ease the migration process for the previous security patch (by introducing another migration); restore php 5.4 compatibility (introducing a polyfill system)
This commit is contained in:
parent
2caad90755
commit
7c3126866c
@ -18,6 +18,8 @@ require_once 'inc/template.php';
|
||||
require_once 'inc/database.php';
|
||||
require_once 'inc/events.php';
|
||||
require_once 'inc/api.php';
|
||||
require_once 'inc/polyfill.php';
|
||||
|
||||
if (!extension_loaded('gettext')) {
|
||||
require_once 'inc/lib/gettext/gettext.inc';
|
||||
}
|
||||
|
@ -76,20 +76,20 @@ function generate_salt() {
|
||||
function login($username, $password) {
|
||||
global $mod, $config;
|
||||
|
||||
$query = prepare("SELECT `id`, `type`, `boards`, `password`, `salt` FROM ``mods`` WHERE `username` = :username");
|
||||
$query = prepare("SELECT `id`, `type`, `boards`, `password`, `version` FROM ``mods`` WHERE `username` = :username");
|
||||
$query->bindValue(':username', $username);
|
||||
$query->execute() or error(db_error($query));
|
||||
|
||||
if ($user = $query->fetch(PDO::FETCH_ASSOC)) {
|
||||
list($version, $ok) = test_password($user['password'], $user['salt'], $password);
|
||||
list($version, $ok) = test_password($user['password'], $user['version'], $password);
|
||||
|
||||
if ($ok) {
|
||||
if ($config['password_crypt_version'] > $version) {
|
||||
// It's time to upgrade the password hashing method!
|
||||
list ($user['salt'], $user['password']) = crypt_password($password);
|
||||
$query = prepare("UPDATE ``mods`` SET `password` = :password, `salt` = :salt WHERE `id` = :id");
|
||||
list ($user['version'], $user['password']) = crypt_password($password);
|
||||
$query = prepare("UPDATE ``mods`` SET `password` = :password, `version` = :version WHERE `id` = :id");
|
||||
$query->bindValue(':password', $user['password']);
|
||||
$query->bindValue(':salt', $user['salt']);
|
||||
$query->bindValue(':version', $user['version']);
|
||||
$query->bindValue(':id', $user['id']);
|
||||
$query->execute() or error(db_error($query));
|
||||
}
|
||||
|
@ -1734,12 +1734,12 @@ function mod_user($uid) {
|
||||
}
|
||||
|
||||
if ($_POST['password'] != '') {
|
||||
list($salt, $password) = crypt_password($_POST['password']);
|
||||
list($version, $password) = crypt_password($_POST['password']);
|
||||
|
||||
$query = prepare('UPDATE ``mods`` SET `password` = :password, `salt` = :salt WHERE `id` = :id');
|
||||
$query = prepare('UPDATE ``mods`` SET `password` = :password, `version` = :version WHERE `id` = :id');
|
||||
$query->bindValue(':id', $uid);
|
||||
$query->bindValue(':password', $password);
|
||||
$query->bindValue(':salt', $salt);
|
||||
$query->bindValue(':version', $version);
|
||||
$query->execute() or error(db_error($query));
|
||||
|
||||
modLog('Changed password for ' . utf8tohtml($_POST['username']) . ' <small>(#' . $user['id'] . ')</small>');
|
||||
@ -1760,12 +1760,12 @@ function mod_user($uid) {
|
||||
|
||||
if (hasPermission($config['mod']['change_password']) && $uid == $mod['id'] && isset($_POST['password'])) {
|
||||
if ($_POST['password'] != '') {
|
||||
list($salt, $password) = crypt_password($_POST['password']);
|
||||
list($version, $password) = crypt_password($_POST['password']);
|
||||
|
||||
$query = prepare('UPDATE ``mods`` SET `password` = :password, `salt` = :salt WHERE `id` = :id');
|
||||
$query = prepare('UPDATE ``mods`` SET `password` = :password, `version` = :version WHERE `id` = :id');
|
||||
$query->bindValue(':id', $uid);
|
||||
$query->bindValue(':password', $password);
|
||||
$query->bindValue(':salt', $salt);
|
||||
$query->bindValue(':version', $version);
|
||||
$query->execute() or error(db_error($query));
|
||||
|
||||
modLog('Changed own password');
|
||||
@ -1832,12 +1832,12 @@ function mod_user_new() {
|
||||
if (!isset($config['mod']['groups'][$type]) || $type == DISABLED)
|
||||
error(sprintf($config['error']['invalidfield'], 'type'));
|
||||
|
||||
list($salt, $password) = crypt_password($_POST['password']);
|
||||
list($version, $password) = crypt_password($_POST['password']);
|
||||
|
||||
$query = prepare('INSERT INTO ``mods`` VALUES (NULL, :username, :password, :salt, :type, :boards)');
|
||||
$query = prepare('INSERT INTO ``mods`` VALUES (NULL, :username, :password, :version, :type, :boards)');
|
||||
$query->bindValue(':username', $_POST['username']);
|
||||
$query->bindValue(':password', $password);
|
||||
$query->bindValue(':salt', $salt);
|
||||
$query->bindValue(':version', $version);
|
||||
$query->bindValue(':type', $type);
|
||||
$query->bindValue(':boards', implode(',', $boards));
|
||||
$query->execute() or error(db_error($query));
|
||||
|
28
inc/polyfill.php
Normal file
28
inc/polyfill.php
Normal file
@ -0,0 +1,28 @@
|
||||
<?php
|
||||
|
||||
// PHP 5.4
|
||||
|
||||
if (!function_exists('hex2bin')) {
|
||||
function hex2bin($data) {
|
||||
return pack("H*" , $hex_string);
|
||||
}
|
||||
}
|
||||
|
||||
// PHP 5.6
|
||||
|
||||
if (!function_exists('hash_equals')) {
|
||||
function hash_equals($ours, $theirs) {
|
||||
$ours = (string)$ours;
|
||||
$theirs = (string)$theirs;
|
||||
|
||||
$tlen = strlen($theirs);
|
||||
$olen = strlen($ours);
|
||||
|
||||
$answer = 0;
|
||||
for ($i = 0; $i < $tlen; $i++) {
|
||||
$answer |= ord($ours[$olen > $i ? $i : 0]) ^ ord($theirs[$i]);
|
||||
}
|
||||
|
||||
return $answer === 0 && $olen === $tlen;
|
||||
}
|
||||
}
|
@ -1,7 +1,7 @@
|
||||
<?php
|
||||
|
||||
// Installation/upgrade file
|
||||
define('VERSION', '5.0.0');
|
||||
define('VERSION', '5.0.1');
|
||||
|
||||
require 'inc/functions.php';
|
||||
|
||||
@ -556,6 +556,8 @@ if (file_exists($config['has_installed'])) {
|
||||
case '4.9.93':
|
||||
query('ALTER TABLE ``mods`` CHANGE `password` `password` VARCHAR(255) NOT NULL;') or error(db_error());
|
||||
query('ALTER TABLE ``mods`` CHANGE `salt` `salt` VARCHAR(64) NOT NULL;') or error(db_error());
|
||||
case '5.0.0':
|
||||
query('ALTER TABLE ``mods`` CHANGE `salt` `version` VARCHAR(64) NOT NULL;') or error(db_error());
|
||||
case false:
|
||||
// TODO: enhance Tinyboard -> vichan upgrade path.
|
||||
query("CREATE TABLE IF NOT EXISTS ``search_queries`` ( `ip` varchar(39) NOT NULL, `time` int(11) NOT NULL, `query` text NOT NULL) ENGINE=MyISAM DEFAULT CHARSET=utf8;") or error(db_error());
|
||||
|
@ -132,7 +132,7 @@ CREATE TABLE IF NOT EXISTS `mods` (
|
||||
`id` smallint(6) unsigned NOT NULL AUTO_INCREMENT,
|
||||
`username` varchar(30) NOT NULL,
|
||||
`password` varchar(256) CHARACTER SET ascii NOT NULL COMMENT 'SHA256',
|
||||
`salt` varchar(64) CHARACTER SET ascii NOT NULL,
|
||||
`version` varchar(64) CHARACTER SET ascii NOT NULL,
|
||||
`type` smallint(2) NOT NULL,
|
||||
`boards` text CHARACTER SET utf8 NOT NULL,
|
||||
PRIMARY KEY (`id`),
|
||||
|
Loading…
Reference in New Issue
Block a user