MD5 passwords, including code from Robert Hartman and John Gray.

git-svn-id: https://develop.svn.wordpress.org/trunk@850 602fd350-edb4-49c9-b593-d223f7449a82
This commit is contained in:
Matt Mullenweg 2004-02-09 09:56:57 +00:00
parent 9806f14f7d
commit 15deed87d1
6 changed files with 46 additions and 40 deletions

View File

@ -2,7 +2,7 @@
require_once('../wp-config.php'); require_once('../wp-config.php');
/* checking login & pass in the database */ /* Checking login & pass in the database */
function veriflog() { function veriflog() {
global $HTTP_COOKIE_VARS,$cookiehash; global $HTTP_COOKIE_VARS,$cookiehash;
global $tableusers, $wpdb; global $tableusers, $wpdb;
@ -31,19 +31,18 @@ function veriflog() {
} }
} }
} }
//if ( $user_login!="" && $user_pass!="" && $id_session!="" && $adresse_ip==$REMOTE_ADDR) {
// if ( !(veriflog()) AND !(verifcookielog()) ) { if ( !veriflog() ) {
if (!(veriflog())) { header('Expires: Wed, 11 Jan 1984 05:00:00 GMT');
header('Expires: Wed, 11 Jan 1984 05:00:00 GMT'); header('Last-Modified: ' . gmdate('D, d M Y H:i:s') . ' GMT');
header('Last-Modified: ' . gmdate('D, d M Y H:i:s') . ' GMT'); header('Cache-Control: no-cache, must-revalidate');
header('Cache-Control: no-cache, must-revalidate'); header('Pragma: no-cache');
header('Pragma: no-cache'); if (!empty($HTTP_COOKIE_VARS["wordpressuser_".$cookiehash])) {
if (!empty($HTTP_COOKIE_VARS["wordpressuser_".$cookiehash])) { $error="<strong>Error</strong>: wrong login or password.";
$error="<strong>Error</strong>: wrong login or password";
}
$redir = "Location: $siteurl/wp-login.php?redirect_to=" . urlencode($HTTP_SERVER_VARS["REQUEST_URI"]);
header($redir);
exit();
} }
//} $redir = "Location: $siteurl/wp-login.php?redirect_to=" . urlencode($HTTP_SERVER_VARS["REQUEST_URI"]);
header($redir);
exit();
}
?> ?>

View File

@ -75,7 +75,7 @@ case 'update':
if ($HTTP_POST_VARS["pass1"] != $HTTP_POST_VARS["pass2"]) if ($HTTP_POST_VARS["pass1"] != $HTTP_POST_VARS["pass2"])
die ("<strong>ERROR</strong>: you typed two different passwords. Go back to correct that."); die ("<strong>ERROR</strong>: you typed two different passwords. Go back to correct that.");
$newuser_pass = $HTTP_POST_VARS["pass1"]; $newuser_pass = $HTTP_POST_VARS["pass1"];
$updatepassword = "user_pass='$newuser_pass', "; $updatepassword = "user_pass=MD5('$newuser_pass'), ";
setcookie("wordpresspass_".$cookiehash,md5($newuser_pass),time()+31536000); setcookie("wordpresspass_".$cookiehash,md5($newuser_pass),time()+31536000);
} }
@ -344,4 +344,5 @@ break;
} }
/* </Profile | My Profile> */ /* </Profile | My Profile> */
include('admin-footer.php') ?> include('admin-footer.php');
?>

View File

@ -679,7 +679,20 @@ function upgrade_110() {
maybe_add_column($tableusers, 'user_activation_key', "ALTER TABLE `$tableusers` ADD `user_activation_key` VARCHAR( 60 ) NOT NULL ;"); maybe_add_column($tableusers, 'user_activation_key', "ALTER TABLE `$tableusers` ADD `user_activation_key` VARCHAR( 60 ) NOT NULL ;");
maybe_add_column($tableusers, 'user_status', "ALTER TABLE `$tableusers` ADD `user_status` INT DEFAULT '0' NOT NULL ;"); maybe_add_column($tableusers, 'user_status', "ALTER TABLE `$tableusers` ADD `user_status` INT DEFAULT '0' NOT NULL ;");
$wpdb->query("ALTER TABLE `$tableposts` CHANGE `comment_status` `comment_status` ENUM( 'open', 'closed', 'registered_only' ) DEFAULT 'open' NOT NULL"); $wpdb->query("ALTER TABLE `$tableposts` CHANGE `comment_status` `comment_status` ENUM( 'open', 'closed', 'registered_only' ) DEFAULT 'open' NOT NULL");
// Convert passwords to MD5 and update table appropiately
$query = 'DESCRIBE wp_users user_pass';
$res = $wpdb->get_results($query);
if ($res[0]['Type'] != 'varchar(32)') {
$wpdb->query('ALTER TABLE wp_users MODIFY user_pass varchar(64) not null');
}
$query = 'SELECT ID, user_pass from wp_users';
foreach ($wpdb->get_results($query) as $row) {
if (!preg_match('/^[A-Fa-f0-9]{32}$/', $row->user_pass)) {
$wpdb->query('UPDATE wp_users SET user_pass = MD5(\''.$row->user_pass.'\') WHERE ID = \''.$row->ID.'\'');
}
}
} }
?> ?>

View File

@ -73,7 +73,7 @@ case 'adduser':
$result = $wpdb->query("INSERT INTO $tableusers $result = $wpdb->query("INSERT INTO $tableusers
(user_login, user_pass, user_nickname, user_email, user_ip, user_domain, user_browser, dateYMDhour, user_level, user_idmode, user_firstname, user_lastname) (user_login, user_pass, user_nickname, user_email, user_ip, user_domain, user_browser, dateYMDhour, user_level, user_idmode, user_firstname, user_lastname)
VALUES VALUES
('$user_login', '$pass1', '$user_nickname', '$user_email', '$user_ip', '$user_domain', '$user_browser', '$now', '$new_users_can_blog', 'nickname', '$user_firstname', '$user_lastname')"); ('$user_login', MD5('$pass1'), '$user_nickname', '$user_email', '$user_ip', '$user_domain', '$user_browser', '$now', '$new_users_can_blog', 'nickname', '$user_firstname', '$user_lastname')");
if ($result == false) { if ($result == false) {
die ('<strong>ERROR</strong>: Couldn&#8217;t register you... please contact the <a href="mailto:'.$admin_email.'">webmaster</a> !'); die ('<strong>ERROR</strong>: Couldn&#8217;t register you... please contact the <a href="mailto:'.$admin_email.'">webmaster</a> !');

View File

@ -59,9 +59,9 @@ break;
case 'login': case 'login':
if(!empty($HTTP_POST_VARS)) { if(!empty($HTTP_POST_VARS)) {
$log = $HTTP_POST_VARS["log"]; $log = $HTTP_POST_VARS['log'];
$pwd = $HTTP_POST_VARS["pwd"]; $pwd = $HTTP_POST_VARS['pwd'];
$redirect_to = $HTTP_POST_VARS["redirect_to"]; $redirect_to = $HTTP_POST_VARS['redirect_to'];
} }
$user = get_userdatabylogin($log); $user = get_userdatabylogin($log);
@ -74,37 +74,32 @@ case 'login':
global $wpdb, $log, $pwd, $error, $user_ID; global $wpdb, $log, $pwd, $error, $user_ID;
global $tableusers, $pass_is_md5; global $tableusers, $pass_is_md5;
$user_login = &$log; $user_login = &$log;
$pwd = md5($pwd);
$password = &$pwd; $password = &$pwd;
if (!$user_login) { if (!$user_login) {
$error="<strong>ERROR</strong>: the login field is empty"; $error = '<strong>Error</strong>: the login field is empty.';
return false; return false;
} }
if (!$password) { if (!$password) {
$error="<strong>ERROR</strong>: the password field is empty"; $error = '<strong>Error</strong>: the password field is empty.';
return false; return false;
} }
if ('md5:' == substr($password, 0, 4)) { $query = "SELECT ID, user_login, user_pass FROM $tableusers WHERE user_login = '$user_login' AND user_pass = '$password'";
$pass_is_md5 = 1;
$password = substr($password, 4, strlen($password));
$query = "SELECT ID, user_login, user_pass FROM $tableusers WHERE user_login = '$user_login' AND MD5(user_pass) = '$password'";
} else {
$pass_is_md5 = 0;
$query = "SELECT ID, user_login, user_pass FROM $tableusers WHERE user_login = '$user_login' AND user_pass = '$password'";
}
$login = $wpdb->get_row($query); $login = $wpdb->get_row($query);
if (!$login) { if (!$login) {
$error = '<b>ERROR</b>: wrong login or password'; $error = '<strong>Error</strong>: wrong login or password.';
$pwd = ''; $pwd = '';
return false; return false;
} else { } else {
$user_ID = $login->ID; $user_ID = $login->ID;
if (($pass_is_md5 == 0 && $login->user_login == $user_login && $login->user_pass == $password) || ($pass_is_md5 == 1 && $login->user_login == $user_login && md5($login->user_pass) == $password)) { if (($pass_is_md5 == 0 && $login->user_login == $user_login && $login->user_pass == $password) || ($pass_is_md5 == 1 && $login->user_login == $user_login && $login->user_pass == md5($password))) {
return true; return true;
} else { } else {
$error = '<b>ERROR</b>: wrong login or password'; $error = '<strong>Error</strong>: wrong login or password.';
$pwd = ''; $pwd = '';
return false; return false;
} }
@ -126,11 +121,7 @@ case 'login':
$user_login = $log; $user_login = $log;
$user_pass = $pwd; $user_pass = $pwd;
setcookie('wordpressuser_'.$cookiehash, $user_login, time()+31536000); setcookie('wordpressuser_'.$cookiehash, $user_login, time()+31536000);
if ($pass_is_md5) { setcookie('wordpresspass_'.$cookiehash, md5($user_pass), time()+31536000);
setcookie('wordpresspass_'.$cookiehash, $user_pass, time()+31536000);
} else {
setcookie('wordpresspass_'.$cookiehash, md5($user_pass), time()+31536000);
}
if (empty($HTTP_COOKIE_VARS['wordpressblogid_'.$cookiehash])) { if (empty($HTTP_COOKIE_VARS['wordpressblogid_'.$cookiehash])) {
setcookie('wordpressblogid_'.$cookiehash, 1,time()+31536000); setcookie('wordpressblogid_'.$cookiehash, 1,time()+31536000);
} }
@ -227,6 +218,8 @@ case 'retrievepassword':
} else { } else {
echo "<p>The email was sent successfully to $user_login's email address.<br /> echo "<p>The email was sent successfully to $user_login's email address.<br />
<a href='wp-login.php' title='Check your email first, of course'>Click here to login!</a></p>"; <a href='wp-login.php' title='Check your email first, of course'>Click here to login!</a></p>";
// send a copy of password change notification to the admin
mail($admin_email, "[$blogname] Password Lost/Change", "Password Lost and Changed for user: $user_login");
die(); die();
} }

View File

@ -92,7 +92,7 @@ case 'register':
$result = $wpdb->query("INSERT INTO $tableusers $result = $wpdb->query("INSERT INTO $tableusers
(user_login, user_pass, user_nickname, user_email, user_ip, user_domain, user_browser, dateYMDhour, user_level, user_idmode) (user_login, user_pass, user_nickname, user_email, user_ip, user_domain, user_browser, dateYMDhour, user_level, user_idmode)
VALUES VALUES
('$user_login', '$pass1', '$user_nickname', '$user_email', '$user_ip', '$user_domain', '$user_browser', '$now', '$new_users_can_blog', 'nickname')"); ('$user_login', MD5('$pass1'), '$user_nickname', '$user_email', '$user_ip', '$user_domain', '$user_browser', '$now', '$new_users_can_blog', 'nickname')");
if ($result == false) { if ($result == false) {
die ('<strong>ERROR</strong>: Couldn&#8217;t register you... please contact the <a href="mailto:'.$admin_email.'">webmaster</a> !'); die ('<strong>ERROR</strong>: Couldn&#8217;t register you... please contact the <a href="mailto:'.$admin_email.'">webmaster</a> !');