From 79afc23396b43b53af62908f04f528f515bde978 Mon Sep 17 00:00:00 2001
From: Florent Bruneau
Date: Fri, 26 Sep 2008 08:35:12 +0200
Subject: [PATCH] Don't send transition data if new_pass === old_pass.
Signed-off-by: Florent Bruneau
---
 classes/xorgsession.php | 3 ++-
 htdocs/javascript/do_challenge_response.js | 4 +++-
 2 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/classes/xorgsession.php b/classes/xorgsession.php
index 3f7b5dd..05c2207 100644
--- a/classes/xorgsession.php
+++ b/classes/xorgsession.php
@@ -79,7 +79,8 @@ class XorgSession extends PlSession
 if (list($uid, $password) = $res->fetchOneRow()) {
 require_once 'secure_hash.inc.php';
 $expected_response = hash_encrypt("$uname:$password:" . S::v('challenge'));
- if ($response != $expected_response) {
+ if ($response != $expected_response && Env::has('xorpass')
+ && !preg_match('/^0*$/', Env::v('xorpass'))) {
 $new_password = hash_xor(Env::v('xorpass'), $password);
 $expected_response = hash_encrypt("$uname:$new_password:" . S::v('challenge'));
 if ($response == $expected_response) {
diff --git a/htdocs/javascript/do_challenge_response.js b/htdocs/javascript/do_challenge_response.js
index 0a9c94d..1156c0b 100644
--- a/htdocs/javascript/do_challenge_response.js
+++ b/htdocs/javascript/do_challenge_response.js
@@ -51,7 +51,9 @@ function doChallengeResponse() {
 document.forms.loginsub.challenge.value;
 document.forms.loginsub.response.value = hash_encrypt(str);
- document.forms.loginsub.xorpass.value = hash_xor(new_pass, old_pass);
+ if (new_pass != old_pass) {
+ document.forms.loginsub.xorpass.value = hash_xor(new_pass, old_pass);
+ }
 document.forms.loginsub.username.value = document.forms.login.username.value;
 document.forms.loginsub.remember.value = document.forms.login.remember.checked;
 document.forms.loginsub.domain.value = document.forms.login.domain.value;
-- 
2.1.4
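Review bot: In classes/xorgsession.php the rewritten condition still compares `$response` with the loose `!=`, and the nested check at the end of the hunk uses `==`; `$response` appears to be the value the login form posts as `loginsub.response`. Under loose comparison PHP treats two numeric-looking strings as numbers, so two different digests can be judged equal, which an authentication check should not allow. Assuming both values are strings, make the comparisons strict: `if ($response !== $expected_response && Env::has('xorpass')` and `if ($response === $expected_response) {`. Where the runtime provides it, `hash_equals($expected_response, $response)` additionally removes the timing difference. Both `if` blocks continue past the end of the hunk, so what is done with `$new_password` after a match is not visible here.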
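Review bot: In htdocs/javascript/do_challenge_response.js the `xorpass` field keeps whatever value it already held when `new_pass` equals `old_pass`, because the new `if` has no `else` branch. A value left over from an earlier attempt on the same page, or a default set in the markup, would then still be posted and used by the server for the transition check. Clearing it explicitly keeps the two sides in step, since the PHP check treats an empty or all-zero `xorpass` as "no transition": `} else { document.forms.loginsub.xorpass.value = ""; }`. The subject line says `===`, so `new_pass !== old_pass` would also match the stated intent. The body of `doChallengeResponse` starts and ends outside the hunk, so where `new_pass` and `old_pass` come from is not shown.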