From: x2000habouzit Date: Sun, 2 Jul 2006 12:34:10 +0000 (+0000) Subject: don't be clever: let the hash go clear on the net, the user should use https, sorry... X-Git-Tag: xorg/0.9.10~20 X-Git-Url: http://git.polytechnique.org/?a=commitdiff_plain;h=e712b5fe324c1bda60f14988dd18f46934cfd47f;p=platal.git don't be clever: let the hash go clear on the net, the user should use https, sorry for him. but requesting the old password is: (1) quite not very good as the user already typed it to change its password, so it looks like not very good design (2) more than completely broken for people THAT LOST IT AND TRY TO GET IT BACK !? git-svn-id: svn+ssh://murphy/home/svn/platal/branches/platal-0.9.10@354 839d8a87-29fc-0310-9880-83ba4fa771e5 --- diff --git a/htdocs/javascript/motdepasse.js b/htdocs/javascript/motdepasse.js index 5e4c5c8..60c5e49 100644 --- a/htdocs/javascript/motdepasse.js +++ b/htdocs/javascript/motdepasse.js @@ -31,16 +31,10 @@ function EnCryptedResponse() { return false; exit; } - - old_pass = hash_encrypt(document.forms.changepass.ancien.value); - - str = old_pass + ":" + - document.forms.changepass.challenge.value; - document.forms.changepass2.response.value = hash_encrypt(str); - str = hash_xor(hash_encrypt(document.forms.changepass.nouveau.value), old_pass); + str = hash_encrypt(document.forms.changepass.nouveau.value); document.forms.changepass2.response2.value = str; - + alert ("Le mot de passe que tu as rentré va être chiffré avant de nous parvenir par Internet ! Ainsi il ne circulera pas en clair."); document.forms.changepass2.submit(); return true; diff --git a/htdocs/motdepasse.php b/htdocs/motdepasse.php index 1f79fb8..a590dd1 100644 --- a/htdocs/motdepasse.php +++ b/htdocs/motdepasse.php 
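Review bot: The alert added near the end of the hunk tells the user the password "ne circulera pas en clair", but the value put in response2 is a bare, unsalted hash_encrypt() digest that the server side of this same commit stores verbatim and keeps as the credential, so it is a password-equivalent and — as the commit message itself admits — it crosses the network in the clear whenever the page is not served over HTTPS. Either reword the message so it stops promising a protection the code does not give, or, better, refuse to post over plain HTTP: `if (document.location.protocol != 'https:') { alert('Connexion non sécurisée : utilise https'); return false; }` just before `document.forms.changepass2.submit();`. What hash_encrypt computes (MD5 or otherwise) is not visible here, but since no salt is mixed in, a captured digest is also cheap to reverse offline, which is worth a one-line comment above the `str = hash_encrypt(...)` assignment. EnCryptedResponse() begins before this hunk.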
@@ -23,14 +23,7 @@ require_once('xorg.inc.php'); if (Post::has('response2')) { require_once('secure_hash.inc.php'); - if (hash_encrypt($_SESSION['password'].":".$_SESSION['session']->challenge) != Post::get('response')) { - new_skinned_page('motdepasse.tpl', AUTH_MDP); - $page->addJsLink('javascript/motdepasse.js'); - $page->assign('xorg_title','Polytechnique.org - Mon mot de passe'); - $page->trig('Ancien mot de passe erronné'); - $page->run(); - } - $password = hash_xor(Post::get('response2'), $_SESSION['password']); + $password = Post::get('response2'); $_SESSION['password'] = $password; $globals->xdb->execute('UPDATE auth_user_md5 SET password={?} WHERE user_id={?}', $password, Session::getInt('uid')); diff --git a/templates/motdepasse.tpl b/templates/motdepasse.tpl index f189d31..22a272d 100644 --- a/templates/motdepasse.tpl +++ b/templates/motdepasse.tpl @@ -44,15 +44,6 @@ - Ancien mot de passe : - - - - - - - - Nouveau mot de passe : @@ -76,7 +67,6 @@
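Review bot: With the old-password comparison removed, the `if (Post::has('response2'))` branch now takes whatever string arrives in response2 and writes it straight into auth_user_md5 and `$_SESSION['password']` without any check on its shape, so a value that was never hashed client-side becomes the stored credential, and since no CSRF token is visible in the hunk and `Post::has('response2')` is the only gate, any request a logged-in browser can be induced to send (forged form, XSS) changes the password silently. At minimum reject anything that is not a digest before the UPDATE, e.g. `$password = Post::get('response2'); if (!ctype_xdigit($password) || strlen($password) != strlen(hash_encrypt(''))) { /* trig error and return */ }`, and bind the write to a per-session token posted with the form. The lost-password case the commit message argues for could keep an unauthenticated path while the ordinary change-password form still re-authenticates; that distinction is not visible here and deserves a comment above the branch explaining which flows reach it. Note also that the removed line shows the server verifying `hash_encrypt($_SESSION['password'].":".challenge)`, so if login works the same way the stored digest is directly replayable from a database dump; the enclosing if block continues past the hunk.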

-