fix flaws in authentication

Gert
2015-04-13 13:10:56 +02:00
parent 7d16bafd52
commit 1ab1378259
2 changed files with 29 additions and 10 deletions


@@ -13,11 +13,22 @@ abstract class Authentication
* Create password hash from plaintext password.
*
* @param string $password Plaintext password.
* @throws \RuntimeException
* @return string|bool
*/
public static function create($password)
{
return password_hash($password, PASSWORD_DEFAULT);
if (!$password) {
throw new \RuntimeException('Password hashing failed: no password provided.');
}
$hash = password_hash($password, PASSWORD_DEFAULT);
if (!$hash) {
throw new \RuntimeException('Password hashing failed: internal error.');
}
return $hash;
}
/**
@@ -29,13 +40,8 @@ abstract class Authentication
*/
public static function verify($password, $hash)
{
// Always accept plaintext passwords (needs an update).
if ($password && $password == $hash) {
return 2;
}
// Fail if hash doesn't match.
if (!$password || !password_verify($password, $hash)) {
// Fail if hash doesn't match
if (!$password || !$hash || !password_verify($password, $hash)) {
return 0;
}
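Review bot: The new guard `if (!$password)` in create() tests PHP truthiness, so the string "0" is rejected as "no password provided", and the same `!$password` in the rewritten verify() condition means a user whose password is "0" can never log in; test for a missing or empty string explicitly instead, e.g. `if (!is_string($password) || $password === '')` in create() and the same expression in place of `!$password` in verify() (the `!$hash` test can stay, since no valid hash is the string "0"). The docblock above create() still says `@return string|bool`, but the new body throws on every failure path and never returns false, so it should read `@return string` alongside the added `@throws \RuntimeException`. Removing the plaintext-equality shortcut is the right call, but verify()'s body continues past the hunk, so I can't confirm from here whether it still returns 2 anywhere (e.g. via `password_needs_rehash`); if it no longer does, the caller's "password needs to be updated" branch is now unreachable.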


@@ -53,11 +53,24 @@ class User extends Data
*/
public function authenticate($password)
{
$result = Authentication::verify($password, $this->password);
$save = false;
if ($this->password) {
$save = true;
$this->hashed_password = Authentication::create($this->password);
unset($this->password);
}
$result = Authentication::verify($password, $this->hashed_password);
// Password needs to be updated, save the file.
if ($result == 2) {
$this->password = Authentication::create($password);
$save = true;
$this->hashed_password = Authentication::create($password);
}
if ($save) {
$this->save();
}