ -112,8 +115,18 @@ class Application extends \RainLoop\Config\AbstractConfig
$sPassword = (string) $sPassword; $sPassword = (string) $sPassword;
$sConfigPassword = (string) $this->Get('security', 'admin_password', ''); $sConfigPassword = (string) $this->Get('security', 'admin_password', '');
return 0 < \strlen($sPassword) && if (0 < strlen($sConfigPassword)) {
(($sPassword === $sConfigPassword && '12345' === $sConfigPassword) || \md5(APP_SALT.$sPassword.APP_SALT) === $sConfigPassword); if (($sPassword === $sConfigPassword) && ('12345' === $sConfigPassword)) {
return true;
}
if (32 == strlen($sConfigPassword)) { // legacy md5 hash
return (\md5(APP_SALT.$sPassword.APP_SALT) === $sConfigPassword);
}
if (function_exists('password_verify')) {
return password_verify($sPassword, $sConfigPassword);
}
}
return false;
} }
/** /**