* Carnet :
- #414: Link to users' fiche go to private fiche and not public. -Car
+ * Core :
+ - #375: Use SHA1 instead of MD5 for password encryption. -Car
+
* Events :
- #268: Hide read events. -Car
- #391: Go back to top link at end of each event. -Car
<?php
+/***************************************************************************
+ * Copyright (C) 2003-2006 Polytechnique.org *
+ * http://opensource.polytechnique.org/ *
+ * *
+ * This program is free software; you can redistribute it and/or modify *
+ * it under the terms of the GNU General Public License as published by *
+ * the Free Software Foundation; either version 2 of the License, or *
+ * (at your option) any later version. *
+ * *
+ * This program is distributed in the hope that it will be useful, *
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of *
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the *
+ * GNU General Public License for more details. *
+ * *
+ * You should have received a copy of the GNU General Public License *
+ * along with this program; if not, write to the Free Software *
+ * Foundation, Inc., *
+ * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA *
+ ***************************************************************************/
function tmp_menu()
{
$globals->menu->addPrivateEntry(XOM_CUSTOM, 10, 'Mon profil', 'profil.php');
$globals->menu->addPrivateEntry(XOM_CUSTOM, 20, 'Mes contacts', 'carnet/mescontacts.php');
$globals->menu->addPrivateEntry(XOM_CUSTOM, 30, 'Mon carnet', 'carnet/');
- $globals->menu->addPrivateEntry(XOM_CUSTOM, 40, 'Mon mot de passe', 'motdepassemd5.php');
+ $globals->menu->addPrivateEntry(XOM_CUSTOM, 40, 'Mon mot de passe', 'motdepasse.php');
$globals->menu->addPrivateEntry(XOM_CUSTOM, 50, 'Mes préférences', 'preferences.php');
$globals->menu->addPrivateEntry(XOM_GROUPS, 10, 'Trombi/Site promo', 'trombipromo.php');
// Editer un profil
case "u_edit":
- $pass_md5B = Env::get('newpass_clair') != "********" ? md5(Env::get('newpass_clair')) : Env::get('passw');
- $naiss = Env::get('naissanceN');
- $perms = Env::get('permsN');
- $prenm = Env::get('prenomN');
- $nom = Env::get('nomN');
- $promo = Env::getInt('promoN');
- $sexe = Env::get('sexeN');
- $comm = Env::get('commentN');
-
- $query = "UPDATE auth_user_md5 SET
- naissance = '$naiss',
- password = '$pass_md5B',
- perms = '$perms',
- prenom = '".addslashes($prenm)."',
- nom = '".addslashes($nom)."',
- flags = '$sexe',
- promo = $promo,
- comment = '".addslashes($comm)."'
- WHERE user_id = '{$mr['user_id']}'";
- if ($globals->xdb->execute($query)) {
+ require_once('secure_hash.inc.php');
+ $pass_encrypted = Env::get('newpass_clair') != "********" ? hash_encrypt(Env::get('newpass_clair')) : Env::get('passw');
+ $naiss = Env::get('naissanceN');
+ $perms = Env::get('permsN');
+ $prenm = Env::get('prenomN');
+ $nom = Env::get('nomN');
+ $promo = Env::getInt('promoN');
+ $sexe = Env::get('sexeN');
+ $comm = Env::get('commentN');
+
+ $query = "UPDATE auth_user_md5 SET
+ naissance = '$naiss',
+ password = '$pass_encrypted',
+ perms = '$perms',
+ prenom = '".addslashes($prenm)."',
+ nom = '".addslashes($nom)."',
+ flags = '$sexe',
+ promo = $promo,
+ comment = '".addslashes($comm)."'
+ WHERE user_id = '{$mr['user_id']}'";
+ if ($globals->xdb->execute($query)) {
user_reindex($mr['user_id']);
require_once("diogenes/diogenes.hermes.inc.php");
require_once('nomusage.inc.php');
set_new_usage($mr['user_id'], Env::get('nomusageN'), make_username(Env::get('prenomN'), Env::get('nomusageN')));
}
- $r = $globals->xdb->query("SELECT *, a.alias AS forlife, u.flags AS sexe
+ $r = $globals->xdb->query("SELECT *, a.alias AS forlife, u.flags AS sexe
FROM auth_user_md5 AS u
INNER JOIN aliases AS a ON (u.user_id=a.id)
WHERE user_id = {?}", $mr['user_id']);
$mr = $r->fetchOneAssoc();
- break;
+ break;
// DELETE FROM auth_user_md5
case "u_kill":
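Review bot: The rebuilt `$query` still splices `$naiss`, `$perms`, `$sexe`, `$promo` and `$pass_encrypted` straight into the SQL string, and `$pass_encrypted` falls back to the raw `Env::get('passw')` request value when no new password was typed, so the rewrite keeps a string-built statement while the `SELECT` a few lines below and the other call sites in this change (`UPDATE auth_user_md5 SET password={?} …`) already use the driver's `{?}` binding. Moving this statement to the same bound form removes the hand-rolled `addslashes` calls and the unescaped interpolations in one step. The enclosing `switch`/`case` starts before this hunk.
```php
$query = "UPDATE auth_user_md5 SET
              naissance = {?}, password = {?}, perms = {?}, prenom = {?},
              nom = {?}, flags = {?}, promo = {?}, comment = {?}
          WHERE user_id = {?}";
if ($globals->xdb->execute($query, $naiss, $pass_encrypted, $perms, $prenm,
                           $nom, $sexe, $promo, $comm, $mr['user_id'])) {
    // … unchanged: user_reindex / set_new_usage …
}
```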
* 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA *
***************************************************************************/
+document.write('<script language="javascript" src="javascript/secure_hash.js"></script>');
+
function correctUserName() {
var u = document.forms.login.username;
// login with no space
if (!correctUserName()) return false;
+ var new_pass = hash_encrypt(document.forms.login.password.value);
+ var old_pass = MD5(document.forms.login.password.value);
+
str = document.forms.login.username.value + ":" +
- MD5(document.forms.login.password.value) + ":" +
+ new_pass + ":" +
document.forms.loginsub.challenge.value;
- document.forms.loginsub.response.value = MD5(str);
+ document.forms.loginsub.response.value = hash_encrypt(str);
+ document.forms.loginsub.xorpass.value = hash_xor(new_pass, old_pass);
document.forms.loginsub.username.value = document.forms.login.username.value;
document.forms.loginsub.remember.value = document.forms.login.remember.checked;
document.forms.loginsub.domain.value = document.forms.login.domain.value;
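Review bot: `xorpass` is filled on every login, although the server only needs it for accounts whose stored value is still an MD5 hash, and unlike `response` it does not depend on `challenge`, so the same value is sent for a given password on every session. Nothing in the file says this is a transitional field, so a reader later will not know when it can go; a comment above the new lines would fix that, e.g. `// transitional (#375): lets the server convert a stored MD5 hash to SHA-1; drop once all accounts are migrated`. The enclosing function starts before this hunk.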
* 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA *
***************************************************************************/
+document.write('<script language="javascript" src="javascript/secure_hash.js"></script>');
+
function readCookie(name)
{
var nameEQ = name + "=";
function doChallengeResponse() {
+ var new_pass = hash_encrypt(document.forms.login.password.value);
+ var old_pass = MD5(document.forms.login.password.value);
+
str = readCookie('ORGuid') + ":" +
- MD5(document.forms.login.password.value) + ":" +
+ hash_encrypt(document.forms.login.password.value) + ":" +
document.forms.loginsub.challenge.value;
- document.forms.loginsub.response.value = MD5(str);
+ document.forms.loginsub.response.value = hash_encrypt(str);
+ document.forms.loginsub.xorpass.value = hash_xor(new_pass, old_pass);
document.forms.loginsub.remember.value = document.forms.login.remember.checked;
document.forms.login.password.value = "";
document.forms.loginsub.submit();
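Review bot: `new_pass` is computed at the top of doChallengeResponse but the concatenation below recomputes `hash_encrypt(document.forms.login.password.value)` instead of using it, which is both redundant and inconsistent with the sibling do_challenge_response.js, where the same line reads `new_pass + ":" +`. Using the variable here keeps the two login scripts identical apart from the username source and makes it obvious that `response` and `xorpass` are derived from the same hash. `hash_xor` and `hash_encrypt` come from secure_hash.js, which this file loads through `document.write` at the top.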
* 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA *
***************************************************************************/
+document.write('<script language="javascript" src="javascript/secure_hash.js"></script>');
+
function EnCryptedResponse() {
pw1 = document.forms.changepass.nouveau.value;
pw2 = document.forms.changepass.nouveau2.value;
return false;
exit;
}
- str = MD5(document.forms.changepass.nouveau.value);
+ str = hash_encrypt(document.forms.changepass.nouveau.value);
document.forms.changepass2.response2.value = str;
alert ("Le mot de passe que tu as rentré va être chiffré avant de nous parvenir par Internet ! Ainsi il ne circulera pas en clair.");
document.forms.changepass2.submit();
--- /dev/null
+/***************************************************************************\r
+ * Copyright (C) 2003-2006 Polytechnique.org *\r
+ * http://opensource.polytechnique.org/ *\r
+ * *\r
+ * This program is free software; you can redistribute it and/or modify *\r
+ * it under the terms of the GNU General Public License as published by *\r
+ * the Free Software Foundation; either version 2 of the License, or *\r
+ * (at your option) any later version. *\r
+ * *\r
+ * This program is distributed in the hope that it will be useful, *\r
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of *\r
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the *\r
+ * GNU General Public License for more details. *\r
+ * *\r
+ * You should have received a copy of the GNU General Public License *\r
+ * along with this program; if not, write to the Free Software *\r
+ * Foundation, Inc., *\r
+ * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA *\r
+ ***************************************************************************/\r
+\r
+document.write('<script language="javascript" src="javascript/md5.js"></script>');\r
+document.write('<script language="javascript" src="javascript/sha1.js"></script>');\r
+\r
+function hash_encrypt(a) {\r
+ return hex_sha1(a);\r
+}\r
+\r
+var hexa_h = "0123456789abcdef";\r
+\r
+function dechex(a) {\r
+ return hexa_h.charAt(a);\r
+}\r
+\r
+function hexdec(a) {\r
+ return hexa_h.indexOf(a);\r
+}\r
+\r
+function hash_xor(a, b) {\r
+ var c,i,j,k;\r
+ c = "";\r
+ i = a.length;\r
+ j = b.length;\r
+ if (i < j) {\r
+ var d;\r
+ d = a; a = b; b = d;\r
+ k = i; i = j; j = k;\r
+ }\r
+ for (k = 0; k < j; k++)\r
+ c += dechex(hexdec(a.charAt(k)) ^ hexdec(b.charAt(k)));\r
+ for (; k < i; k++)\r
+ c += a.charAt(k);\r
+ return c;\r
+}\r
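Review bot: `hash_xor` assumes both arguments are lowercase hex strings but never checks it: `hexdec` falls back to `indexOf`'s -1 for any other character, `-1 ^ x` is negative, and `charAt` of a negative index returns "", so a malformed input silently yields a shorter string rather than an error. Neither function carries a comment, and the name `hash_encrypt` suggests encryption where the body is an unsalted `hex_sha1`; a header such as `// hash_encrypt(a): lowercase hex SHA-1 of a, must stay in sync with hash_encrypt() in secure_hash.inc.php` and `// hash_xor(a, b): xor of two lowercase-hex strings; the tail of the longer one is copied verbatim` would give the server-side counterpart something to be checked against. The `document.write` of md5.js and sha1.js also bypasses the page's `addJsLink` mechanism that doLogin uses for secure_hash.js itself, so the three files are wired in two different ways.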
--- /dev/null
+/*\r
+ * A JavaScript implementation of the Secure Hash Algorithm, SHA-1, as defined\r
+ * in FIPS PUB 180-1\r
+ * Version 2.1a Copyright Paul Johnston 2000 - 2002.\r
+ * Other contributors: Greg Holt, Andrew Kepert, Ydnar, Lostinet\r
+ * Distributed under the BSD License\r
+ * See http://pajhome.org.uk/crypt/md5 for details.\r
+ */\r
+\r
+/*\r
+ * Configurable variables. You may need to tweak these to be compatible with\r
+ * the server-side, but the defaults work in most cases.\r
+ */\r
+var hexcase = 0; /* hex output format. 0 - lowercase; 1 - uppercase */\r
+var b64pad = ""; /* base-64 pad character. "=" for strict RFC compliance */\r
+var chrsz = 8; /* bits per input character. 8 - ASCII; 16 - Unicode */\r
+\r
+/*\r
+ * These are the functions you'll usually want to call\r
+ * They take string arguments and return either hex or base-64 encoded strings\r
+ */\r
+function hex_sha1(s){return binb2hex(core_sha1(str2binb(s),s.length * chrsz));}\r
+function b64_sha1(s){return binb2b64(core_sha1(str2binb(s),s.length * chrsz));}\r
+function str_sha1(s){return binb2str(core_sha1(str2binb(s),s.length * chrsz));}\r
+function hex_hmac_sha1(key, data){ return binb2hex(core_hmac_sha1(key, data));}\r
+function b64_hmac_sha1(key, data){ return binb2b64(core_hmac_sha1(key, data));}\r
+function str_hmac_sha1(key, data){ return binb2str(core_hmac_sha1(key, data));}\r
+\r
+/*\r
+ * Perform a simple self-test to see if the VM is working\r
+ */\r
+function sha1_vm_test()\r
+{\r
+ return hex_sha1("abc") == "a9993e364706816aba3e25717850c26c9cd0d89d";\r
+}\r
+\r
+/*\r
+ * Calculate the SHA-1 of an array of big-endian words, and a bit length\r
+ */\r
+function core_sha1(x, len)\r
+{\r
+ /* append padding */\r
+ x[len >> 5] |= 0x80 << (24 - len % 32);\r
+ x[((len + 64 >> 9) << 4) + 15] = len;\r
+\r
+ var w = Array(80);\r
+ var a = 1732584193;\r
+ var b = -271733879;\r
+ var c = -1732584194;\r
+ var d = 271733878;\r
+ var e = -1009589776;\r
+\r
+ for(var i = 0; i < x.length; i += 16)\r
+ {\r
+ var olda = a;\r
+ var oldb = b;\r
+ var oldc = c;\r
+ var oldd = d;\r
+ var olde = e;\r
+\r
+ for(var j = 0; j < 80; j++)\r
+ {\r
+ if(j < 16) w[j] = x[i + j];\r
+ else w[j] = rol(w[j-3] ^ w[j-8] ^ w[j-14] ^ w[j-16], 1);\r
+ var t = safe_add(safe_add(rol(a, 5), sha1_ft(j, b, c, d)),\r
+ safe_add(safe_add(e, w[j]), sha1_kt(j)));\r
+ e = d;\r
+ d = c;\r
+ c = rol(b, 30);\r
+ b = a;\r
+ a = t;\r
+ }\r
+\r
+ a = safe_add(a, olda);\r
+ b = safe_add(b, oldb);\r
+ c = safe_add(c, oldc);\r
+ d = safe_add(d, oldd);\r
+ e = safe_add(e, olde);\r
+ }\r
+ return Array(a, b, c, d, e);\r
+\r
+}\r
+\r
+/*\r
+ * Perform the appropriate triplet combination function for the current\r
+ * iteration\r
+ */\r
+function sha1_ft(t, b, c, d)\r
+{\r
+ if(t < 20) return (b & c) | ((~b) & d);\r
+ if(t < 40) return b ^ c ^ d;\r
+ if(t < 60) return (b & c) | (b & d) | (c & d);\r
+ return b ^ c ^ d;\r
+}\r
+\r
+/*\r
+ * Determine the appropriate additive constant for the current iteration\r
+ */\r
+function sha1_kt(t)\r
+{\r
+ return (t < 20) ? 1518500249 : (t < 40) ? 1859775393 :\r
+ (t < 60) ? -1894007588 : -899497514;\r
+}\r
+\r
+/*\r
+ * Calculate the HMAC-SHA1 of a key and some data\r
+ */\r
+function core_hmac_sha1(key, data)\r
+{\r
+ var bkey = str2binb(key);\r
+ if(bkey.length > 16) bkey = core_sha1(bkey, key.length * chrsz);\r
+\r
+ var ipad = Array(16), opad = Array(16);\r
+ for(var i = 0; i < 16; i++)\r
+ {\r
+ ipad[i] = bkey[i] ^ 0x36363636;\r
+ opad[i] = bkey[i] ^ 0x5C5C5C5C;\r
+ }\r
+\r
+ var hash = core_sha1(ipad.concat(str2binb(data)), 512 + data.length * chrsz);\r
+ return core_sha1(opad.concat(hash), 512 + 160);\r
+}\r
+\r
+/*\r
+ * Add integers, wrapping at 2^32. This uses 16-bit operations internally\r
+ * to work around bugs in some JS interpreters.\r
+ */\r
+function safe_add(x, y)\r
+{\r
+ var lsw = (x & 0xFFFF) + (y & 0xFFFF);\r
+ var msw = (x >> 16) + (y >> 16) + (lsw >> 16);\r
+ return (msw << 16) | (lsw & 0xFFFF);\r
+}\r
+\r
+/*\r
+ * Bitwise rotate a 32-bit number to the left.\r
+ */\r
+function rol(num, cnt)\r
+{\r
+ return (num << cnt) | (num >>> (32 - cnt));\r
+}\r
+\r
+/*\r
+ * Convert an 8-bit or 16-bit string to an array of big-endian words\r
+ * In 8-bit function, characters >255 have their hi-byte silently ignored.\r
+ */\r
+function str2binb(str)\r
+{\r
+ var bin = Array();\r
+ var mask = (1 << chrsz) - 1;\r
+ for(var i = 0; i < str.length * chrsz; i += chrsz)\r
+ bin[i>>5] |= (str.charCodeAt(i / chrsz) & mask) << (32 - chrsz - i%32);\r
+ return bin;\r
+}\r
+\r
+/*\r
+ * Convert an array of big-endian words to a string\r
+ */\r
+function binb2str(bin)\r
+{\r
+ var str = "";\r
+ var mask = (1 << chrsz) - 1;\r
+ for(var i = 0; i < bin.length * 32; i += chrsz)\r
+ str += String.fromCharCode((bin[i>>5] >>> (32 - chrsz - i%32)) & mask);\r
+ return str;\r
+}\r
+\r
+/*\r
+ * Convert an array of big-endian words to a hex string.\r
+ */\r
+function binb2hex(binarray)\r
+{\r
+ var hex_tab = hexcase ? "0123456789ABCDEF" : "0123456789abcdef";\r
+ var str = "";\r
+ for(var i = 0; i < binarray.length * 4; i++)\r
+ {\r
+ str += hex_tab.charAt((binarray[i>>2] >> ((3 - i%4)*8+4)) & 0xF) +\r
+ hex_tab.charAt((binarray[i>>2] >> ((3 - i%4)*8 )) & 0xF);\r
+ }\r
+ return str;\r
+}\r
+\r
+/*\r
+ * Convert an array of big-endian words to a base-64 string\r
+ */\r
+function binb2b64(binarray)\r
+{\r
+ var tab = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";\r
+ var str = "";\r
+ for(var i = 0; i < binarray.length * 4; i += 3)\r
+ {\r
+ var triplet = (((binarray[i >> 2] >> 8 * (3 - i %4)) & 0xFF) << 16)\r
+ | (((binarray[i+1 >> 2] >> 8 * (3 - (i+1)%4)) & 0xFF) << 8 )\r
+ | ((binarray[i+2 >> 2] >> 8 * (3 - (i+2)%4)) & 0xFF);\r
+ for(var j = 0; j < 4; j++)\r
+ {\r
+ if(i * 8 + j * 6 > binarray.length * 32) str += b64pad;\r
+ else str += tab.charAt((triplet >> 6*(3-j)) & 0x3F);\r
+ }\r
+ }\r
+ return str;\r
+}\r
require_once('xorg.inc.php');
if (Env::has('response2')) {
+ require_once('secure_hash.inc.php');
$_SESSION['password'] = $password = Post::get('response2');
$globals->xdb->execute('UPDATE auth_user_md5 SET password={?} WHERE user_id={?}', $password, Session::getInt('uid'));
$log->log('passwd', '');
if (Cookie::get('ORGaccess')) {
- setcookie('ORGaccess', md5($password), (time()+25920000), '/', '' ,0);
+ setcookie('ORGaccess', hash_encrypt($password), (time()+25920000), '/', '' ,0);
}
- new_skinned_page('motdepassemd5.success.tpl', AUTH_MDP);
+ new_skinned_page('motdepasse.success.tpl', AUTH_MDP);
$page->run();
}
-new_skinned_page('motdepassemd5.tpl', AUTH_MDP);
-$page->addJsLink('javascript/md5.js');
-$page->addJsLink('javascript/motdepassemd5.js');
+new_skinned_page('motdepasse.tpl', AUTH_MDP);
+$page->addJsLink('javascript/motdepasse.js');
$page->assign('xorg_title','Polytechnique.org - Mon mot de passe');
$page->run();
?>
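Review bot: `Post::get('response2')` is written verbatim into `auth_user_md5.password` and `$_SESSION['password']` without any check on its shape, although the client is expected to send the 40-character hex digest that the login JavaScript will later recompute. Anything else — an empty value, or a longer string that the widened `VARCHAR(40)` column would presumably truncate — would be stored and could then never match at login; a guard before the UPDATE such as `if (!preg_match('/^[0-9a-f]{40}$/', $password)) { /* reject */ }` keeps only well-formed digests in the table. The `require_once('secure_hash.inc.php')` is placed at the start of the block although only the cookie branch uses it; that is harmless but worth a glance for consistency with the other call sites.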
$log->log('passwd', '');
if (Cookie::get('ORGaccess')) {
- setcookie('ORGaccess', md5($password), (time()+25920000), '/', '' ,0);
+ require_once('secure_hash.inc.php');
+ setcookie('ORGaccess', hash_encrypt($password), (time()+25920000), '/', '' ,0);
}
$page->assign('mdpok', true);
}
-$page->addJsLink('javascript/md5.js');
-$page->addJsLink('javascript/motdepassemd5.js');
+$page->addJsLink('javascript/motdepasse.js');
$page->run();
?>
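Review bot: The ORGaccess cookie value is derived as `hash_encrypt($password)` here, in motdepasse.php above (L418) and in doAuth (L616), and checked against the same expression in the cookie-login path (L651), so the derivation scheme now lives in four places that must stay in step. A single helper in secure_hash.inc.php, e.g. `function access_cookie_value($password) { return hash_encrypt($password); }`, would give the scheme one definition and a place for a comment explaining that the cookie carries a hash of the stored hash. The enclosing block starts before this hunk.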
new_skinned_page('tmpPWD.success.tpl', AUTH_PUBLIC);
$page->run();
} else {
- new_skinned_page('motdepassemd5.tpl', AUTH_PUBLIC);
- $page->addJsLink('javascript/md5.js');
- $page->addJsLink('javascript/motdepassemd5.js');
+ new_skinned_page('motdepasse.tpl', AUTH_PUBLIC);
+ $page->addJsLink('javascript/motdepasse.js');
$page->run();
}
} else {
// Liens apparaissant toujours
$pub_tjs = array(
- "motdepassemd5.php" => "Changer mon mot de passe" ,
+ "motdepasse.php" => "Changer mon mot de passe" ,
"dons.php" => "Faire un don à l'association Polytechnique.org"
) ;
return false;
}
+ require_once('secure_hash.inc.php');
+
$hash = rand_url_id(12);
$pass = rand_pass();
- $pass_md5 = md5($pass);
+ $pass_encrypted = hash_encrypt($pass);
$fdate = strftime('%d %B %Y', strtotime($date));
$mymail = new XOrgMailer('marketing.relance.tpl');
$mymail->assign('lemail', $email);
$mymail->assign('subj', $alias.'@'.$globals->mail->domain);
$mymail->send();
- $globals->xdb->execute('UPDATE register_pending SET hash={?}, password={?}, relance=NOW() WHERE uid={?}', $hash, $pass_md5, $uid);
+ $globals->xdb->execute('UPDATE register_pending SET hash={?}, password={?}, relance=NOW() WHERE uid={?}', $hash, $pass_encrypted, $uid);
return "$prenom $nom ($promo)";
}
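Review bot: The `require_once('secure_hash.inc.php')` is inserted in the middle of the function body, after the early `return false`, and the same per-call-site pattern recurs at L60, L412, L435, L482, L586 and L650 in this change. Since every authentication and registration path now depends on `hash_encrypt`, requiring the file once from the common bootstrap (motdepasse.php above starts with `require_once('xorg.inc.php')`, which looks like that place) would remove the scattered includes and the risk of a new call site forgetting one. The enclosing function starts before this hunk.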
{
global $globals;
extract($sub_state);
+ require_once('secure_hash.inc.php');
$pass = rand_pass();
- $pass_md5 = md5($pass_clair);
+ $pass_encrypted = hash_encrypt($pass_clair);
$hash = rand_url_id(12);
$globals->xdb->execute('UPDATE auth_user_md5 SET last_known_email={?} WHERE matricule = {?}', $email, $mat);
$globals->xdb->execute(
"REPLACE INTO register_pending (uid, forlife, bestalias, mailorg2, password, email, date, relance, naissance, hash)
VALUES ({?}, {?}, {?}, {?}, {?}, {?}, NOW(), 0, {?}, {?})",
- $uid, $forlife, $bestalias, $mailorg2, $pass_md5, $email, $naissance, $hash);
+ $uid, $forlife, $bestalias, $mailorg2, $pass_encrypted, $email, $naissance, $hash);
require_once('xorg.mailer.inc.php');
$mymail = new XOrgMailer('inscrire.mail.tpl');
--- /dev/null
+<?php
+/***************************************************************************
+ * Copyright (C) 2003-2006 Polytechnique.org *
+ * http://opensource.polytechnique.org/ *
+ * *
+ * This program is free software; you can redistribute it and/or modify *
+ * it under the terms of the GNU General Public License as published by *
+ * the Free Software Foundation; either version 2 of the License, or *
+ * (at your option) any later version. *
+ * *
+ * This program is distributed in the hope that it will be useful, *
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of *
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the *
+ * GNU General Public License for more details. *
+ * *
+ * You should have received a copy of the GNU General Public License *
+ * along with this program; if not, write to the Free Software *
+ * Foundation, Inc., *
+ * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA *
+ ***************************************************************************/
+
+function hash_encrypt($s) {
+ return sha1($s);
+}
+
+function hash_xor($a, $b) {
+ $c = "";
+ $i = strlen($a);
+ $j = strlen($b);
+ if ($i < $j) {
+ $d = $a; $a = $b; $b = $d;
+ $k = $i; $i = $j; $j = $k;
+ }
+ for ($k = 0; $k < $j; $k++)
+ $c .= dechex(hexdec($a{$k}) ^ hexdec($b{$k}));
+ for (; $k < $i; $k++)
+ $c .= $a{$k};
+ return $c;
+}
+
+?>
\ No newline at end of file
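Review bot: `hash_encrypt` is a bare, unsalted `sha1()` of its argument and `hash_xor` relies on `hexdec`, which silently ignores non-hex characters, so a malformed `xorpass` produces a plausible-looking result instead of failing; neither function has a docblock saying what it expects. A header such as `/** Unsalted hex SHA-1; must match hash_encrypt() in javascript/secure_hash.js. */` and `/** XOR of two lowercase-hex strings; the tail of the longer one is appended unchanged. */` would record the contract the JavaScript side has to honour. The `$a{$k}` offset syntax can be written `$a[$k]`, which means the same thing and is the form later PHP versions keep. Since this is an include file, the closing `?>` (with no trailing newline) is better omitted so no stray output can precede headers.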
*/
function doAuth(&$page,$new_name=false)
{
- global $globals;
- if (identified()) { // ok, c'est bon, on n'a rien à faire
- return true;
- }
+ global $globals;
+ if (identified()) { // ok, c'est bon, on n'a rien à faire
+ return true;
+ }
if (Session::has('session')) {
$session =& Session::getMixed('session');
}
if (Env::has('username') && Env::has('response') && isset($session->challenge))
- {
- // si on vient de recevoir une identification par passwordpromptscreen.tpl
- // ou passwordpromptscreenlogged.tpl
+ {
+ // si on vient de recevoir une identification par passwordpromptscreen.tpl
+ // ou passwordpromptscreenlogged.tpl
$uname = Env::get('username');
if (Env::get('domain') == "alias") {
} else {
$login = $uname;
}
-
- $field = (!$redirect && preg_match('/^\d*$/', $uname)) ? 'id' : 'alias';
- $res = $globals->xdb->query(
- "SELECT u.user_id, u.password
- FROM auth_user_md5 AS u
- INNER JOIN aliases AS a ON ( a.id=u.user_id AND type!='homonyme' )
- WHERE a.$field = {?} AND u.perms IN('admin','user')", $login);
-
+
+ $field = (!$redirect && preg_match('/^\d*$/', $uname)) ? 'id' : 'alias';
+ $res = $globals->xdb->query(
+ "SELECT u.user_id, u.password
+ FROM auth_user_md5 AS u
+ INNER JOIN aliases AS a ON ( a.id=u.user_id AND type!='homonyme' )
+ WHERE a.$field = {?} AND u.perms IN('admin','user')", $login);
+
$logger =& Session::getMixed('log');
-
- if (list($uid, $password) = $res->fetchOneRow()) {
- $expected_response=md5("$uname:$password:{$session->challenge}");
- if (Env::get('response') == $expected_response) {
+ if (list($uid, $password) = $res->fetchOneRow()) {
+ require_once('secure_hash.inc.php');
+ $expected_response=hash_encrypt("$uname:$password:{$session->challenge}");
+ // le password de la base est peut-être encore encodé en md5
+ if (Env::get('response') != $expected_response) {
+ $new_password = hash_xor(Env::get('xorpass'), $password);
+ $expected_response = hash_encrypt("$uname:$new_password:{$session->challenge}");
+ if (Env::get('response') == $expected_response) {
+ $globals->xdb->execute("UPDATE auth_user_md5 SET password = {?} WHERE user_id = {?}", $new_password, $uid);
+ }
+ }
+ if (Env::get('response') == $expected_response) {
if (Env::has('domain')) {
if (($domain = Env::get('domain', 'login')) == 'alias') {
setcookie('ORGdomain', "alias", (time()+25920000), '/', '', 0);
// pour que la modification soit effective dans le reste de la page
$_COOKIE['ORGdomain'] = $domain;
}
-
- unset($session->challenge);
- if ($logger) {
- $logger->log('auth_ok');
+
+ unset($session->challenge);
+ if ($logger) {
+ $logger->log('auth_ok');
}
- start_connexion($uid, true);
+ start_connexion($uid, true);
if (Env::get('remember', 'false') == 'true') {
- $cookie = md5(Session::get('password'));
+ $cookie = hash_encrypt(Session::get('password'));
setcookie('ORGaccess',$cookie,(time()+25920000),'/','',0);
if ($logger) {
$logger->log("cookie_on");
$logger->log("cookie_off");
}
}
- return true;
- } elseif ($logger) {
+ return true;
+ } elseif ($logger) {
$logger->log('auth_fail','bad password');
}
- } elseif ($logger) {
- $logger->log('auth_fail','bad login');
+ } elseif ($logger) {
+ $logger->log('auth_fail','bad login');
}
- }
+ }
$this->doLogin($page,$new_name);
}
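Review bot: The new MD5-to-SHA-1 fallback runs on every failed response, including for accounts already stored as 40-character SHA-1, and both the fallback test and the final check use loose `!=`/`==` on digest strings; PHP compares two numeric-looking strings numerically, so strict comparison is the safer form here. Limiting the fallback to rows that still hold a 32-character value keeps the xor path off migrated accounts: `if (Env::get('response') !== $expected_response && strlen($password) == 32) {` and, for the final test, `if (Env::get('response') === $expected_response) {`. The UPDATE that rewrites the stored hash is silent; a line through the existing `$logger` when the migration succeeds would make the change auditable. The whitespace re-indentation of unchanged lines also makes this hunk considerably noisier than the functional change it carries.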
*/
function doLogin(&$page, $new_name=false)
{
- $page->addJsLink('javascript/md5.js');
+ $page->addJsLink('javascript/secure_hash.js');
if (logged() and !$new_name) {
$page->changeTpl('password_prompt_logged.tpl');
$page->addJsLink('javascript/do_challenge_response_logged.js');
);
if ($res->numRows() != 0) {
list($uid, $password) = $res->fetchOneRow();
- $expected_value = md5($password);
+ require_once('secure_hash.inc.php');
+ $expected_value = hash_encrypt($password);
if ($expected_value == Cookie::get('ORGaccess')) {
start_connexion($uid, false);
return 0;
htdocs/javascript/do_challenge_response.js
htdocs/javascript/md5.js
htdocs/javascript/xorg.js
-htdocs/motdepassemd5.php
+htdocs/motdepasse.php
htdocs/preferences.php
htdocs/recovery.php
htdocs/tmpPWD.php
templates/deconnexion.tpl
templates/index.tpl
templates/logger-view.tpl
-templates/motdepassemd5.success.tpl
-templates/motdepassemd5.tpl
+templates/motdepasse.success.tpl
+templates/motdepasse.tpl
templates/password_prompt_logged.tpl
templates/password_prompt.tpl
templates/preferences.tpl
<script type="text/javascript">
//<![CDATA[
function doEditUser() {
- document.forms.auth.hashpass.value = MD5(document.forms.edit.password.value);
+ document.forms.auth.hashpass.value = hash_encrypt(document.forms.edit.password.value);
document.forms.auth.password.value = "";
document.forms.auth.submit();
}
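Review bot: doEditUser now calls `hash_encrypt`, but nothing in this change shows secure_hash.js being linked on the page that renders this template; the login path received it through doLogin's `addJsLink('javascript/secure_hash.js')`, whereas here only the call site changed. If md5.js was made available to this template by an `addJsLink` or include that is not in this diff, it needs the same switch, otherwise the function is undefined and the form submits an empty `hashpass`. Please confirm against the page that loads this template.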
Que tu aimes les pingouins ou que tu préfères le site sous une apparence plus traditionnelle url=tu trouvera de quoi mettre le site Polytechnique.org à ton gout !
{/page}
- {page title="Changer mon mot de passe pour le site" url="motdepassemd5.php"|url}
+ {page title="Changer mon mot de passe pour le site" url="motdepasse.php"|url}
Grâce à cette page, tu peux changer le mot de passe qui te permet d'accéder au site
Polytechnique.org ainsi que les groupes X associés.
{/page}
qui comporte exactement les mêmes adresses que le domaine polytechnique.org.
</p>
<p>
-<strong><a href="{#globals.baseurl#}/motdepassemd5.php">Clique ici pour changer ton mot de passe.</a></strong>
+<strong><a href="{#globals.baseurl#}/motdepasse.php">Clique ici pour changer ton mot de passe.</a></strong>
</p>
<p>
N'oublie pas : si tu perds ton mot de passe, nous n'avons aucun engagement, en
<div>
<input type="hidden" name="challenge" value="{$smarty.session.session->challenge}" />
<input type="hidden" name="response" value="" />
+ <input type="hidden" name="xorpass" value="" />
<input type="hidden" name="username" value="" />
<input type="hidden" name="remember" value="" />
<input type="hidden" name="domain" value="" />
<div>
<input type="hidden" name="challenge" value="{$smarty.session.session->challenge}" />
<input type="hidden" name="username" value="{$smarty.cookies.ORGuid}" />
+ <input type="hidden" name="xorpass" value="" />
<input type="hidden" name="remember" value="" />
<input type="hidden" name="response" value="" />
</div>
</tr>
<tr class="impair">
<td>
- <h3><a href="{"motdepassemd5.php"|url}">Changer mon mot de passe pour le site</a></h3>
+ <h3><a href="{"motdepasse.php"|url}">Changer mon mot de passe pour le site</a></h3>
<div class='explication'>
permet de changer ton mot de passe pour accéder au site Polytechnique.org
</div>
--- /dev/null
+ALTER TABLE `auth_user_md5` CHANGE `password` `password` VARCHAR( 40 ) NOT NULL;
\ No newline at end of file
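Review bot: Widening `password` to `VARCHAR(40)` is the only schema step, so existing rows keep their 32-character MD5 value until the owner next logs in through doAuth's `xorpass` path, and `LENGTH(password) = 32` becomes the de-facto marker of an unmigrated account. A header comment stating that would save the next reader from reconstructing it, e.g. `-- #375: widen for hex SHA-1 (40 chars); existing 32-char MD5 values are converted lazily at login`. Accounts that never log in again will retain MD5 indefinitely, which is worth noting so a later clean-up (forced reset for the remaining 32-char rows) can be planned.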