crypt() does not seem to like some special-characters in its salts, so we skip'em whenever we are generating a password as a salt-value, thx to Tobse101 for a nice debugging session ;)

Signed-off-by: Michael Kaufmann (d00p) <d00p@froxlor.org>
2015-10-02 17:09:41 +02:00
parent 94b43021ff
commit be5a13fbb1
2 changed files with 17 additions and 14 deletions
--- a/lib/functions/froxlor/function.generatePassword.php
+++ b/lib/functions/froxlor/function.generatePassword.php
@@ -17,39 +17,42 @@
 /**
 * Generates a random password
 *
 * @param boolean $isSalt
 *            optional, create a hash for a salt used in makeCryptPassword because crypt() does not like some special characters in its salts, default is false
 */
-function generatePassword()
+function generatePassword($isSalt = false)
 {
    $alpha_lower = 'abcdefghijklmnopqrstuvwxyz';
    $alpha_upper = strtoupper($alpha_lower);
    $numeric = '0123456789';
    $special = Settings::Get('panel.password_special_char');
    $length = Settings::Get('panel.password_min_length') > 3 ? Settings::Get('panel.password_min_length') : 10;
-
+    
    $pw = special_shuffle($alpha_lower);
    $n = floor(($length) / 4);
-
+    
    if (Settings::Get('panel.password_alpha_upper')) {
        $pw .= mb_substr(special_shuffle($alpha_upper), 0, $n);
    }
-
+    
    if (Settings::Get('panel.password_numeric')) {
        $pw .= mb_substr(special_shuffle($numeric), 0, $n);
    }
-
+    
-    if (Settings::Get('panel.password_special_char_required')) {
+    if (Settings::Get('panel.password_special_char_required') && !$isSalt) {
        $pw .= mb_substr(special_shuffle($special), 0, $n);
    }
-
+    
    $pw = mb_substr($pw, - $length);
-
+    
    return special_shuffle($pw);
 }
 /**
 * multibyte-character safe shuffle function
 *
- * @param string $str
+ * @param string $str            
 *
 * @return string
 */
--- a/lib/functions/system/function.makeCryptPassword.php
+++ b/lib/functions/system/function.makeCryptPassword.php
@@ -43,25 +43,25 @@ function makeCryptPassword ($password) {
 			$cryptPassword = crypt($password);
 			break;
 		case 1:
-			$cryptPassword = crypt($password, '$1$' . generatePassword().  generatePassword());
+			$cryptPassword = crypt($password, '$1$' . generatePassword(true).  generatePassword(true));
 			break;
 		case 2:
 			if (version_compare(phpversion(), '5.3.7', '<')) {
-				$cryptPassword = crypt($password, '$2a$' . generatePassword().  generatePassword());
+				$cryptPassword = crypt($password, '$2a$' . generatePassword(true).  generatePassword(true));
 			} else {
 				// Blowfish hashing with a salt as follows: "$2a$", "$2x$" or "$2y$",
 				// a two digit cost parameter, "$", and 22 characters from the alphabet "./0-9A-Za-z"
 				$cryptPassword = crypt(
 					$password,
-					'$2y$07$' . substr(generatePassword().generatePassword().generatePassword(), 0, 22)
+					'$2y$07$' . substr(generatePassword(true).generatePassword(true).generatePassword(true), 0, 22)
 				);
 			}
 			break;
 		case 3:
-			$cryptPassword = crypt($password, '$5$' . generatePassword().  generatePassword());
+			$cryptPassword = crypt($password, '$5$' . generatePassword(true).  generatePassword(true));
 			break;
 		case 4:
-			$cryptPassword = crypt($password, '$6$' . generatePassword().  generatePassword());
+			$cryptPassword = crypt($password, '$6$' . generatePassword(true).  generatePassword(true));
 			break;
 		default:
 			$cryptPassword = crypt($password);