mirror of
https://github.com/Lastorder-DC/rhymix.git
synced 2026-01-06 10:11:38 +09:00
Fix truncated password hash for documents and comments written by non-members, if member module is configured to use a hashing algorithm that produces more than 60 chars
parent
10cd76d0be
commit
f34c27c26b
3 changed files with 31 additions and 4 deletions
|
|
@ -138,6 +138,33 @@ class Password
|
|||
return $algorithm;
|
||||
}
|
||||
|
||||
/**
|
||||
* Get the current default hashing algorithm, unless it will produce
|
||||
* hashes that are longer than 60 characters.
|
||||
*
|
||||
* In that case, this method returns the next best supported algorithm
|
||||
* that produces 60-character (or shorter) hashes. This helps maintain
|
||||
* compatibility with old tables that still have varchar(60) columns.
|
||||
*
|
||||
* @return string
|
||||
*/
|
||||
public static function getBackwardCompatibleAlgorithm()
|
||||
{
|
||||
$algorithm = self::getDefaultAlgorithm();
|
||||
if (!in_array($algorithm, ['bcrypt', 'pbkdf2', 'sha1', 'md5']))
|
||||
{
|
||||
$candidates = self::getSupportedAlgorithms();
|
||||
foreach ($candidates as $algorithm)
|
||||
{
|
||||
if (in_array($algorithm, ['bcrypt', 'pbkdf2', 'sha1', 'md5']))
|
||||
{
|
||||
return $algorithm;
|
||||
}
|
||||
}
|
||||
}
|
||||
return $algorithm;
|
||||
}
|
||||
|
||||
/**
|
||||
* Get the currently configured work factor for bcrypt and other adjustable algorithms.
|
||||
*
|
||||
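Review bot: The fallback loop in `getBackwardCompatibleAlgorithm()` reuses `$algorithm` as its loop variable, so when no candidate matches, the final `return $algorithm;` yields the last entry of `getSupportedAlgorithms()` rather than a value known to fit in 60 characters. Iterating with a separate variable, `foreach (self::getSupportedAlgorithms() as $candidate)`, and deciding explicitly what to return when nothing matches would make the docblock's contract hold. The allowlist also accepts `sha1` and `md5`, so depending on the order `getSupportedAlgorithms()` returns (not visible here), the fallback could select a fast general-purpose digest for password storage; restricting the fallback search to `['bcrypt', 'pbkdf2']` avoids that. Both `in_array()` calls should pass `true` as the third argument, and the duplicated list could live in one class constant.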
|
|
|
|||
|
|
@ -486,7 +486,7 @@ class CommentController extends Comment
|
|||
// even for manual_inserted if password exists, hash it.
|
||||
if($obj->password)
|
||||
{
|
||||
$obj->password = MemberModel::hashPassword($obj->password);
|
||||
$obj->password = \Rhymix\Framework\Password::hashPassword($obj->password, \Rhymix\Framework\Password::getBackwardCompatibleAlgorithm());
|
||||
}
|
||||
|
||||
// get the original posting
|
||||
|
|
@ -871,7 +871,7 @@ class CommentController extends Comment
|
|||
|
||||
if($obj->password)
|
||||
{
|
||||
$obj->password = MemberModel::hashPassword($obj->password);
|
||||
$obj->password = \Rhymix\Framework\Password::hashPassword($obj->password, \Rhymix\Framework\Password::getBackwardCompatibleAlgorithm());
|
||||
}
|
||||
|
||||
if($obj->homepage)
|
||||
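Review bot: The new call at both password-hashing sites in this file (the `@ -486` and `@ -871` hunks), and again at the two sites in DocumentController (`@ -623` and `@ -901`), repeats the same long expression with no comment saying why the member module's configured algorithm is bypassed. A reader comparing this with member password handling cannot tell that the choice is driven by column width, or that guest passwords may end up with a weaker hash than the configured one. A comment such as `// Guest passwords are stored in a varchar(60) column, so pick an algorithm whose hash fits.` above each call would record that. Wrapping the expression in a single helper would also leave one place to change if the columns are later widened. The enclosing methods start and end outside these hunks.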
|
|
|
|||
|
|
@ -623,7 +623,7 @@ class DocumentController extends Document
|
|||
// Check the status of password hash for manually inserting. Apply hashing for otherwise.
|
||||
if($obj->password && !$obj->password_is_hashed)
|
||||
{
|
||||
$obj->password = MemberModel::hashPassword($obj->password);
|
||||
$obj->password = \Rhymix\Framework\Password::hashPassword($obj->password, \Rhymix\Framework\Password::getBackwardCompatibleAlgorithm());
|
||||
}
|
||||
|
||||
// Insert member's information only if the member is logged-in and not manually registered.
|
||||
|
|
@ -901,7 +901,7 @@ class DocumentController extends Document
|
|||
// Hash the password if it exists
|
||||
if($obj->password)
|
||||
{
|
||||
$obj->password = MemberModel::hashPassword($obj->password);
|
||||
$obj->password = \Rhymix\Framework\Password::hashPassword($obj->password, \Rhymix\Framework\Password::getBackwardCompatibleAlgorithm());
|
||||
}
|
||||
|
||||
// If an author is identical to the modifier or history is used, use the logged-in user's information.
|
||||
|
|
|
|||