
Changeset 972


Timestamp:
12/06/2007 02:02:15 PM (11 years ago)
Author:
sambauers
Message:

Implement phpass hashing. Mostly lifted from WordPress, so props ryan. Fixes #760

Location:
trunk
Files:
1 added
3 edited

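--- a/trunk/bb-includes/pluggable.php
+++ b/trunk/bb-includes/pluggable.php
@@ -4,7 +4,10 @@
 function bb_auth() {
     // Checks if a user is logged in, if not redirects them to the login page
-    if ( (!empty($_COOKIE[bb_get_option( 'usercookie' )]) &&
-                !bb_check_login($_COOKIE[bb_get_option( 'usercookie' )], $_COOKIE[bb_get_option( 'passcookie' )], true)) ||
-             (empty($_COOKIE[bb_get_option( 'usercookie' )])) ) {
+    $usercookie = $_COOKIE[bb_get_option( 'usercookie' )];
+    $passcookie = $_COOKIE[bb_get_option( 'passcookie' )];
+    if (
+        empty($usercookie) ||
+        (!empty($usercookie) && !bb_check_login($usercookie, $passcookie, true))
+    ) {
         nocache_headers();
 
@@ -19,10 +22,29 @@
     global $bbdb;
     $user = bb_user_sanitize( $user );
+    if ($user == '') {
+        return false;
+    }
+    $user = bb_get_user_by_name( $user );
+
     if ( !$already_md5 ) {
-        $pass = bb_user_sanitize( md5( $pass ) );
-        return $bbdb->get_row("SELECT * FROM $bbdb->users WHERE user_login = '$user' AND SUBSTRING_INDEX( user_pass, '---', 1 ) = '$pass'");
+        if ( wp_check_password($pass, $user->user_pass) ) {
+            // If using old md5 password, rehash.
+            if ( strlen($user->user_pass) <= 32 ) {
+                $hash = wp_hash_password($pass);
+                $bbdb->query("UPDATE $bbdb->users SET user_pass = '$hash' WHERE ID = '$user->ID'");
+                global $bb_cache;
+                $bb_cache->flush_one( 'user', $user->ID );
+                $user = bb_get_user( $user->ID );
+            }
+
+            return $user;
+        }
     } else {
-        return $bbdb->get_row("SELECT * FROM $bbdb->users WHERE user_login = '$user' AND MD5( user_pass ) = '$pass'");
-    }
+        if ( md5($user->user_pass) == $pass ) {
+            return $user;
+        }
+    }
+
+    return false;
 }
 endif;
@@ -266,4 +288,37 @@
 endif;
 
+if ( !function_exists('wp_hash_password') ) : // [WP6350]
+function wp_hash_password($password) {
+    global $wp_hasher;
+
+    if ( empty($wp_hasher) ) {
+        require_once( BBPATH . BBINC . 'class-phpass.php');
+        // By default, use the portable hash from phpass
+        $wp_hasher = new PasswordHash(8, TRUE);
+    }
+
+    return $wp_hasher->HashPassword($password);
+}
+endif;
+
+if ( !function_exists('wp_check_password') ) : // [WP6350]
+function wp_check_password($password, $hash) {
+    global $wp_hasher;
+
+    if ( strlen($hash) <= 32 )
+        return ( $hash == md5($password) );
+
+    // If the stored hash is longer than an MD5, presume the
+    // new style phpass portable hash.
+    if ( empty($wp_hasher) ) {
+        require_once( BBPATH . BBINC . 'class-phpass.php');
+        // By default, use the portable hash from phpass
+        $wp_hasher = new PasswordHash(8, TRUE);
+    }
+
+    return $wp_hasher->CheckPassword($password, $hash);
+}
+endif;
+
 if ( !function_exists('bb_check_admin_referer') ) :
 function bb_check_admin_referer( $action = -1 ) {
@@ -342,5 +397,5 @@
     $now        = bb_current_time('mysql');
     $password   = bb_random_pass();
-    $passcrypt  = md5( $password );
+    $passcrypt  = wp_hash_password( $password );
 
     if ( !$user_login || !$email )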
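Review bot: In bb_check_login the value returned by `bb_get_user_by_name( $user )` is used as `$user->user_pass` with no check that a user was found, so a login attempt for an unknown name dereferences a non-object in both branches and the function only returns false by accident; add `if ( !$user ) { return false; }` directly after the lookup. In wp_check_password the legacy branch compares with `==`; `return ( $hash === md5($password) );` avoids PHP's numeric-string comparison, under which two hex digests of the form `0e` followed only by digits compare equal. The rehash condition `strlen($user->user_pass) <= 32` relies on every phpass hash being longer than an MD5 hex digest, which holds for the portable format used here but is worth a one-line comment since the same test is repeated in wp_check_password. bb_check_login's signature lies outside the hunk.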
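--- a/trunk/bb-includes/registration-functions.php
+++ b/trunk/bb-includes/registration-functions.php
@@ -85,5 +85,5 @@
     $user_id = (int) $user_id;
 
-    $passhash = md5( $password );
+    $passhash = wp_hash_password( $password );
 
     $bbdb->query("UPDATE $bbdb->users SET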
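Review bot: `$passhash` now holds a phpass string instead of a hex digest, and the UPDATE that starts on the last line of the hunk still interpolates it directly into the SQL; phpass output is limited to `./0-9A-Za-z` plus the `$` prefix, so this is not injectable today, but escaping the value like any other query input would stop that alphabet from being load-bearing. The enclosing function starts and ends outside the hunk.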
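--- a/trunk/profile-edit.php
+++ b/trunk/profile-edit.php
@@ -103,6 +103,8 @@
             $_POST['pass1'] = addslashes($_POST['pass1']);
             bb_update_user_password( $user->ID, $_POST['pass1'] );
-            if ( $bb_current_id == $user->ID )
-                bb_cookie( bb_get_option( 'passcookie' ), md5( md5( $_POST['pass1'] ) ) ); // One week
+            if ( $bb_current_id == $user->ID ) {
+                $user = bb_get_user( $user->ID );
+                bb_cookie( bb_get_option( 'passcookie' ), md5( $user->user_pass ) ); // One week
+            }
         endif;
 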
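Review bot: The new block re-reads the user with `bb_get_user( $user->ID )` straight after bb_update_user_password without flushing the user cache, whereas the rehash path added to bb_check_login in this same changeset calls `$bb_cache->flush_one( 'user', $user->ID )` before its re-read; if bb_update_user_password does not invalidate that cache itself, the passcookie is computed from the stale hash and the user is logged out on the next request. Adding `$bb_cache->flush_one( 'user', $user->ID );` before the re-read (bringing `$bb_cache` into scope as bb_check_login does) keeps the two paths consistent. The enclosing control structure starts outside the hunk.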