MD5 passwords, including code from Robert Hartman and John Gray.
git-svn-id: https://develop.svn.wordpress.org/trunk@850 602fd350-edb4-49c9-b593-d223f7449a82
This commit is contained in:
Matt Mullenweg
parent
9806f14f7d
commit
15deed87d1
@ -2,7 +2,7 @@
|
||||
|
||||
require_once('../wp-config.php');
|
||||
|
||||
/* checking login & pass in the database */
|
||||
/* Checking login & pass in the database */
|
||||
function veriflog() {
|
||||
global $HTTP_COOKIE_VARS,$cookiehash;
|
||||
global $tableusers, $wpdb;
|
||||
@ -31,19 +31,18 @@ function veriflog() {
|
||||
}
|
||||
}
|
||||
}
|
||||
//if ( $user_login!="" && $user_pass!="" && $id_session!="" && $adresse_ip==$REMOTE_ADDR) {
|
||||
// if ( !(veriflog()) AND !(verifcookielog()) ) {
|
||||
if (!(veriflog())) {
|
||||
|
||||
if ( !veriflog() ) {
|
||||
header('Expires: Wed, 11 Jan 1984 05:00:00 GMT');
|
||||
header('Last-Modified: ' . gmdate('D, d M Y H:i:s') . ' GMT');
|
||||
header('Cache-Control: no-cache, must-revalidate');
|
||||
header('Pragma: no-cache');
|
||||
if (!empty($HTTP_COOKIE_VARS["wordpressuser_".$cookiehash])) {
|
||||
$error="<strong>Error</strong>: wrong login or password";
|
||||
$error="<strong>Error</strong>: wrong login or password.";
|
||||
}
|
||||
$redir = "Location: $siteurl/wp-login.php?redirect_to=" . urlencode($HTTP_SERVER_VARS["REQUEST_URI"]);
|
||||
header($redir);
|
||||
exit();
|
||||
}
|
||||
//}
|
||||
|
||||
?>
|
||||
@ -75,7 +75,7 @@ case 'update':
|
||||
if ($HTTP_POST_VARS["pass1"] != $HTTP_POST_VARS["pass2"])
|
||||
die ("<strong>ERROR</strong>: you typed two different passwords. Go back to correct that.");
|
||||
$newuser_pass = $HTTP_POST_VARS["pass1"];
|
||||
$updatepassword = "user_pass='$newuser_pass', ";
|
||||
$updatepassword = "user_pass=MD5('$newuser_pass'), ";
|
||||
setcookie("wordpresspass_".$cookiehash,md5($newuser_pass),time()+31536000);
|
||||
}
|
||||
|
||||
@ -344,4 +344,5 @@ break;
|
||||
}
|
||||
|
||||
/* </Profile | My Profile> */
|
||||
include('admin-footer.php') ?>
|
||||
include('admin-footer.php');
|
||||
?>
|
||||
@ -680,6 +680,19 @@ function upgrade_110() {
|
||||
maybe_add_column($tableusers, 'user_status', "ALTER TABLE `$tableusers` ADD `user_status` INT DEFAULT '0' NOT NULL ;");
|
||||
$wpdb->query("ALTER TABLE `$tableposts` CHANGE `comment_status` `comment_status` ENUM( 'open', 'closed', 'registered_only' ) DEFAULT 'open' NOT NULL");
|
||||
|
||||
// Convert passwords to MD5 and update table appropiately
|
||||
$query = 'DESCRIBE wp_users user_pass';
|
||||
$res = $wpdb->get_results($query);
|
||||
if ($res[0]['Type'] != 'varchar(32)') {
|
||||
$wpdb->query('ALTER TABLE wp_users MODIFY user_pass varchar(64) not null');
|
||||
}
|
||||
|
||||
$query = 'SELECT ID, user_pass from wp_users';
|
||||
foreach ($wpdb->get_results($query) as $row) {
|
||||
if (!preg_match('/^[A-Fa-f0-9]{32}$/', $row->user_pass)) {
|
||||
$wpdb->query('UPDATE wp_users SET user_pass = MD5(\''.$row->user_pass.'\') WHERE ID = \''.$row->ID.'\'');
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
?>
|
||||
@ -73,7 +73,7 @@ case 'adduser':
|
||||
$result = $wpdb->query("INSERT INTO $tableusers
|
||||
(user_login, user_pass, user_nickname, user_email, user_ip, user_domain, user_browser, dateYMDhour, user_level, user_idmode, user_firstname, user_lastname)
|
||||
VALUES
|
||||
('$user_login', '$pass1', '$user_nickname', '$user_email', '$user_ip', '$user_domain', '$user_browser', '$now', '$new_users_can_blog', 'nickname', '$user_firstname', '$user_lastname')");
|
||||
('$user_login', MD5('$pass1'), '$user_nickname', '$user_email', '$user_ip', '$user_domain', '$user_browser', '$now', '$new_users_can_blog', 'nickname', '$user_firstname', '$user_lastname')");
|
||||
|
||||
if ($result == false) {
|
||||
die ('<strong>ERROR</strong>: Couldn’t register you... please contact the <a href="mailto:'.$admin_email.'">webmaster</a> !');
|
||||
|
||||
31
wp-login.php
31
wp-login.php
@ -59,9 +59,9 @@ break;
|
||||
case 'login':
|
||||
|
||||
if(!empty($HTTP_POST_VARS)) {
|
||||
$log = $HTTP_POST_VARS["log"];
|
||||
$pwd = $HTTP_POST_VARS["pwd"];
|
||||
$redirect_to = $HTTP_POST_VARS["redirect_to"];
|
||||
$log = $HTTP_POST_VARS['log'];
|
||||
$pwd = $HTTP_POST_VARS['pwd'];
|
||||
$redirect_to = $HTTP_POST_VARS['redirect_to'];
|
||||
}
|
||||
|
||||
$user = get_userdatabylogin($log);
|
||||
@ -74,37 +74,32 @@ case 'login':
|
||||
global $wpdb, $log, $pwd, $error, $user_ID;
|
||||
global $tableusers, $pass_is_md5;
|
||||
$user_login = &$log;
|
||||
$pwd = md5($pwd);
|
||||
$password = &$pwd;
|
||||
if (!$user_login) {
|
||||
$error="<strong>ERROR</strong>: the login field is empty";
|
||||
$error = '<strong>Error</strong>: the login field is empty.';
|
||||
return false;
|
||||
}
|
||||
|
||||
if (!$password) {
|
||||
$error="<strong>ERROR</strong>: the password field is empty";
|
||||
$error = '<strong>Error</strong>: the password field is empty.';
|
||||
return false;
|
||||
}
|
||||
|
||||
if ('md5:' == substr($password, 0, 4)) {
|
||||
$pass_is_md5 = 1;
|
||||
$password = substr($password, 4, strlen($password));
|
||||
$query = "SELECT ID, user_login, user_pass FROM $tableusers WHERE user_login = '$user_login' AND MD5(user_pass) = '$password'";
|
||||
} else {
|
||||
$pass_is_md5 = 0;
|
||||
$query = "SELECT ID, user_login, user_pass FROM $tableusers WHERE user_login = '$user_login' AND user_pass = '$password'";
|
||||
}
|
||||
|
||||
$login = $wpdb->get_row($query);
|
||||
|
||||
if (!$login) {
|
||||
$error = '<b>ERROR</b>: wrong login or password';
|
||||
$error = '<strong>Error</strong>: wrong login or password.';
|
||||
$pwd = '';
|
||||
return false;
|
||||
} else {
|
||||
$user_ID = $login->ID;
|
||||
if (($pass_is_md5 == 0 && $login->user_login == $user_login && $login->user_pass == $password) || ($pass_is_md5 == 1 && $login->user_login == $user_login && md5($login->user_pass) == $password)) {
|
||||
if (($pass_is_md5 == 0 && $login->user_login == $user_login && $login->user_pass == $password) || ($pass_is_md5 == 1 && $login->user_login == $user_login && $login->user_pass == md5($password))) {
|
||||
return true;
|
||||
} else {
|
||||
$error = '<b>ERROR</b>: wrong login or password';
|
||||
$error = '<strong>Error</strong>: wrong login or password.';
|
||||
$pwd = '';
|
||||
return false;
|
||||
}
|
||||
@ -126,11 +121,7 @@ case 'login':
|
||||
$user_login = $log;
|
||||
$user_pass = $pwd;
|
||||
setcookie('wordpressuser_'.$cookiehash, $user_login, time()+31536000);
|
||||
if ($pass_is_md5) {
|
||||
setcookie('wordpresspass_'.$cookiehash, $user_pass, time()+31536000);
|
||||
} else {
|
||||
setcookie('wordpresspass_'.$cookiehash, md5($user_pass), time()+31536000);
|
||||
}
|
||||
if (empty($HTTP_COOKIE_VARS['wordpressblogid_'.$cookiehash])) {
|
||||
setcookie('wordpressblogid_'.$cookiehash, 1,time()+31536000);
|
||||
}
|
||||
@ -227,6 +218,8 @@ case 'retrievepassword':
|
||||
} else {
|
||||
echo "<p>The email was sent successfully to $user_login's email address.<br />
|
||||
<a href='wp-login.php' title='Check your email first, of course'>Click here to login!</a></p>";
|
||||
// send a copy of password change notification to the admin
|
||||
mail($admin_email, "[$blogname] Password Lost/Change", "Password Lost and Changed for user: $user_login");
|
||||
die();
|
||||
}
|
||||
|
||||
|
||||
@ -92,7 +92,7 @@ case 'register':
|
||||
$result = $wpdb->query("INSERT INTO $tableusers
|
||||
(user_login, user_pass, user_nickname, user_email, user_ip, user_domain, user_browser, dateYMDhour, user_level, user_idmode)
|
||||
VALUES
|
||||
('$user_login', '$pass1', '$user_nickname', '$user_email', '$user_ip', '$user_domain', '$user_browser', '$now', '$new_users_can_blog', 'nickname')");
|
||||
('$user_login', MD5('$pass1'), '$user_nickname', '$user_email', '$user_ip', '$user_domain', '$user_browser', '$now', '$new_users_can_blog', 'nickname')");
|
||||
|
||||
if ($result == false) {
|
||||
die ('<strong>ERROR</strong>: Couldn’t register you... please contact the <a href="mailto:'.$admin_email.'">webmaster</a> !');
|
||||
|
||||
Loading…
Reference in New Issue
Block a user