From c6b4e326232c54e4086be6dedadb0cd0c3c0b28c Mon Sep 17 00:00:00 2001
From: ozhozh
Date: Fri, 26 Aug 2011 16:31:23 +0000
Subject: [PATCH] Support for salted encrypted passwords. See issues 755 & 875.
git-svn-id: http://yourls.googlecode.com/svn/trunk@678 12232710-3e20-11de-b438-597f59cd7555
---
 changelog.txt | 1 +
 includes/functions-auth.php | 16 +++++++++++++++-
 readme.html | 1 +
 user/config-sample.php | 3 ++-
 4 files changed, 19 insertions(+), 2 deletions(-)
diff --git a/changelog.txt b/changelog.txt
index 7bf3301..5bbe56a 100644
--- a/changelog.txt
+++ b/changelog.txt
@@ -71,6 +71,7 @@ list, simply refer to the commit messages: http://code.google.com/p/yourls/sourc
 1.5.1
 - added: full jsonp support
+- added: ability to use encrypted passwords in the config file
 - added: hooks, hooks, hooks
 - fixed: bugs, bugs, bugs
 - improved: things, things, things
diff --git a/includes/functions-auth.php b/includes/functions-auth.php
index e1dc93e..84d71a5 100644
--- a/includes/functions-auth.php
+++ b/includes/functions-auth.php
@@ -73,13 +73,27 @@ function yourls_is_valid_user() {
 // Check auth against list of login=>pwd. Sets user if applicable, returns bool
 function yourls_check_username_password() {
 global $yourls_user_passwords;
- if( isset( $yourls_user_passwords[ $_REQUEST['username'] ] ) && $yourls_user_passwords[ $_REQUEST['username'] ] == $_REQUEST['password'] ) {
+ if( isset( $yourls_user_passwords[ $_REQUEST['username'] ] ) && yourls_check_password_hash( $yourls_user_passwords[ $_REQUEST['username'] ], $_REQUEST['password'] ) ) {
 yourls_set_user( $_REQUEST['username'] );
 return true;
 }
 return false;
 }
+// Check a REQUEST password sent in plain text against stored password which can be a salted hash
+function yourls_check_password_hash( $stored, $plaintext ) {
+ if ( substr( $stored, 0, 4 ) == 'md5:' and strlen( $stored ) == 42 ) {
+ // Stored password is a salted hash: "md5:<$r = rand(10000,99999)>:"
+ // And 42. Of course. http://www.google.com/search?q=the+answer+to+life+the+universe+and+everything
+ list( $temp, $salt, $md5 ) = split( ':', $stored );
+ return( $stored == 'md5:'.$salt.':'.md5( $salt.$plaintext ) );
+ } else {
+ // Password was sent in clear
+ return( $stored == $plaintext );
+ }
+}
+
+
 // Check auth against encrypted COOKIE data. Sets user if applicable, returns bool
 function yourls_check_auth_cookie() {
 global $yourls_user_passwords;
diff --git a/readme.html b/readme.html
index 9b09fb5..95c6dc0 100644
--- a/readme.html
+++ b/readme.html
@@ -357,6 +357,7 @@ Example: 'qQ4KhL_pu|s@Zm7n#%:b^{A[vhm'
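Review bot: Both `return(...)` lines in the new yourls_check_password_hash compare with `==`, and PHP compares two numeric-looking strings numerically, so on the plain-text branch a stored password such as `'0e5'` (constructed example) would also accept `'0'` or `'0e7'`; use `return $stored === $plaintext;` and `return $stored === 'md5:'.$salt.':'.md5( $salt.$plaintext );` (or `hash_equals()` where available, which also removes the early-exit timing difference). `split( ':', $stored )` on the `list(...)` line is the deprecated ereg-based function; `explode( ':', $stored, 3 )` yields the same three parts, and `$temp` and `$md5` are never read afterwards. The hash format is defined only by the comment and the `== 42` length check, so a stored value that does not fit that exact shape silently falls through to the plain-text comparison; a header comment stating that `md5( $salt.$plaintext )` with a five-digit salt is fast to compute and protects the config file only against casual disclosure would help operators judge the scheme. The enclosing function is complete within the hunk.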
  • yourls_user_passwords
    A list of username(s) and password(s) allowed to access the site if private
    + Passwords can either be in plain text, or encrypted: see http://yourls.org/userpassword for more information
    Example: 'joe' => 'mypassword'
  •
diff --git a/user/config-sample.php b/user/config-sample.php
index fb380b0..3679b96 100644
--- a/user/config-sample.php
+++ b/user/config-sample.php
@@ -46,7 +46,8 @@
 /** A random secret hash used to encrypt cookies. You don't have to remember it, make it long and complicated. Hint: copy from http://yourls.org/cookie **/
 define( 'YOURLS_COOKIEKEY', 'modify this text with something random' );
-/** Username(s) and password(s) allowed to access the site */
+/** Username(s) and password(s) allowed to access the site. Passwords either in plain text or as salted hashes.
+ ** Read http://yourls.org/userpassword for more information */
 $yourls_user_passwords = array(
 'username' => 'password',
 'username2' => 'password2' // You can have one or more 'login'=>'password' lines
-- 
2.45.0