generate a random salt during installation and store it in the config.php. use it to salt the password hashing.
This commit is contained in:
parent
4d3b7574f3
commit
6119f05ac0
|
@ -24,6 +24,9 @@ $CONFIG = array(
|
|||
/* Prefix for the OwnCloud tables in the database */
|
||||
"dbtableprefix" => "",
|
||||
|
||||
/* Define the salt used to hash the user passwords. All your user passwords are lost if you lose this string. */
|
||||
"passwordsalt" => "",
|
||||
|
||||
/* Force use of HTTPS connection (true = use HTTPS) */
|
||||
"forcessl" => false,
|
||||
|
||||
|
|
|
@ -73,6 +73,10 @@ class OC_Setup {
|
|||
$dbtype='sqlite3';
|
||||
}
|
||||
|
||||
//generate a random salt that is used to salt the local user passwords
|
||||
$salt=mt_rand(1000,9000).mt_rand(1000,9000).mt_rand(1000,9000).mt_rand(1000,9000).mt_rand(1000,9000).mt_rand(1000,9000).mt_rand(1000,9000).mt_rand(1000,9000);
|
||||
OC_Config::setValue('passwordsalt', $salt);
|
||||
|
||||
//write the config file
|
||||
OC_Config::setValue('datadirectory', $datadir);
|
||||
OC_Config::setValue('dbtype', $dbtype);
|
||||
|
|
|
@ -69,7 +69,7 @@ class OC_User_Database extends OC_User_Backend {
|
|||
return false;
|
||||
}else{
|
||||
$hasher=$this->getHasher();
|
||||
$hash = $hasher->HashPassword($password);
|
||||
$hash = $hasher->HashPassword($password.OC_Config::getValue('passwordsalt', ''));
|
||||
$query = OC_DB::prepare( "INSERT INTO `*PREFIX*users` ( `uid`, `password` ) VALUES( ?, ? )" );
|
||||
$result = $query->execute( array( $uid, $hash));
|
||||
|
||||
|
@ -102,7 +102,7 @@ class OC_User_Database extends OC_User_Backend {
|
|||
public function setPassword( $uid, $password ){
|
||||
if( $this->userExists($uid) ){
|
||||
$hasher=$this->getHasher();
|
||||
$hash = $hasher->HashPassword($password);
|
||||
$hash = $hasher->HashPassword($password.OC_Config::getValue('passwordsalt', ''));
|
||||
$query = OC_DB::prepare( "UPDATE *PREFIX*users SET password = ? WHERE uid = ?" );
|
||||
$result = $query->execute( array( $hash, $uid ));
|
||||
|
||||
|
@ -131,7 +131,7 @@ class OC_User_Database extends OC_User_Backend {
|
|||
$storedHash=$row['password'];
|
||||
if (substr($storedHash,0,1)=='$'){//the new phpass based hashing
|
||||
$hasher=$this->getHasher();
|
||||
if($hasher->CheckPassword($password, $storedHash)){
|
||||
if($hasher->CheckPassword($password.OC_Config::getValue('passwordsalt', ''), $storedHash)){
|
||||
return $row['uid'];
|
||||
}else{
|
||||
return false;
|
||||
|
|
Loading…
Reference in New Issue