X-Git-Url: https://git.nubati.net/cgi-bin/gitweb.cgi?p=e-DoKo.git;a=blobdiff_plain;f=include%2Fpreferences.php;h=a20913a420901219e3928b8cf7f2909e332a0607;hp=20b8eb5d5f04a041bdce98fe6e8f9b85ad46bf2a;hb=14f6017a5b84d70320bde9d6e074ea8ac948a85e;hpb=4281c9e477f9aafff66f8b9dd6912a2495b0e853 diff --git a/include/preferences.php b/include/preferences.php index 20b8eb5..a20913a 100644 --- a/include/preferences.php +++ b/include/preferences.php @@ -273,9 +273,9 @@ if(myisset("password0","password1","password2") && $_REQUEST["password0"]!="" & $changed_password = 1; /* check if old password matches */ - $oldpasswd = md5($_REQUEST["password0"]); - $password = DB_get_passwd_by_userid($myid); - if(!( ($password == $oldpasswd) || DB_check_recovery_passwords($oldpasswd,$email) )) + $result = verify_password($email, $_REQUEST["password0"]); + + if( $result!=0 ) $changed_password = -1; /* check if new password has been typed in correctly */ @@ -288,8 +288,19 @@ if(myisset("password0","password1","password2") && $_REQUEST["password0"]!="" & if($changed_password==1) { - DB_query("UPDATE User SET password='".md5($_REQUEST["password1"]). + // create a password hash using the crypt function, need php 5.3 for this + // create and random salt + $salt = substr(str_replace('+', '.', base64_encode(sha1(microtime(true), true))), 0, 22); + // hash incoming password using 12 rounds of blowfish + $hash = crypt($_REQUEST["password1"], '$2y$12$' . $salt); + + DB_query("UPDATE User SET password='".$hash. "' WHERE id=".DB_quote_smart($myid)); + + /* in case this was done using a recovery password delete that password */ + $tmppasswd = md5($_REQUEST["password0"]); + if(DB_check_recovery_passwords($tmppasswd,$email)) + DB_delete_recovery_passwords($myid); } /* error output below */ } @@ -546,14 +557,7 @@ echo "\n"; // add jquery date picker if html5 is not available ?>