ソースを参照
ease the migration process for the previous security patch (by introducing another migration); restore php 5.4 compatibility (introducing a polyfill system)
pull/47/head^2
czaks
8年前
6個のファイルの変更、48行の追加、16行の削除
分割表示
差分オプション
-
+2 -0inc/functions.php
-
+5 -5inc/mod/auth.php
-
+9 -9inc/mod/pages.php
-
+28 -0inc/polyfill.php
-
+3 -1install.php
-
+1 -1install.sql
+ 2
- 0
inc/functions.php
ファイルの表示
| @@ -18,6 +18,8 @@ require_once 'inc/template.php'; | |||
| require_once 'inc/database.php'; | |||
| require_once 'inc/events.php'; | |||
| require_once 'inc/api.php'; | |||
| require_once 'inc/polyfill.php'; | |||
| if (!extension_loaded('gettext')) { | |||
| require_once 'inc/lib/gettext/gettext.inc'; | |||
| } | |||
+ 5
- 5
inc/mod/auth.php
ファイルの表示
| @@ -76,20 +76,20 @@ function generate_salt() { | |||
| function login($username, $password) { | |||
| global $mod, $config; | |||
| $query = prepare("SELECT `id`, `type`, `boards`, `password`, `salt` FROM ``mods`` WHERE `username` = :username"); | |||
| $query = prepare("SELECT `id`, `type`, `boards`, `password`, `version` FROM ``mods`` WHERE `username` = :username"); | |||
| $query->bindValue(':username', $username); | |||
| $query->execute() or error(db_error($query)); | |||
| if ($user = $query->fetch(PDO::FETCH_ASSOC)) { | |||
| list($version, $ok) = test_password($user['password'], $user['salt'], $password); | |||
| list($version, $ok) = test_password($user['password'], $user['version'], $password); | |||
| if ($ok) { | |||
| if ($config['password_crypt_version'] > $version) { | |||
| // It's time to upgrade the password hashing method! | |||
| list ($user['salt'], $user['password']) = crypt_password($password); | |||
| $query = prepare("UPDATE ``mods`` SET `password` = :password, `salt` = :salt WHERE `id` = :id"); | |||
| list ($user['version'], $user['password']) = crypt_password($password); | |||
| $query = prepare("UPDATE ``mods`` SET `password` = :password, `version` = :version WHERE `id` = :id"); | |||
| $query->bindValue(':password', $user['password']); | |||
| $query->bindValue(':salt', $user['salt']); | |||
| $query->bindValue(':version', $user['version']); | |||
| $query->bindValue(':id', $user['id']); | |||
| $query->execute() or error(db_error($query)); | |||
| } | |||
+ 9
- 9
inc/mod/pages.php
ファイルの表示
| @@ -1734,12 +1734,12 @@ function mod_user($uid) { | |||
| } | |||
| if ($_POST['password'] != '') { | |||
| list($salt, $password) = crypt_password($_POST['password']); | |||
| list($version, $password) = crypt_password($_POST['password']); | |||
| $query = prepare('UPDATE ``mods`` SET `password` = :password, `salt` = :salt WHERE `id` = :id'); | |||
| $query = prepare('UPDATE ``mods`` SET `password` = :password, `version` = :version WHERE `id` = :id'); | |||
| $query->bindValue(':id', $uid); | |||
| $query->bindValue(':password', $password); | |||
| $query->bindValue(':salt', $salt); | |||
| $query->bindValue(':version', $version); | |||
| $query->execute() or error(db_error($query)); | |||
| modLog('Changed password for ' . utf8tohtml($_POST['username']) . ' <small>(#' . $user['id'] . ')</small>'); | |||
| @@ -1760,12 +1760,12 @@ function mod_user($uid) { | |||
| if (hasPermission($config['mod']['change_password']) && $uid == $mod['id'] && isset($_POST['password'])) { | |||
| if ($_POST['password'] != '') { | |||
| list($salt, $password) = crypt_password($_POST['password']); | |||
| list($version, $password) = crypt_password($_POST['password']); | |||
| $query = prepare('UPDATE ``mods`` SET `password` = :password, `salt` = :salt WHERE `id` = :id'); | |||
| $query = prepare('UPDATE ``mods`` SET `password` = :password, `version` = :version WHERE `id` = :id'); | |||
| $query->bindValue(':id', $uid); | |||
| $query->bindValue(':password', $password); | |||
| $query->bindValue(':salt', $salt); | |||
| $query->bindValue(':version', $version); | |||
| $query->execute() or error(db_error($query)); | |||
| modLog('Changed own password'); | |||
| @@ -1832,12 +1832,12 @@ function mod_user_new() { | |||
| if (!isset($config['mod']['groups'][$type]) || $type == DISABLED) | |||
| error(sprintf($config['error']['invalidfield'], 'type')); | |||
| list($salt, $password) = crypt_password($_POST['password']); | |||
| list($version, $password) = crypt_password($_POST['password']); | |||
| $query = prepare('INSERT INTO ``mods`` VALUES (NULL, :username, :password, :salt, :type, :boards)'); | |||
| $query = prepare('INSERT INTO ``mods`` VALUES (NULL, :username, :password, :version, :type, :boards)'); | |||
| $query->bindValue(':username', $_POST['username']); | |||
| $query->bindValue(':password', $password); | |||
| $query->bindValue(':salt', $salt); | |||
| $query->bindValue(':version', $version); | |||
| $query->bindValue(':type', $type); | |||
| $query->bindValue(':boards', implode(',', $boards)); | |||
| $query->execute() or error(db_error($query)); | |||
+ 28
- 0
inc/polyfill.php
ファイルの表示
| @@ -0,0 +1,28 @@ | |||
| <?php | |||
| // PHP 5.4 | |||
| if (!function_exists('hex2bin')) { | |||
| function hex2bin($data) { | |||
| return pack("H*" , $hex_string); | |||
| } | |||
| } | |||
| // PHP 5.6 | |||
| if (!function_exists('hash_equals')) { | |||
| function hash_equals($ours, $theirs) { | |||
| $ours = (string)$ours; | |||
| $theirs = (string)$theirs; | |||
| $tlen = strlen($theirs); | |||
| $olen = strlen($ours); | |||
| $answer = 0; | |||
| for ($i = 0; $i < $tlen; $i++) { | |||
| $answer |= ord($ours[$olen > $i ? $i : 0]) ^ ord($theirs[$i]); | |||
| } | |||
| return $answer === 0 && $olen === $tlen; | |||
| } | |||
| } | |||
+ 3
- 1
install.php
ファイルの表示
| @@ -1,7 +1,7 @@ | |||
| <?php | |||
| // Installation/upgrade file | |||
| define('VERSION', '5.0.0'); | |||
| define('VERSION', '5.0.1'); | |||
| require 'inc/functions.php'; | |||
| @@ -556,6 +556,8 @@ if (file_exists($config['has_installed'])) { | |||
| case '4.9.93': | |||
| query('ALTER TABLE ``mods`` CHANGE `password` `password` VARCHAR(255) NOT NULL;') or error(db_error()); | |||
| query('ALTER TABLE ``mods`` CHANGE `salt` `salt` VARCHAR(64) NOT NULL;') or error(db_error()); | |||
| case '5.0.0': | |||
| query('ALTER TABLE ``mods`` CHANGE `salt` `version` VARCHAR(64) NOT NULL;') or error(db_error()); | |||
| case false: | |||
| // TODO: enhance Tinyboard -> vichan upgrade path. | |||
| query("CREATE TABLE IF NOT EXISTS ``search_queries`` ( `ip` varchar(39) NOT NULL, `time` int(11) NOT NULL, `query` text NOT NULL) ENGINE=MyISAM DEFAULT CHARSET=utf8;") or error(db_error()); | |||
+ 1
- 1
install.sql
ファイルの表示
| @@ -132,7 +132,7 @@ CREATE TABLE IF NOT EXISTS `mods` ( | |||
| `id` smallint(6) unsigned NOT NULL AUTO_INCREMENT, | |||
| `username` varchar(30) NOT NULL, | |||
| `password` varchar(256) CHARACTER SET ascii NOT NULL COMMENT 'SHA256', | |||
| `salt` varchar(64) CHARACTER SET ascii NOT NULL, | |||
| `version` varchar(64) CHARACTER SET ascii NOT NULL, | |||
| `type` smallint(2) NOT NULL, | |||
| `boards` text CHARACTER SET utf8 NOT NULL, | |||
| PRIMARY KEY (`id`), | |||