From: Florent Bruneau
Date: Fri, 26 Sep 2008 06:35:12 +0000 (+0200)
Subject: Don't send transition data if new_pass === old_pass.
X-Git-Tag: xorg/0.10.0~96
X-Git-Url: http://git.polytechnique.org/?a=commitdiff_plain;h=79afc233;p=platal.git

Don't send transition data if new_pass === old_pass.
Signed-off-by: Florent Bruneau
---
diff --git a/classes/xorgsession.php b/classes/xorgsession.php
index 3f7b5dd..05c2207 100644
--- a/classes/xorgsession.php
+++ b/classes/xorgsession.php
@@ -79,7 +79,8 @@ class XorgSession extends PlSession
 if (list($uid, $password) = $res->fetchOneRow()) {
 require_once 'secure_hash.inc.php';
 $expected_response = hash_encrypt("$uname:$password:" . S::v('challenge'));
- if ($response != $expected_response) {
+ if ($response != $expected_response && Env::has('xorpass')
+ && !preg_match('/^0*$/', Env::v('xorpass'))) {
 $new_password = hash_xor(Env::v('xorpass'), $password);
 $expected_response = hash_encrypt("$uname:$new_password:" . S::v('challenge'));
 if ($response == $expected_response) {
diff --git a/htdocs/javascript/do_challenge_response.js b/htdocs/javascript/do_challenge_response.js
index 0a9c94d..1156c0b 100644
--- a/htdocs/javascript/do_challenge_response.js
+++ b/htdocs/javascript/do_challenge_response.js
@@ -51,7 +51,9 @@ function doChallengeResponse() {
 document.forms.loginsub.challenge.value;
 document.forms.loginsub.response.value = hash_encrypt(str);
- document.forms.loginsub.xorpass.value = hash_xor(new_pass, old_pass);
+ if (new_pass != old_pass) {
+ document.forms.loginsub.xorpass.value = hash_xor(new_pass, old_pass);
+ }
 document.forms.loginsub.username.value = document.forms.login.username.value;
 document.forms.loginsub.remember.value = document.forms.login.remember.checked;
 document.forms.loginsub.domain.value = document.forms.login.domain.value;
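Review bot: In classes/xorgsession.php the rewritten condition still compares `$response` (presumably taken from the login form) with `!=`, and the last line of the hunk uses `==`. PHP's loose comparison treats numeric-looking strings as numbers, so two different digests can compare equal, and neither operator runs in constant time. For an authentication check the comparison should be strict, e.g. `if ($response !== $expected_response && Env::has('xorpass')`, or `hash_equals($expected_response, $response)` where the runtime provides it. Separately, `/^0*$/` also accepts a value that ends in a newline; `/^0*\z/` pins the end of the string. The enclosing `if (list(...))` block starts and ends outside the hunk, so what happens after the second match is not visible here.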
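Review bot: In htdocs/javascript/do_challenge_response.js the new `if` leaves `loginsub.xorpass` untouched when the two values are equal, so the field keeps whatever it held before. That could be its initial value, or a value left by an earlier call if the page is reused or restored from history; neither is visible in this hunk. Setting it on both paths makes the submitted form deterministic and lines up with the server-side check, which skips an empty or all-zero value: `document.forms.loginsub.xorpass.value = (new_pass != old_pass) ? hash_xor(new_pass, old_pass) : "";`. doChallengeResponse() starts and ends outside the hunk.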