Merge pull request #250 from dmjohnsson23/master
Upgrade password hashing function for better security
craigk5n authored Feb 15, 2022
2 parents 4c48f8e + 07cb27f commit 69d22af
Showing 17 changed files with 41 additions and 16 deletions.
28 changes: 23 additions & 5 deletions includes/user.php
Expand Up @@ -41,14 +41,32 @@ function user_valid_login ( $login, $password, $silent=false ) {
global $error;
$ret = $enabled = false;

$sql = 'SELECT cal_login, cal_enabled FROM webcal_user WHERE cal_login = ? AND cal_passwd = ?';
$res = dbi_execute ( $sql, [$login, md5 ( $password )] );
$sql = 'SELECT cal_login, cal_enabled, cal_passwd FROM webcal_user WHERE cal_login = ?';
$res = dbi_execute ( $sql, [$login] );
if ( $res ) {
$row = dbi_fetch_row ( $res );
if ( $row && $row[0] != '' ) {
// Check the password
$expected_hash = $row[2];
if ( strlen ( $expected_hash ) == 32 && ctype_xdigit ( $expected_hash ) ) {
// Old-Style MD5 password
$supplied_hash = md5 ( $password );
$okay = hash_equals ( $supplied_hash, $expected_hash );
$rehash = true;
} else {
// New-Style Secure Password
$okay = password_verify ( $password, $expected_hash );
$rehash = password_needs_rehash ( $expected_hash, PASSWORD_DEFAULT );
}
// Upgrade insecurely stored passwords
if ( $okay && $rehash ){
$new_hash = password_hash ( $password, PASSWORD_DEFAULT );
$sql = 'UPDATE webcal_user SET cal_passwd = ? WHERE cal_login = ?';
dbi_execute ( $sql, [$new_hash, $login] );
}
$enabled = ( $row[1] == 'Y' ? true : false );
// MySQL seems to do case insensitive matching, so double-check the login.
if ( $row[0] == $login )
if ( $okay && $row[0] == $login )
$ret = true; // found login/password
else if ( ! $silent )
$error = translate ( 'Invalid login', true ) . ': ' .
Expand Down Expand Up @@ -221,7 +239,7 @@ function user_add_user ( $user, $password, $firstname,
else
$ulastname = NULL;
if ( strlen ( $password ) )
$upassword = md5 ( $password );
$upassword = password_hash ( $password, PASSWORD_DEFAULT );
else
$upassword = NULL;
if ( $admin != 'Y' )
Expand Down Expand Up @@ -302,7 +320,7 @@ function user_update_user_password ( $user, $password ) {
global $error;

$sql = 'UPDATE webcal_user SET cal_passwd = ? WHERE cal_login = ?';
if ( ! dbi_execute ( $sql, [md5 ( $password ), $user] ) ) {
if ( ! dbi_execute ( $sql, [password_hash ( $password , PASSWORD_DEFAULT ), $user] ) ) {
$error = db_error();
return false;
}
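Review bot: The rehash UPDATE at `dbi_execute ( $sql, [$new_hash, $login] );` discards its return value, so a failed upgrade silently leaves the MD5 digest in place; the third hunk's user_update_user_password records `$error = db_error();` on failure and this path should at least do the same (or log it), since a column that was not yet widened to 255 would fail or truncate exactly here. A second gap is that when the SELECT returns no row neither hash_equals nor password_verify runs, so an unknown login answers measurably faster than a known login with a wrong password; running `password_verify ( $password, $dummy_hash )` against a fixed bcrypt string (generated once with password_hash) in the no-row branch equalizes the two paths. The legacy branch also changes semantics: the old SQL comparison `cal_passwd = ?` was case-insensitive on MySQL, as the hunk's own comment notes for cal_login, whereas hash_equals is byte-exact, so any stored digest written in uppercase hex would now reject a correct password — worth checking the data or lowercasing `$expected_hash` before the compare. user_valid_login starts at the hunk's `@@` line and its body continues past the hunk.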
4 changes: 2 additions & 2 deletions install/index.php
Expand Up @@ -367,14 +367,14 @@
db_populate( $install_filename, $display_sql );
}
if( empty( $display_sql ) ) {
// Convert passwords to md5 hashes if needed.
// Convert passwords to secure hashes if needed.
$res = dbi_execute( 'SELECT cal_login, cal_passwd FROM webcal_user',
array(), false, $show_all_errors );
if( $res ) {
while( $row = dbi_fetch_row( $res ) ) {
if( strlen( $row[1] ) < 30 )
dbi_execute( 'UPDATE webcal_user SET cal_passwd = ?
WHERE cal_login = ?', array( md5( $row[1] ), $row[0] ) );
WHERE cal_login = ?', array( password_hash( $row[1], PASSWORD_DEFAULT ), $row[0] ) );
}
dbi_free_result( $res );
}
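Review bot: The unchanged `strlen( $row[1] ) < 30` guard selects plaintext values only, so 32-character MD5 digests are skipped here and left to the lazy rehash in user_valid_login; the new comment should say so, e.g. `// Hash plaintext passwords (< 30 chars); legacy MD5 digests are upgraded lazily at login.` Accounts that never log in again therefore keep an MD5 digest indefinitely, which belongs in the upgrade notes. Each iteration now runs password_hash at the default cost instead of md5(), so this loop is noticeably slower on a large webcal_user table — acceptable for a one-time install step, but a short comment would stop someone "optimizing" it back. The enclosing `if( empty( $display_sql ) )` block continues outside the hunk.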
2 changes: 1 addition & 1 deletion install/sql/tables-db2.sql
@@ -1,6 +1,6 @@
CREATE TABLE webcal_user (
cal_login VARCHAR(25) NOT NULL,
cal_passwd VARCHAR(32),
cal_passwd VARCHAR(255),
cal_lastname VARCHAR(25),
cal_firstname VARCHAR(25),
cal_is_admin CHAR(1) DEFAULT 'N',
2 changes: 1 addition & 1 deletion install/sql/tables-ibase.sql
Expand Up @@ -23,7 +23,7 @@ CREATE TABLE WEBCAL_ENTRY
CREATE TABLE WEBCAL_USER
(
CAL_LOGIN VARCHAR(25) CHARACTER SET WIN1252 NOT NULL,
CAL_PASSWD VARCHAR(32) CHARACTER SET WIN1252,
CAL_PASSWD VARCHAR(255) CHARACTER SET WIN1252,
CAL_LASTNAME VARCHAR(25) CHARACTER SET WIN1252,
CAL_FIRSTNAME VARCHAR(25) CHARACTER SET WIN1252,
CAL_IS_ADMIN CHAR(1) CHARACTER SET WIN1252 DEFAULT 'N',
2 changes: 1 addition & 1 deletion install/sql/tables-mssql.sql
@@ -1,6 +1,6 @@
CREATE TABLE webcal_user (
cal_login VARCHAR(25) NOT NULL,
cal_passwd VARCHAR(32) NULL,
cal_passwd VARCHAR(255) NULL,
cal_lastname VARCHAR(25) NULL,
cal_firstname VARCHAR(25) NULL,
cal_is_admin CHAR(1) DEFAULT 'N',
2 changes: 1 addition & 1 deletion install/sql/tables-mysql.sql
Expand Up @@ -14,7 +14,7 @@ CREATE TABLE webcal_user (
/* the unique user login */
cal_login VARCHAR(25) NOT NULL,
/* the user's password. (not used for http) */
cal_passwd VARCHAR(32),
cal_passwd VARCHAR(255),
/* user's last name */
cal_lastname VARCHAR(25),
/* user's first name */
2 changes: 1 addition & 1 deletion install/sql/tables-oracle.sql
Expand Up @@ -8,7 +8,7 @@ CREATE TABLE webcal_user (
cal_lastname VARCHAR2(25),
cal_is_admin CHAR(1) DEFAULT 'N',
cal_last_login INT NULL,
cal_passwd VARCHAR2(32),
cal_passwd VARCHAR2(255),
cal_telephone VARCHAR2(50) NULL,
cal_title VARCHAR2(75) NULL,
PRIMARY KEY ( cal_login )
2 changes: 1 addition & 1 deletion install/sql/tables-postgres.sql
@@ -1,6 +1,6 @@
CREATE TABLE webcal_user (
cal_login VARCHAR(25) NOT NULL,
cal_passwd VARCHAR(32),
cal_passwd VARCHAR(255),
cal_lastname VARCHAR(25),
cal_firstname VARCHAR(25),
cal_is_admin CHAR(1) DEFAULT 'N',
2 changes: 1 addition & 1 deletion install/sql/tables-sqlite.php
Expand Up @@ -4,7 +4,7 @@
* This file will create an SQLite database.
*/
function populate_sqlite_db ( $database, $db ) {
sqlite_query($db, "CREATE TABLE webcal_user (cal_login VARCHAR(25) NOT NULL, cal_passwd VARCHAR(32), cal_lastname VARCHAR(25), cal_firstname VARCHAR(25), cal_is_admin CHAR(1) DEFAULT 'N',cal_email VARCHAR(75) NULL,cal_enabled CHAR(1) DEFAULT 'Y',cal_telephone VARCHAR(50) NULL,cal_address VARCHAR(75) NULL,cal_title VARCHAR(75) NULL,cal_birthday INT,cal_last_login INT, PRIMARY KEY ( cal_login ))");
sqlite_query($db, "CREATE TABLE webcal_user (cal_login VARCHAR(25) NOT NULL, cal_passwd VARCHAR(255), cal_lastname VARCHAR(25), cal_firstname VARCHAR(25), cal_is_admin CHAR(1) DEFAULT 'N',cal_email VARCHAR(75) NULL,cal_enabled CHAR(1) DEFAULT 'Y',cal_telephone VARCHAR(50) NULL,cal_address VARCHAR(75) NULL,cal_title VARCHAR(75) NULL,cal_birthday INT,cal_last_login INT, PRIMARY KEY ( cal_login ))");
sqlite_query($db, "INSERT INTO webcal_user ( cal_login, cal_passwd, cal_lastname, cal_firstname, cal_is_admin ) VALUES ( 'admin', '21232f297a57a5a743894a0e4a801fc3', 'Administrator', 'Default', 'Y' );");
sqlite_query($db, "CREATE TABLE webcal_entry ( cal_id INT NOT NULL, cal_group_id INT NULL, cal_ext_for_id INT NULL, cal_create_by VARCHAR(25) NOT NULL, cal_date INT NOT NULL, cal_time INT NULL, cal_mod_date INT, cal_mod_time INT, cal_duration INT NOT NULL, cal_due_date INT default NULL, cal_due_time INT default NULL, cal_location varchar(100) default NULL, cal_url varchar(100) default NULL, cal_completed INT default NULL, cal_priority INT DEFAULT 5, cal_type CHAR(1) DEFAULT 'E', cal_access CHAR(1) DEFAULT 'P', cal_name VARCHAR(80) NOT NULL, cal_description TEXT, PRIMARY KEY ( cal_id ))");
sqlite_query($db, "CREATE TABLE webcal_entry_repeats ( cal_id INT DEFAULT 0 NOT NULL, cal_type VARCHAR(20), cal_end INT, cal_frequency INT DEFAULT 1, cal_days CHAR(7), cal_endtime int(11) default NULL, cal_bymonth varchar(50) default NULL, cal_bymonthday varchar(100) default NULL, cal_byday varchar(100) default NULL, cal_bysetpos varchar(50) default NULL, cal_byweekno varchar(50) default NULL, cal_byyearday varchar(50) default NULL, cal_wkst char(2) default 'MO', cal_count int(11) default NULL, PRIMARY KEY (cal_id))");
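Review bot: The seeded admin row on the INSERT line just below the widened column still stores a fixed MD5 literal, so a fresh SQLite install starts with a legacy digest that is only replaced when that account first logs in. Because this file is PHP, the seed can be computed at install time with `password_hash( <initial admin password>, PASSWORD_DEFAULT )` and interpolated into the INSERT instead of hard-coding the digest; the same applies to the INSERT in install/sql/tables-sqlite3.php. populate_sqlite_db continues past the hunk.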
2 changes: 1 addition & 1 deletion install/sql/tables-sqlite3.php
Expand Up @@ -5,7 +5,7 @@
*/
function populate_sqlite_db ( $database, $db ) {
#$c = new SQLite3 ( $database, SQLITE3_OPEN_CREATE );
$db->query("CREATE TABLE webcal_user (cal_login VARCHAR(25) NOT NULL, cal_passwd VARCHAR(32), cal_lastname VARCHAR(25), cal_firstname VARCHAR(25), cal_is_admin CHAR(1) DEFAULT 'N',cal_email VARCHAR(75) NULL,cal_enabled CHAR(1) DEFAULT 'Y',cal_telephone VARCHAR(50) NULL,cal_address VARCHAR(75) NULL,cal_title VARCHAR(75) NULL,cal_birthday INT,cal_last_login INT, PRIMARY KEY ( cal_login ))");
$db->query("CREATE TABLE webcal_user (cal_login VARCHAR(25) NOT NULL, cal_passwd VARCHAR(255), cal_lastname VARCHAR(25), cal_firstname VARCHAR(25), cal_is_admin CHAR(1) DEFAULT 'N',cal_email VARCHAR(75) NULL,cal_enabled CHAR(1) DEFAULT 'Y',cal_telephone VARCHAR(50) NULL,cal_address VARCHAR(75) NULL,cal_title VARCHAR(75) NULL,cal_birthday INT,cal_last_login INT, PRIMARY KEY ( cal_login ))");
$db->query("INSERT INTO webcal_user ( cal_login, cal_passwd, cal_lastname, cal_firstname, cal_is_admin ) VALUES ( 'admin', '21232f297a57a5a743894a0e4a801fc3', 'Administrator', 'Default', 'Y' );");
$db->query("CREATE TABLE webcal_entry ( cal_id INT NOT NULL, cal_group_id INT NULL, cal_ext_for_id INT NULL, cal_create_by VARCHAR(25) NOT NULL, cal_date INT NOT NULL, cal_time INT NULL, cal_mod_date INT, cal_mod_time INT, cal_duration INT NOT NULL, cal_due_date INT default NULL, cal_due_time INT default NULL, cal_location varchar(100) default NULL, cal_url varchar(100) default NULL, cal_completed INT default NULL, cal_priority INT DEFAULT 5, cal_type CHAR(1) DEFAULT 'E', cal_access CHAR(1) DEFAULT 'P', cal_name VARCHAR(80) NOT NULL, cal_description TEXT, PRIMARY KEY ( cal_id ))");
$db->query("CREATE TABLE webcal_entry_repeats ( cal_id INT DEFAULT 0 NOT NULL, cal_type VARCHAR(20), cal_end INT, cal_frequency INT DEFAULT 1, cal_days CHAR(7), cal_endtime int(11) default NULL, cal_bymonth varchar(50) default NULL, cal_bymonthday varchar(100) default NULL, cal_byday varchar(100) default NULL, cal_bysetpos varchar(50) default NULL, cal_byweekno varchar(50) default NULL, cal_byyearday varchar(50) default NULL, cal_wkst char(2) default 'MO', cal_count int(11) default NULL, PRIMARY KEY (cal_id))");
1 change: 1 addition & 0 deletions install/sql/upgrade-db2.sql
Expand Up @@ -288,3 +288,4 @@ CREATE TABLE webcal_timezones (
);

/*upgrade_v1.3.0*/
ALTER TABLE webcal_user MODIFY cal_passwd VARCHAR(255);
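Review bot: `ALTER TABLE webcal_user MODIFY cal_passwd VARCHAR(255);` is MySQL's MODIFY clause, which DB2 does not accept; DB2's form is `ALTER TABLE webcal_user ALTER COLUMN cal_passwd SET DATA TYPE VARCHAR(255);`. The MSSQL script has the same problem — SQL Server expects `ALTER TABLE webcal_user ALTER COLUMN cal_passwd VARCHAR(255) NULL;` — and the InterBase/Firebird script omits the TYPE keyword, where `ALTER TABLE WEBCAL_USER ALTER COLUMN CAL_PASSWD TYPE VARCHAR(255);` is the documented form. These statements look untested against their engines and should be run on each before release: if the column stays at 32 characters, the login-triggered rehash in includes/user.php writes a 60-character bcrypt string into it, and on engines that truncate silently that account can never authenticate again.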
1 change: 1 addition & 0 deletions install/sql/upgrade-ibase.sql
Expand Up @@ -302,3 +302,4 @@ CREATE TABLE webcal_TIMEZONES (
);
CREATE INDEX IWEBCAL_TIMEZONESNEWINDEX ON WEBCAL_TIMEZONES(TZID);
/*upgrade_v1.3.0*/
ALTER TABLE WEBCAL_USER ALTER CAL_PASSWD VARCHAR(255);
1 change: 1 addition & 0 deletions install/sql/upgrade-mssql.sql
Expand Up @@ -288,3 +288,4 @@ CREATE TABLE webcal_timezones (
PRIMARY KEY ( tzid )
);
/*upgrade_v1.3.0*/
ALTER TABLE webcal_user MODIFY cal_passwd VARCHAR(255) NULL;
2 changes: 1 addition & 1 deletion install/sql/upgrade-mysql.sql
Expand Up @@ -260,4 +260,4 @@ ALTER TABLE webcal_entry_categories
CREATE INDEX IF NOT EXISTS
webcal_entry_categories ON webcal_entry_categories(cat_id);
/*upgrade_v1.3.1*/

ALTER TABLE webcal_user MODIFY cal_passwd VARCHAR(255);
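Review bot: This statement is placed under `/*upgrade_v1.3.1*/`, as is the one in install/sql/upgrade.sql, while the db2, ibase, mssql, oracle and postgres scripts put theirs under `/*upgrade_v1.3.0*/`. If the installer selects statements by these version markers, an installation already at 1.3.0 on one of those engines would skip the column widening while a MySQL one applies it, so the marker should be the same in every dialect file. Widening the column must precede deployment of the new includes/user.php, because the lazy rehash writes 60-character hashes on first login.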
1 change: 1 addition & 0 deletions install/sql/upgrade-oracle.sql
Expand Up @@ -288,3 +288,4 @@ CREATE TABLE webcal_timezones (
PRIMARY KEY ( tzid )
);
/*upgrade_v1.3.0*/
ALTER TABLE webcal_user MODIFY cal_passwd VARCHAR2(255) NULL;
1 change: 1 addition & 0 deletions install/sql/upgrade-postgres.sql
Expand Up @@ -306,3 +306,4 @@ CREATE TABLE webcal_timezones (
PRIMARY KEY ( tzid )
);
/*upgrade_v1.3.0*/
ALTER TABLE webcal_user ALTER COLUMN cal_passwd TYPE VARCHAR(255);
2 changes: 2 additions & 0 deletions install/sql/upgrade.sql
Expand Up @@ -607,3 +607,5 @@ ALTER TABLE webcal_view MODIFY cal_view_id int UNSIGNED NOT NULL AUTO_INCREMENT
ALTER TABLE webcal_view_user ENGINE MyISAM CHARACTER SET utf8 COMMENT '<a name="webcal_view_user">''</a>Specify users in a view.';
ALTER TABLE webcal_view_user MODIFY cal_login varchar(25) NOT NULL COMMENT 'A user in the view. From <a href="#webcal_user">webcal_user</a> table.';
ALTER TABLE webcal_view_user MODIFY cal_view_id int UNSIGNED NOT NULL COMMENT 'view id from <a href="#webcal_view">webcal_view</a> table.' FIRST;
/*upgrade_v1.3.1*/
ALTER TABLE webcal_user MODIFY cal_passwd VARCHAR(255);
