From be5a13fbb19c7929ea006cd2e2392f5548ca1bfc Mon Sep 17 00:00:00 2001
From: "Michael Kaufmann (d00p)"
Date: Fri, 2 Oct 2015 17:09:41 +0200
Subject: [PATCH] crypt() does not seem to like some special-characters in its salts, so we skip'em whenever we are generating a password as a salt-value, thx to Tobse101 for a nice debugging session ;)
Signed-off-by: Michael Kaufmann (d00p)
---
 .../froxlor/function.generatePassword.php | 21 +++++++++++--------
 .../system/function.makeCryptPassword.php | 10 ++++-----
 2 files changed, 17 insertions(+), 14 deletions(-)
diff --git a/lib/functions/froxlor/function.generatePassword.php b/lib/functions/froxlor/function.generatePassword.php
index 14ec5ffe..ff15dca1 100644
--- a/lib/functions/froxlor/function.generatePassword.php
+++ b/lib/functions/froxlor/function.generatePassword.php
@@ -17,39 +17,42 @@
 
 /**
  * Generates a random password
+ *
+ * @param boolean $isSalt
+ * optional, create a hash for a salt used in makeCryptPassword because crypt() does not like some special characters in its salts, default is false
  */
-function generatePassword()
+function generatePassword($isSalt = false)
 {
 	$alpha_lower = 'abcdefghijklmnopqrstuvwxyz';
 	$alpha_upper = strtoupper($alpha_lower);
 	$numeric = '0123456789';
 	$special = Settings::Get('panel.password_special_char');
 	$length = Settings::Get('panel.password_min_length') > 3 ? Settings::Get('panel.password_min_length') : 10;
-
+
 	$pw = special_shuffle($alpha_lower);
 	$n = floor(($length) / 4);
-
+
 	if (Settings::Get('panel.password_alpha_upper')) {
 		$pw .= mb_substr(special_shuffle($alpha_upper), 0, $n);
 	}
-
+
 	if (Settings::Get('panel.password_numeric')) {
 		$pw .= mb_substr(special_shuffle($numeric), 0, $n);
 	}
-
-	if (Settings::Get('panel.password_special_char_required')) {
+
+	if (Settings::Get('panel.password_special_char_required') && !$isSalt) {
 		$pw .= mb_substr(special_shuffle($special), 0, $n);
 	}
-
+
 	$pw = mb_substr($pw, - $length);
-
+
 	return special_shuffle($pw);
 }
 
 /**
  * multibyte-character safe shuffle function
  *
- * @param string $str
+ * @param string $str
  *
  * @return string
  */
diff --git a/lib/functions/system/function.makeCryptPassword.php b/lib/functions/system/function.makeCryptPassword.php
index 730af6af..7e8cd640 100644
--- a/lib/functions/system/function.makeCryptPassword.php
+++ b/lib/functions/system/function.makeCryptPassword.php
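Review bot: When `$isSalt` is true the salt is still built by permuting alphabets — `special_shuffle($alpha_lower)` yields each lowercase letter at most once and `mb_substr($pw, - $length)` keeps the tail — so a salt's characters are not independent draws, and its length and character classes still follow `panel.password_min_length`, `panel.password_alpha_upper` and `panel.password_numeric`, which means relaxing the password policy silently shortens or narrows the salt of every hash created afterwards. Whether `special_shuffle` draws from a cryptographic random source is not visible here (its body lies outside the hunk). A dedicated salt helper with a fixed length, the `./0-9A-Za-z` alphabet that crypt() accepts, and a CSPRNG (`openssl_random_pseudo_bytes()` on the PHP 5 line this file still targets, `random_bytes()` on PHP 7+) would decouple salt quality from the password policy and would make the `$isSalt` flag unnecessary; a sketch follows. Because that alphabet has exactly 64 symbols, reducing a random byte modulo 64 stays uniform.
```php
/**
 * Returns a crypt()-compatible salt: $length characters from "./0-9A-Za-z",
 * each drawn independently from a cryptographic random source and not
 * influenced by the panel.password_* policy settings.
 */
function generateCryptSalt($length = 22)
{
	$alphabet = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
	$strong = false;
	$bytes = openssl_random_pseudo_bytes($length, $strong);
	if ($bytes === false || !$strong) {
		// no CSPRNG available: fail loudly rather than hash with a weak salt
		throw new RuntimeException('no cryptographically strong random source available');
	}
	$salt = '';
	for ($i = 0; $i < $length; $i++) {
		// 256 % 64 == 0, so the modulo introduces no bias
		$salt .= $alphabet[ord($bytes[$i]) % 64];
	}
	return $salt;
}
```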
@@ -43,25 +43,25 @@ function makeCryptPassword ($password) {
 			$cryptPassword = crypt($password);
 			break;
 		case 1:
-			$cryptPassword = crypt($password, '$1$' . generatePassword(). generatePassword());
+			$cryptPassword = crypt($password, '$1$' . generatePassword(true). generatePassword(true));
 			break;
 		case 2:
 			if (version_compare(phpversion(), '5.3.7', '<')) {
-				$cryptPassword = crypt($password, '$2a$' . generatePassword(). generatePassword());
+				$cryptPassword = crypt($password, '$2a$' . generatePassword(true). generatePassword(true));
 			} else {
 				// Blowfish hashing with a salt as follows: "$2a$", "$2x$" or "$2y$",
 				// a two digit cost parameter, "$", and 22 characters from the alphabet "./0-9A-Za-z"
 				$cryptPassword = crypt(
 					$password,
-					'$2y$07$' . substr(generatePassword().generatePassword().generatePassword(), 0, 22)
+					'$2y$07$' . substr(generatePassword(true).generatePassword(true).generatePassword(true), 0, 22)
 				);
 			}
 			break;
 		case 3:
-			$cryptPassword = crypt($password, '$5$' . generatePassword(). generatePassword());
+			$cryptPassword = crypt($password, '$5$' . generatePassword(true). generatePassword(true));
 			break;
 		case 4:
-			$cryptPassword = crypt($password, '$6$' . generatePassword(). generatePassword());
+			$cryptPassword = crypt($password, '$6$' . generatePassword(true). generatePassword(true));
 			break;
 		default:
 			$cryptPassword = crypt($password);
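Review bot: None of the rewritten `crypt()` calls checks its result, yet crypt() reports a rejected salt by returning a string shorter than 13 characters rather than raising an error — presumably how the special-character salts this commit works around went unnoticed until a debugging session. A guard after the switch such as `if (strlen($cryptPassword) < 13) { throw new RuntimeException('crypt() rejected the salt'); }` (or whatever error path this file uses; makeCryptPassword starts before and continues after the hunk) would turn the next invalid salt into a visible failure instead of a stored, unusable hash. The `$2a$` line for PHP < 5.3.7 looks like such a case: the Blowfish format expects a two-digit cost between the prefix and the salt, which that concatenation appears to lack. Separately, `'$2y$07$'` on the `$2y$` branch is context rather than new code, but a cost of 7 (2^7 rounds) is low for bcrypt and worth a follow-up once the failure check is in place.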