maketank/Froxlor
2
0
Fork 0
Code Pull Requests Releases Activity

let admin chose what password-hash-algorithm is to be used to crypt() passwords; fixes #852

Browse Source 
Signed-off-by: Michael Kaufmann (d00p) <d00p@froxlor.org>
This commit is contained in:
Michael Kaufmann (d00p)
2013-04-14 18:41:21 +02:00
parent 271e4a660b
commit fb045c3fe1
10 changed files with 52 additions and 36 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
actions/admin/settings/210.security.php
View File

@@ -38,9 +38,17 @@ return array(
'default' => true,
'save_method' => 'storeSettingField',
),
),
),
),
'system_passwordcryptfunc' => array(
'label' => $lng['serversettings']['passwordcryptfunc'],
'settinggroup' => 'system',
'varname' => 'passwordcryptfunc',
'type' => 'option',
'default' => 0,
'option_mode' => 'one',
'option_options' => array(0 => $lng['serversettings']['systemdefault'], 1 => 'MD5', 2 => 'BLOWFISH', 3 => 'SHA-256', 4 => 'SHA-512'),
'save_method' => 'storeSettingField',
)
)
)
)
);
?>

2
admin_customers.php
View File

@@ -789,7 +789,7 @@ if($page == 'customers'
}
inserttask('1');
$cryptPassword = makeCryptPassword($password ,1);
$cryptPassword = makeCryptPassword($password);
$result = $db->query("INSERT INTO `" . TABLE_FTP_USERS . "` " . "(`customerid`, `username`, `password`, `homedir`, `login_enabled`, `uid`, `gid`) " . "VALUES ('" . (int)$customerid . "', '" . $db->escape($loginname) . "', '" . $db->escape($cryptPassword) . "', '" . $db->escape($documentroot) . "', 'y', '" . (int)$guid . "', '" . (int)$guid . "')");
$result = $db->query("INSERT INTO `" . TABLE_FTP_GROUPS . "` " . "(`customerid`, `groupname`, `gid`, `members`) " . "VALUES ('" . (int)$customerid . "', '" . $db->escape($loginname) . "', '" . $db->escape($guid) . "', '" . $db->escape($loginname) . "')");
$result = $db->query("INSERT INTO `" . TABLE_FTP_QUOTATALLIES . "` (`name`, `quota_type`, `bytes_in_used`, `bytes_out_used`, `bytes_xfer_used`, `files_in_used`, `files_out_used`, `files_xfer_used`) VALUES ('" . $db->escape($loginname) . "', 'user', '0', '0', '0', '0', '0', '0')");

4
customer_email.php
View File

@@ -458,7 +458,7 @@ elseif($page == 'accounts')
$password = substr(md5(uniqid(microtime(), 1)), 12, 6);
}
$cryptPassword = makeCryptPassword($password, 1);
$cryptPassword = makeCryptPassword($password);
$email_user=substr($email_full,0,strrpos($email_full,"@"));
$email_domain=substr($email_full,strrpos($email_full,"@")+1);
@@ -607,7 +607,7 @@ elseif($page == 'accounts')
$password = validatePassword($password);
$log->logAction(USR_ACTION, LOG_NOTICE, "changed email password for '" . $result['email_full'] . "'");
$cryptPassword = makeCryptPassword($password,1);
$cryptPassword = makeCryptPassword($password);
$result = $db->query("UPDATE `" . TABLE_MAIL_USERS . "` SET " . ($settings['system']['mailpwcleartext'] == '1' ? "`password` = '" . $db->escape($password) . "', " : '') . " `password_enc`='" . $db->escape($cryptPassword) . "' WHERE `customerid`='" . (int)$userinfo['customerid'] . "' AND `id`='" . (int)$result['popaccountid'] . "'");
redirectTo($filename, Array('page' => 'emails', 'action' => 'edit', 'id' => $id, 's' => $s));
}

4
customer_ftp.php
View File

@@ -188,7 +188,7 @@ elseif($page == 'accounts')
{
$path = makeCorrectDir($userinfo['documentroot'] . '/' . $path);
$cryptPassword = makeCryptPassword($password, 1);
$cryptPassword = makeCryptPassword($password);
$db->query("INSERT INTO `" . TABLE_FTP_USERS . "` (`customerid`, `username`, `password`, `homedir`, `login_enabled`, `uid`, `gid`) VALUES ('" . (int)$userinfo['customerid'] . "', '" . $db->escape($username) . "', '" . $db->escape($cryptPassword) . "', '" . $db->escape($path) . "', 'y', '" . (int)$userinfo['guid'] . "', '" . (int)$userinfo['guid'] . "')");
$result = $db->query("SELECT `bytes_in_used` FROM `" . TABLE_FTP_QUOTATALLIES . "` WHERE `name` = '" . $userinfo['loginname'] . "'");
while($row = $db->fetch_array($result))
@@ -312,7 +312,7 @@ elseif($page == 'accounts')
else
{
$log->logAction(USR_ACTION, LOG_INFO, "updated ftp-account password for '" . $result['username'] . "'");
$cryptPassword = makeCryptPassword($password, 1);
$cryptPassword = makeCryptPassword($password);
$db->query("UPDATE `" . TABLE_FTP_USERS . "` SET `password`='" . $db->escape($cryptPassword) . "' WHERE `customerid`='" . (int)$userinfo['customerid'] . "' AND `id`='" . (int)$id . "'");
// also update customers backup user password if password of main ftp user is changed

2
customer_index.php
View File

@@ -124,7 +124,7 @@ elseif($page == 'change_password')
if(isset($_POST['change_main_ftp'])
&& $_POST['change_main_ftp'] == 'true')
{
$cryptPassword = makeCryptPassword($new_password, 1);
$cryptPassword = makeCryptPassword($new_password);
$db->query("UPDATE `" . TABLE_FTP_USERS . "` SET `password`='" . $db->escape($cryptPassword) . "' WHERE `customerid`='" . (int)$userinfo['customerid'] . "' AND `username`='" . $db->escape($userinfo['loginname']) . "'");
$log->logAction(USR_ACTION, LOG_NOTICE, 'changed main ftp password');
}

1
install/froxlor.sql
View File

@@ -510,6 +510,7 @@ INSERT INTO `panel_settings` (`settinggroup`, `varname`, `value`) VALUES
('system', 'phpreload_command', ''),
('system', 'apache24', '0'),
('system', 'documentroot_use_default_value', '0'),
('system', 'passwordcryptfunc', '1'),
('panel', 'decimal_places', '4'),
('panel', 'adminmail', 'admin@SERVERNAME'),
('panel', 'phpmyadmin_url', ''),

2
install/updates/froxlor/0.9/update_0.9.inc.php
View File

@@ -2062,5 +2062,7 @@ if(isFroxlorVersion('0.9.28.1')) {
$db->query("INSERT INTO `panel_settings` (`settinggroup`, `varname`, `value`) VALUES ('panel', 'phpconfigs_hidestdsubdomain', '".$hide_stdsubdomains."');");
lastStepStatus(0);
// don't advertise security questions - just set a default silently
$db->query("INSERT INTO `panel_settings` (`settinggroup`, `varname`, `value`) VALUES ('system', 'passwordcryptfunc', '1');");
updateToVersion('0.9.29-dev1');
}

15
lib/functions/system/function.makeCryptPassword.php
View File

@@ -18,7 +18,6 @@
/**
* Make crypted password from clear text password
* @param string Password to be crypted
* @param int Type of algorithm
* @return string encrypted password
*
* @author Michal Wojcik <m.wojcik@sonet3.pl>
@@ -30,10 +29,13 @@
* 4 - SHA-512 $6$
*/
function makeCryptPassword ($password, $type = 0)
{
switch($type)
{
function makeCryptPassword ($password) {
global $settings;
$type = isset($settings['system']['passwordcryptfunc']) ? (int)$settings['system']['passwordcryptfunc'] : 1;
switch ($type) {
case 0:
$cryptPassword = crypt($password);
break;
@@ -53,6 +55,5 @@ function makeCryptPassword ($password, $type = 0)
$cryptPassword = crypt($password);
break;
}
return ($cryptPassword);
return $cryptPassword;
}

2
lng/english.lng.php
View File

@@ -1936,3 +1936,5 @@ $lng['admin']['domain_editable']['desc'] = 'If set to yes, the customer is allow
// Added in Froxlor 0.9.29-dev1
$lng['serversettings']['panel_phpconfigs_hidestdsubdomain']['title'] = 'Hide standard-subdomains in PHP-configuration overview';
$lng['serversettings']['panel_phpconfigs_hidestdsubdomain']['description'] = 'If activated the standard-subdomains for customers will not be displayed in the php-configurations overview<br /><br />Note: This is only visible if you have enabled FCGID or PHP-FPM';
$lng['serversettings']['passwordcryptfunc']['title'] = 'Chose which password-crypt method is to be used';
$lng['serversettings']['systemdefault'] = 'System default';

2
lng/german.lng.php
View File

@@ -1657,3 +1657,5 @@ $lng['admin']['domain_editable']['desc'] = 'Wenn ja, darf der Kunde verschiedene
// Added in Froxlor 0.9.29-dev1
$lng['serversettings']['panel_phpconfigs_hidestdsubdomain']['title'] = 'Verstecke Standard-Subdomains in PHP-Konfigurations-Übersicht';
$lng['serversettings']['panel_phpconfigs_hidestdsubdomain']['description'] = 'Wenn aktiviert, werden die Standard-Subdomains der Kunden nicht mehr in der PHP-Konfigurations-Übersicht angezeigt.<br /><br />Hinweis: Nur relevant, wenn FCGID oder PHP-FPM aktiviert ist.';
$lng['serversettings']['passwordcryptfunc']['title'] = 'Wähle zu verwendende Passwort-Verschlüsselungsmethode';
$lng['serversettings']['systemdefault'] = 'Systemstandard';