From 1ab13782594141c8b15f1ef12e3cdf7a35c4f7ff Mon Sep 17 00:00:00 2001
From: Gert <gert@gert.gert>
Date: Mon, 13 Apr 2015 13:10:56 +0200
Subject: [PATCH] fix flaws in authentication

---
 .../src/Grav/Common/User/Authentication.php   | 22 ++++++++++++-------
 system/src/Grav/Common/User/User.php          | 17 ++++++++++++--
 2 files changed, 29 insertions(+), 10 deletions(-)

diff --git a/system/src/Grav/Common/User/Authentication.php b/system/src/Grav/Common/User/Authentication.php
index 41b23122b..fc26bf8d7 100644
--- a/system/src/Grav/Common/User/Authentication.php
+++ b/system/src/Grav/Common/User/Authentication.php
@@ -13,11 +13,22 @@ abstract class Authentication
      * Create password hash from plaintext password.
      *
      * @param string $password  Plaintext password.
+     * @throws \RuntimeException
      * @return string|bool
      */
     public static function create($password)
     {
-        return password_hash($password, PASSWORD_DEFAULT);
+        if (!$password) {
+            throw new \RuntimeException('Password hashing failed: no password provided.');
+        }
+
+        $hash = password_hash($password, PASSWORD_DEFAULT);
+
+        if (!$hash) {
+            throw new \RuntimeException('Password hashing failed: internal error.');
+        }
+
+        return $hash;
     }
 
     /**
@@ -29,13 +40,8 @@ abstract class Authentication
      */
     public static function verify($password, $hash)
     {
-        // Always accept plaintext passwords (needs an update).
-        if ($password && $password == $hash) {
-            return 2;
-        }
-
-        // Fail if hash doesn't match.
-        if (!$password || !password_verify($password, $hash)) {
+        // Fail if hash doesn't match
+        if (!$password || !$hash || !password_verify($password, $hash)) {
             return 0;
         }
 
diff --git a/system/src/Grav/Common/User/User.php b/system/src/Grav/Common/User/User.php
index b3382b13d..fb9fd21f8 100644
--- a/system/src/Grav/Common/User/User.php
+++ b/system/src/Grav/Common/User/User.php
@@ -53,11 +53,24 @@ class User extends Data
      */
     public function authenticate($password)
     {
-        $result = Authentication::verify($password, $this->password);
+        $save = false;
+
+        if ($this->password) {
+            $save = true;
+
+            $this->hashed_password = Authentication::create($this->password);
+            unset($this->password);
+        }
+
+        $result = Authentication::verify($password, $this->hashed_password);
 
         // Password needs to be updated, save the file.
         if ($result == 2) {
-            $this->password = Authentication::create($password);
+            $save = true;
+            $this->hashed_password = Authentication::create($password);
+        }
+
+        if ($save) {
             $this->save();
         }