Merge branch 'user-passwd-hash-backport' into 'config'

User passwd hash backport

See merge request leftypol/leftypol!18
This commit is contained in:
Zankaria Auxa 2024-12-27 15:31:22 +00:00
commit 1249fd765e
7 changed files with 38 additions and 6 deletions


@ -200,6 +200,9 @@
// Used to salt secure tripcodes ("##trip") and poster IDs (if enabled). // Used to salt secure tripcodes ("##trip") and poster IDs (if enabled).
$config['secure_trip_salt'] = ')(*&^%$#@!98765432190zyxwvutsrqponmlkjihgfedcba'; $config['secure_trip_salt'] = ')(*&^%$#@!98765432190zyxwvutsrqponmlkjihgfedcba';
// Used to salt poster passwords.
$config['secure_password_salt'] = 'wKJSb7M5SyzMcFWD2gPO3j2RYUSO9B789!@#$%^&*()';
/* /*
* ==================== * ====================
* Flood/spam settings * Flood/spam settings
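Review bot: The default value on the new `$config['secure_password_salt']` line is committed to the repository, so every installation that does not override it shares a public salt and the digest gains no site-specific secret from it. The installer hunk in this commit generates a random value for fresh installs, but presumably an existing site that upgrades never runs that step and keeps this default. I would extend the comment to say so: `// Used to salt poster passwords. This default is public: override it in your instance config (the installer generates one for new installs).`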


@ -3082,3 +3082,8 @@ function strategy_first($fun, $array) {
return array('defer'); return array('defer');
} }
} }
function hashPassword($password) {
global $config;
return hash('sha3-256', $password . $config['secure_password_salt']);
}
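Review bot: `hashPassword` has no docblock and its parameter and return are untyped; because the delete flow and the migration tool compare stored values by plain equality, the function is deliberately a deterministic keyed digest rather than a per-password-salted password hash, and that constraint deserves to be written down so nobody later swaps in `password_hash()` without also changing the lookups. I would change the signature to `function hashPassword(string $password): string {` and add a docblock stating that the output must be stable for a given input and salt, that `$config['secure_password_salt']` is the only secret involved, and that changing the salt invalidates every stored password. Nothing on the new lines handles a missing salt: with `$password . $config['secure_password_salt']` an unset key only emits a warning and the bare password is hashed, which may be worth rejecting explicitly.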


@ -881,6 +881,7 @@ if ($step == 0) {
$config['cookies']['salt'] = substr(base64_encode(sha1(rand())), 0, 30); $config['cookies']['salt'] = substr(base64_encode(sha1(rand())), 0, 30);
$config['secure_trip_salt'] = substr(base64_encode(sha1(rand())), 0, 30); $config['secure_trip_salt'] = substr(base64_encode(sha1(rand())), 0, 30);
$config['secure_password_salt'] = substr(base64_encode(sha1(rand())), 0, 30);
echo Element('page.html', array( echo Element('page.html', array(
'body' => Element('installer/config.html', array( 'body' => Element('installer/config.html', array(
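Review bot: The new `$config['secure_password_salt']` line in the installer derives the secret from `rand()`, which is not a cryptographic source, and wrapping it in `sha1()` and `base64_encode()` adds no entropy. The two neighbouring salt lines use the same construction, but those are existing code; the added line can draw from the CSPRNG directly, `$config['secure_password_salt'] = substr(base64_encode(random_bytes(24)), 0, 30);`, which keeps the 30-character shape the other salts use. The enclosing `if ($step == 0)` block starts and ends outside the hunk.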


@ -530,10 +530,12 @@ function handle_delete(Context $ctx)
$password = &$_POST['password']; $password = &$_POST['password'];
if ($password == '') { if (empty($password)) {
error($config['error']['invalidpassword']); error($config['error']['invalidpassword']);
} }
$password = hashPassword($_POST['password']);
$delete = []; $delete = [];
foreach ($_POST as $post => $value) { foreach ($_POST as $post => $value) {
if (preg_match('/^delete_(\d+)$/', $post, $m)) { if (preg_match('/^delete_(\d+)$/', $post, $m)) {
@ -1009,11 +1011,16 @@ function handle_post(Context $ctx)
} }
} }
// We must do this check now before the passowrd is hashed and overwritten.
if (\mb_strlen($_POST['password']) > 20) {
error(\sprintf($config['error']['toolong'], 'password'));
}
$post['name'] = $_POST['name'] != '' ? $_POST['name'] : $config['anonymous']; $post['name'] = $_POST['name'] != '' ? $_POST['name'] : $config['anonymous'];
$post['subject'] = $_POST['subject']; $post['subject'] = $_POST['subject'];
$post['email'] = str_replace(' ', '%20', htmlspecialchars($_POST['email'])); $post['email'] = str_replace(' ', '%20', htmlspecialchars($_POST['email']));
$post['body'] = $_POST['body']; $post['body'] = $_POST['body'];
$post['password'] = $_POST['password']; $post['password'] = hashPassword($_POST['password']);
$post['has_file'] = (!isset($post['embed']) && (($post['op'] && !isset($post['no_longer_require_an_image_for_op']) && $config['force_image_op']) || count($_FILES) > 0)); $post['has_file'] = (!isset($post['embed']) && (($post['op'] && !isset($post['no_longer_require_an_image_for_op']) && $config['force_image_op']) || count($_FILES) > 0));
if (!$dropped_post) { if (!$dropped_post) {
@ -1204,9 +1211,6 @@ function handle_post(Context $ctx)
error($config['error']['toolong_body']); error($config['error']['toolong_body']);
} }
} }
if (mb_strlen($post['password']) > 20) {
error(sprintf($config['error']['toolong'], 'password'));
}
} }
wordfilters($post['body']); wordfilters($post['body']);
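Review bot: In the `handle_delete` hunk the guard changed from `$password == ''` to `empty($password)`, which additionally rejects the literal password `0`, a value the old check accepted (`'0' == ''` is false); `if ($password === '') {` keeps the original behaviour while still being strict. On the next added line `$password` is still a reference to `$_POST['password']` (declared on the hunk's first context line), so `$password = hashPassword($_POST['password']);` also overwrites the request value with the digest, and if the rest of `handle_delete`, which continues outside the hunk, reads `$_POST['password']` again it now sees the hash; dropping the reference with `$password = $_POST['password'];` avoids that aliasing. The comment added in the `handle_post` hunk spells it `passowrd`.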


@ -88,6 +88,9 @@
<label for="secure_trip_salt">Secure trip (##) salt:</label> <label for="secure_trip_salt">Secure trip (##) salt:</label>
<input type="text" id="secure_trip_salt" name="secure_trip_salt" value="{{ config.secure_trip_salt }}" size="40"> <input type="text" id="secure_trip_salt" name="secure_trip_salt" value="{{ config.secure_trip_salt }}" size="40">
<label for="secure_password_salt">Poster password salt:</label>
<input type="text" id="secure_password_salt" name="secure_password_salt" value="{{ config.secure_password_salt }}" size="40">
<label for="more">Additional configuration:</label> <label for="more">Additional configuration:</label>
<textarea id="more" name="more">{{ more }}</textarea> <textarea id="more" name="more">{{ more }}</textarea>
</fieldset> </fieldset>


@ -13,7 +13,7 @@ CREATE TABLE IF NOT EXISTS ``posts_{{ board }}`` (
`files` text DEFAULT NULL, `files` text DEFAULT NULL,
`num_files` int(11) DEFAULT 0, `num_files` int(11) DEFAULT 0,
`filehash` text CHARACTER SET ascii, `filehash` text CHARACTER SET ascii,
`password` varchar(20) DEFAULT NULL, `password` varchar(64) DEFAULT NULL,
`ip` varchar(39) CHARACTER SET ascii NOT NULL, `ip` varchar(39) CHARACTER SET ascii NOT NULL,
`sticky` int(1) NOT NULL, `sticky` int(1) NOT NULL,
`locked` int(1) NOT NULL, `locked` int(1) NOT NULL,
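Review bot: The widened `password` column now stores a 64-character hex digest, but unlike the neighbouring `filehash` and `ip` columns it is not declared `CHARACTER SET ascii`, so it inherits the table's default (likely multibyte) charset and may use more storage than needed: `` `password` varchar(64) CHARACTER SET ascii DEFAULT NULL, ``. The `ALTER TABLE` in `tools/hash-passwords.php` should use the same definition so migrated and freshly created boards match.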

16
tools/hash-passwords.php Normal file

@ -0,0 +1,16 @@
<?php
require_once dirname(__FILE__) . '/inc/cli.php';
foreach (listBoards(true) as $uri) {
query(\sprintf('ALTER TABLE ``posts_%s`` MODIFY `password` varchar(64) DEFAULT NULL;', $uri)) or error(db_error());
$query = prepare(\sprintf("SELECT DISTINCT `password` FROM ``posts_%s``", $uri));
$query->execute() or error(db_error($query));
while($entry = $query->fetch(\PDO::FETCH_ASSOC)) {
$update_query = prepare(\sprintf("UPDATE ``posts_%s`` SET `password` = :password WHERE `password` = :password_org", $uri));
$update_query->bindValue(':password', hashPassword($entry['password']));
$update_query->bindValue(':password_org', $entry['password']);
$update_query->execute() or error(db_error());
}
}
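Review bot: The migration loop in `tools/hash-passwords.php` is not idempotent: a second run feeds every already-hashed value back through `hashPassword()` and replaces it with a digest of the digest, after which no stored password matches what a user types. Legacy values are at most 20 characters (the old column was `varchar(20)`) and a sha3-256 hex digest is exactly 64, so a length check tells them apart; I would skip such rows with `if ($entry['password'] === null || \strlen($entry['password']) === 64) { continue; }` before building the update. The same guard also removes the NULL-password case, which currently builds and executes an `UPDATE` whose `WHERE password = NULL` never matches.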