Merged branch origin/master

Igor Scheller 2017-01-02 02:21:30 +01:00
commit 84f6990db2
6 changed files with 24 additions and 20 deletions


@ -22,12 +22,12 @@ $LETZTES_AUSTRAGEN = 3;
// Falls ein Benutzerpasswort in einem anderen Format gespeichert ist, // Falls ein Benutzerpasswort in einem anderen Format gespeichert ist,
// wird es bei der ersten Benutzung des Klartext-Passworts in das neue Format // wird es bei der ersten Benutzung des Klartext-Passworts in das neue Format
// konvertiert. // konvertiert.
// define('CRYPT_ALG', '$1'); // MD5 // $crypt_alg = '$1'; // MD5
// define('CRYPT_ALG', '$2y$13'); // Blowfish // $crypt_alg = '$2y$13'; // Blowfish
// define('CRYPT_ALG', '$5$rounds=5000'); // SHA-256 // $crypt_alg = '$5$rounds=5000'; // SHA-256
define('CRYPT_ALG', '$6$rounds=5000'); // SHA-512 $crypt_alg = '$6$rounds=5000'; // SHA-512
define('MIN_PASSWORD_LENGTH', 8); $min_password_length = 8;
// Wenn Engel beim Registrieren oder in ihrem Profil eine T-Shirt Größe angeben sollen, auf true setzen: // Wenn Engel beim Registrieren oder in ihrem Profil eine T-Shirt Größe angeben sollen, auf true setzen:
$enable_tshirt_size = true; $enable_tshirt_size = true;
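Review bot: With `$crypt_alg` and `$min_password_length` now plain variables instead of constants, a reader that omits its `global` declaration sees null rather than failing, and the check then fails open: `strlen(...) >= $min_password_length` is true for every input when the right-hand side is null. The readers visible in this commit all declare the globals, but nothing in the config documents the requirement. I would add a comment above the assignments, for example `// Read via "global $crypt_alg" / "global $min_password_length"; both must be set and non-empty, otherwise the password checks pass silently`, and consider validating both values once after the config is loaded.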


@ -211,6 +211,7 @@ function users_list_controller() {
* Second step of password recovery: set a new password using the token link from email * Second step of password recovery: set a new password using the token link from email
*/ */
function user_password_recovery_set_new_controller() { function user_password_recovery_set_new_controller() {
global $min_password_length;
$user_source = User_by_password_recovery_token($_REQUEST['token']); $user_source = User_by_password_recovery_token($_REQUEST['token']);
if ($user_source == null) { if ($user_source == null) {
error(_("Token is not correct.")); error(_("Token is not correct."));
@ -220,7 +221,7 @@ function user_password_recovery_set_new_controller() {
if (isset($_REQUEST['submit'])) { if (isset($_REQUEST['submit'])) {
$valid = true; $valid = true;
if (isset($_REQUEST['password']) && strlen($_REQUEST['password']) >= MIN_PASSWORD_LENGTH) { if (isset($_REQUEST['password']) && strlen($_REQUEST['password']) >= $min_password_length) {
if ($_REQUEST['password'] != $_REQUEST['password2']) { if ($_REQUEST['password'] != $_REQUEST['password2']) {
$valid = false; $valid = false;
error(_("Your passwords don't match.")); error(_("Your passwords don't match."));
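Review bot: The confirmation check `$_REQUEST['password'] != $_REQUEST['password2']` uses loose comparison, so two different numeric-looking strings (PHP treats `'1e3'` and `'1000'` as equal under `==`) are accepted as matching, and `password2` is read without an `isset()`. I would write `if (!isset($_REQUEST['password2']) || $_REQUEST['password'] !== $_REQUEST['password2']) {`. The same comparison appears in guest_register() and, with `new_password`/`new_password2`, in user_settings_password(). `$_REQUEST['token']` is likewise read without an `isset()` at the top of the function; the function body continues outside the hunk.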


@ -26,14 +26,14 @@ function locale_short() {
function gettext_init() { function gettext_init() {
global $locales, $default_locale; global $locales, $default_locale;
if (isset($_REQUEST['set_locale']) && in_array($_REQUEST['set_locale'], array_keys($locales))) { if (isset($_REQUEST['set_locale']) && isset($locales[$_REQUEST['set_locale']])) {
$_SESSION['locale'] = $_REQUEST['set_locale']; $_SESSION['locale'] = $_REQUEST['set_locale'];
} elseif (! isset($_SESSION['locale'])) { } elseif (! isset($_SESSION['locale'])) {
$_SESSION['locale'] = $default_locale; $_SESSION['locale'] = $default_locale;
} }
gettext_locale(); gettext_locale();
bindtextdomain('default', __DIR__ . '../../locale'); bindtextdomain('default', realpath(__DIR__ . '/../../locale'));
bind_textdomain_codeset('default', 'UTF-8'); bind_textdomain_codeset('default', 'UTF-8');
textdomain('default'); textdomain('default');
} }
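Review bot: `realpath()` returns false when the path does not resolve, and the result is passed straight into `bindtextdomain()`, whose own return value is also ignored, so a missing or unreadable locale directory silently leaves the UI untranslated. I would resolve the path into a variable first, `$locale_dir = realpath(__DIR__ . '/../../locale');`, and handle `$locale_dir === false` explicitly (log it or abort with the project's error helper, if one is in scope in this file) before calling `bindtextdomain('default', $locale_dir);`. The `isset($locales[...])` allow-list for `set_locale` is the right shape; a short comment saying that only keys of `$locales` may reach `$_SESSION['locale']` would keep it from being loosened later.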


@ -14,7 +14,7 @@ function logout_title() {
// Engel registrieren // Engel registrieren
function guest_register() { function guest_register() {
global $tshirt_sizes, $enable_tshirt_size, $default_theme, $user; global $tshirt_sizes, $enable_tshirt_size, $default_theme, $user, $min_password_length;
$event_config = EventConfig(); $event_config = EventConfig();
@ -96,14 +96,14 @@ function guest_register() {
} }
} }
if (isset($_REQUEST['password']) && strlen($_REQUEST['password']) >= MIN_PASSWORD_LENGTH) { if (isset($_REQUEST['password']) && strlen($_REQUEST['password']) >= $min_password_length) {
if ($_REQUEST['password'] != $_REQUEST['password2']) { if ($_REQUEST['password'] != $_REQUEST['password2']) {
$valid = false; $valid = false;
$msg .= error(_("Your passwords don't match."), true); $msg .= error(_("Your passwords don't match."), true);
} }
} else { } else {
$valid = false; $valid = false;
$msg .= error(sprintf(_("Your password is too short (please use at least %s characters)."), MIN_PASSWORD_LENGTH), true); $msg .= error(sprintf(_("Your password is too short (please use at least %s characters)."), $min_password_length), true);
} }
if (isset($_REQUEST['planned_arrival_date'])) { if (isset($_REQUEST['planned_arrival_date'])) {


@ -88,9 +88,10 @@ function user_settings_main($user_source, $enable_tshirt_size, $tshirt_sizes) {
* The user * The user
*/ */
function user_settings_password($user_source) { function user_settings_password($user_source) {
global $min_password_length;
if (! isset($_REQUEST['password']) || ! verify_password($_REQUEST['password'], $user_source['Passwort'], $user_source['UID'])) { if (! isset($_REQUEST['password']) || ! verify_password($_REQUEST['password'], $user_source['Passwort'], $user_source['UID'])) {
error(_("-> not OK. Please try again.")); error(_("-> not OK. Please try again."));
} elseif (strlen($_REQUEST['new_password']) < MIN_PASSWORD_LENGTH) { } elseif (strlen($_REQUEST['new_password']) < $min_password_length) {
error(_("Your password is to short (please use at least 6 characters).")); error(_("Your password is to short (please use at least 6 characters)."));
} elseif ($_REQUEST['new_password'] != $_REQUEST['new_password2']) { } elseif ($_REQUEST['new_password'] != $_REQUEST['new_password2']) {
error(_("Your passwords don't match.")); error(_("Your passwords don't match."));
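Review bot: The error text still says "at least 6 characters" while the check on the line above now compares against `$min_password_length` (8 in the config section of this commit), so the user is told the wrong minimum. guest_register() already formats the limit into its message, and the same call works here: `error(sprintf(_("Your password is too short (please use at least %s characters)."), $min_password_length));`, which also fixes the "to short" typo and reuses an existing msgid. `$_REQUEST['new_password']` is read without `isset()` in the same branch. The function continues outside the hunk.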


@ -39,7 +39,8 @@ function generate_salt($length = 16) {
* set the password of a user * set the password of a user
*/ */
function set_password($uid, $password) { function set_password($uid, $password) {
$result = sql_query("UPDATE `User` SET `Passwort` = '" . sql_escape(crypt($password, CRYPT_ALG . '$' . generate_salt(16) . '$')) . "', `password_recovery_token`=NULL WHERE `UID` = " . intval($uid) . " LIMIT 1"); global $crypt_alg;
$result = sql_query("UPDATE `User` SET `Passwort` = '" . sql_escape(crypt($password, $crypt_alg . '$' . generate_salt(16) . '$')) . "', `password_recovery_token`=NULL WHERE `UID` = " . intval($uid) . " LIMIT 1");
if ($result === false) { if ($result === false) {
engelsystem_error('Unable to update password.'); engelsystem_error('Unable to update password.');
} }
@ -51,6 +52,7 @@ function set_password($uid, $password) {
* if $uid is given and $salt is an old-style salt (plain md5), we convert it automatically * if $uid is given and $salt is an old-style salt (plain md5), we convert it automatically
*/ */
function verify_password($password, $salt, $uid = false) { function verify_password($password, $salt, $uid = false) {
global $crypt_alg;
$correct = false; $correct = false;
if (substr($salt, 0, 1) == '$') { // new-style crypt() if (substr($salt, 0, 1) == '$') { // new-style crypt()
$correct = crypt($password, $salt) == $salt; $correct = crypt($password, $salt) == $salt;
@ -60,11 +62,11 @@ function verify_password($password, $salt, $uid = false) {
$correct = md5($password) == $salt; $correct = md5($password) == $salt;
} }
if ($correct && substr($salt, 0, strlen(CRYPT_ALG)) != CRYPT_ALG && $uid) { if ($correct && substr($salt, 0, strlen($crypt_alg)) != $crypt_alg && $uid) {
// this password is stored in another format than we want it to be. // this password is stored in another format than we want it to be.
// let's update it! // let's update it!
// we duplicate the query from the above set_password() function to have the extra safety of checking the old hash // we duplicate the query from the above set_password() function to have the extra safety of checking the old hash
sql_query("UPDATE `User` SET `Passwort` = '" . sql_escape(crypt($password, CRYPT_ALG . '$' . generate_salt() . '$')) . "' WHERE `UID` = " . intval($uid) . " AND `Passwort` = '" . sql_escape($salt) . "' LIMIT 1"); sql_query("UPDATE `User` SET `Passwort` = '" . sql_escape(crypt($password, $crypt_alg . '$' . generate_salt() . '$')) . "' WHERE `UID` = " . intval($uid) . " AND `Passwort` = '" . sql_escape($salt) . "' LIMIT 1");
} }
return $correct; return $correct;
} }
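Review bot: Both hash checks in verify_password() use `==`: `crypt($password, $salt) == $salt` and `md5($password) == $salt`. Loose comparison treats strings of the form `0e<digits>` as numbers, so for legacy MD5 rows two different hashes of that shape compare equal, and neither comparison is constant-time. I would use `hash_equals($salt, crypt($password, $salt))` and `hash_equals($salt, md5($password))` (available from PHP 5.6; confirm the minimum version the project supports). The upgrade query in the last hunk also ignores the result of `sql_query()`, unlike set_password(), so a failed rehash goes unnoticed. Part of verify_password() lies between the hunks and is not visible here.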