From ec6f5193e20ad0e37daf2b855d59fdf03ae4111d Mon Sep 17 00:00:00 2001 From: Hypolite Petovan Date: Sun, 26 Nov 2017 14:46:08 -0500 Subject: [PATCH] Switch to User::authenticate - Removed hash('whirlpool') to check password --- include/api.php | 15 +++------ include/auth.php | 75 +++++++++++++++++++++------------------------ mod/removeme.php | 4 +-- mod/settings.php | 9 ++---- src/Util/ExAuth.php | 5 +-- 5 files changed, 46 insertions(+), 62 deletions(-) diff --git a/include/api.php b/include/api.php index a5e806384..e0dc413c2 100644 --- a/include/api.php +++ b/include/api.php @@ -12,6 +12,7 @@ use Friendica\Core\Config; use Friendica\Core\NotificationsManager; use Friendica\Core\Worker; use Friendica\Database\DBM; +use Friendica\Model\User; use Friendica\Network\HTTPException; use Friendica\Network\HTTPException\BadRequestException; use Friendica\Network\HTTPException\ForbiddenException; @@ -190,7 +191,6 @@ function api_login(App $a) $user = $_SERVER['PHP_AUTH_USER']; $password = $_SERVER['PHP_AUTH_PW']; - $encrypted = hash('whirlpool', trim($password)); // allow "user@server" login (but ignore 'server' part) $at = strstr($user, "@", true); @@ -218,16 +218,9 @@ function api_login(App $a) if (($addon_auth['authenticated']) && (count($addon_auth['user_record']))) { $record = $addon_auth['user_record']; } else { - // process normal login request - $r = q( - "SELECT * FROM `user` WHERE (`email` = '%s' OR `nickname` = '%s') - AND `password` = '%s' AND NOT `blocked` AND NOT `account_expired` AND NOT `account_removed` AND `verified` LIMIT 1", - dbesc(trim($user)), - dbesc(trim($user)), - dbesc($encrypted) - ); - if (DBM::is_result($r)) { - $record = $r[0]; + $user_id = User::authenticate(trim($user), trim($password)); + if ($user_id) { + $record = dba::select('user', [], ['uid' => $user_id], ['limit' => 1]); } } diff --git a/include/auth.php b/include/auth.php index 90509468c..181ba71a6 100644 --- a/include/auth.php +++ b/include/auth.php 
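Review bot: The query removed from api_login also required `NOT blocked AND NOT account_expired AND NOT account_removed AND verified`, and the new `User::authenticate(trim($user), trim($password))` branch followed by `dba::select('user', [], ['uid' => $user_id], ['limit' => 1])` carries none of those conditions, so unless User::authenticate enforces them itself (its body is outside this patch) blocked, expired, removed or unverified accounts could now authenticate through the API. The auth.php hunk at @@ -157 replaces a WHERE clause with the same account-state conditions and has the same question. If the checks do live in User::authenticate, a one-line comment at the call site, `// User::authenticate() rejects blocked/expired/removed/unverified accounts`, would record the dependency; if not, the state conditions need to be re-added to the `dba::select` condition or checked on `$record` before it is used. api_login continues outside the hunk.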
@@ -4,6 +4,7 @@ use Friendica\App; use Friendica\Core\System; use Friendica\Core\Config; use Friendica\Database\DBM; +use Friendica\Model\User; require_once 'include/security.php'; require_once 'include/datetime.php'; 
@@ -98,41 +99,44 @@ if (isset($_SESSION) && x($_SESSION, 'authenticated') && (!x($_POST, 'auth-param } } else { session_unset(); - if (x($_POST, 'password') && strlen($_POST['password'])) { - $encrypted = hash('whirlpool', trim($_POST['password'])); - } else { - if ((x($_POST, 'openid_url')) && strlen($_POST['openid_url']) || - (x($_POST, 'username')) && strlen($_POST['username'])) { + if ( + !(x($_POST, 'password') && strlen($_POST['password'])) + && ( + x($_POST, 'openid_url') && strlen($_POST['openid_url']) + || x($_POST, 'username') && strlen($_POST['username']) + ) + ) { + $noid = Config::get('system', 'no_openid'); - $noid = Config::get('system', 'no_openid'); + $openid_url = trim(strlen($_POST['openid_url']) ? $_POST['openid_url'] : $_POST['username']); - $openid_url = trim((strlen($_POST['openid_url']) ? $_POST['openid_url'] : $_POST['username'])); + // validate_url alters the calling parameter - // validate_url alters the calling parameter - $temp_string = $openid_url; + $temp_string = $openid_url; - // if it's an email address or doesn't resolve to a URL, fail. - if ($noid || strpos($temp_string, '@') || !validate_url($temp_string)) { - $a = get_app(); - notice(t('Login failed.') . EOL); - goaway(System::baseUrl()); - // NOTREACHED - } + // if it's an email address or doesn't resolve to a URL, fail. - // Otherwise it's probably an openid. - try { - require_once('library/openid.php'); - $openid = new LightOpenID; - $openid->identity = $openid_url; - $_SESSION['openid'] = $openid_url; - $_SESSION['remember'] = $_POST['remember']; - $openid->returnUrl = System::baseUrl(true) . '/openid'; - goaway($openid->authUrl()); - } catch (Exception $e) { - notice(t('We encountered a problem while logging in with the OpenID you provided. Please check the correct spelling of the ID.') . '

' . t('The error message was:') . ' ' . $e->getMessage()); - } + if ($noid || strpos($temp_string, '@') || !validate_url($temp_string)) { + $a = get_app(); + notice(t('Login failed.') . EOL); + goaway(System::baseUrl()); // NOTREACHED } + + // Otherwise it's probably an openid. + + try { + require_once('library/openid.php'); + $openid = new LightOpenID; + $openid->identity = $openid_url; + $_SESSION['openid'] = $openid_url; + $_SESSION['remember'] = $_POST['remember']; + $openid->returnUrl = System::baseUrl(true) . '/openid'; + goaway($openid->authUrl()); + } catch (Exception $e) { + notice(t('We encountered a problem while logging in with the OpenID you provided. Please check the correct spelling of the ID.') . '

' . t('The error message was:') . ' ' . $e->getMessage()); + } + // NOTREACHED } if (x($_POST, 'auth-params') && $_POST['auth-params'] === 'login') { @@ -157,18 +161,9 @@ if (isset($_SESSION) && x($_SESSION, 'authenticated') && (!x($_POST, 'auth-param if ($addon_auth['authenticated'] && count($addon_auth['user_record'])) { $record = $addon_auth['user_record']; } else { - - // process normal login request - - $r = q("SELECT `user`.*, `user`.`pubkey` as `upubkey`, `user`.`prvkey` as `uprvkey` - FROM `user` WHERE (`email` = '%s' OR `nickname` = '%s') - AND `password` = '%s' AND NOT `blocked` AND NOT `account_expired` AND NOT `account_removed` AND `verified` LIMIT 1", - dbesc(trim($_POST['username'])), - dbesc(trim($_POST['username'])), - dbesc($encrypted) - ); - if (DBM::is_result($r)) { - $record = $r[0]; + $user_id = User::authenticate(trim($_POST['username']), trim($_POST['password'])); + if ($user_id) { + $record = dba::select('user', [], ['uid' => $user_id], ['limit' => 1]); } } diff --git a/mod/removeme.php b/mod/removeme.php index 2f4349a70..bf5969982 100644 --- a/mod/removeme.php +++ b/mod/removeme.php @@ -26,9 +26,7 @@ function removeme_post(App $a) return; } - $encrypted = hash('whirlpool',trim($_POST['qxz_password'])); - - if ((strlen($a->user['password'])) && ($encrypted === $a->user['password'])) { + if (User::authenticate($a->user['uid'], trim($_POST['qxz_password']))) { User::remove($a->user['uid']); // NOTREACHED } diff --git a/mod/settings.php b/mod/settings.php index 6a32b7ed0..7628f7782 100644 --- a/mod/settings.php +++ b/mod/settings.php @@ -9,6 +9,7 @@ use Friendica\Core\Config; use Friendica\Core\PConfig; use Friendica\Database\DBM; use Friendica\Model\GlobalContact; +use Friendica\Model\User; require_once 'include/group.php'; @@ -371,7 +372,6 @@ function settings_post(App $a) { $newpass = $_POST['password']; $confirm = $_POST['confirm']; - $oldpass = hash('whirlpool', $_POST['opassword']); $err = false; if ($newpass != $confirm) { 
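Review bot: The new `// NOTREACHED` comment placed after the try/catch is inaccurate for the catch path: `goaway($openid->authUrl())` only terminates the request when authUrl() succeeds, while the catch branch calls `notice(...)` and then continues to the `auth-params === 'login'` check that follows the block. Either make the failure path terminate the way the `validate_url` failure above it does, by adding `goaway(System::baseUrl());` at the end of the catch block, or reword the comment to `// NOTREACHED on success; the catch branch falls through to the login handler`. As a point of style, the inner condition `x($_POST, 'openid_url') && strlen($_POST['openid_url']) || x($_POST, 'username') && strlen($_POST['username'])` relies on `&&` binding tighter than `||`; wrapping each side in parentheses would make the grouping explicit. The enclosing `else` branch and its parent `if` start before this hunk.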
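Review bot: The removed query in auth.php at @@ -157 aliased `user.pubkey AS upubkey` and `user.prvkey AS uprvkey`, but the replacement `dba::select('user', [], ['uid' => $user_id], ['limit' => 1])` returns only the raw column names, so any later reader of `$record['upubkey']` or `$record['uprvkey']` (not visible in this hunk) would now hit an undefined index. If those keys are still consumed, restore them after the select, `$record['upubkey'] = $record['pubkey']; $record['uprvkey'] = $record['prvkey'];`, or confirm that no remaining code reads them and note that in the commit message. The enclosing `else` block starts before this hunk.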
@@ -386,8 +386,7 @@ function settings_post(App $a) { // check if the old password was supplied correctly before // changing it to the new value - $r = q("SELECT `password` FROM `user`WHERE `uid` = %d LIMIT 1", intval(local_user())); - if ($oldpass != $r[0]['password']) { + if (User::authenticate(intval(local_user()), $_POST['opassword'])) { notice(t('Wrong password.') . EOL); $err = true; } @@ -501,9 +500,7 @@ function settings_post(App $a) { if ($email != $a->user['email']) { $email_changed = true; // check for the correct password - $r = q("SELECT `password` FROM `user`WHERE `uid` = %d LIMIT 1", intval(local_user())); - $password = hash('whirlpool', $_POST['mpassword']); - if ($password != $r[0]['password']) { + if (!User::authenticate(intval(local_user()), $_POST['mpassword'])) { $err .= t('Wrong Password') . EOL; $email = $a->user['email']; } diff --git a/src/Util/ExAuth.php b/src/Util/ExAuth.php index aa3300c4e..f4dc7c052 100644 --- a/src/Util/ExAuth.php +++ b/src/Util/ExAuth.php @@ -37,6 +37,7 @@ namespace Friendica\Util; use Friendica\Core\Config; use Friendica\Core\PConfig; use Friendica\Database\DBM; +use Friendica\Model\User; use dba; require_once 'include/dba.php'; @@ -217,8 +218,8 @@ class ExAuth $aUser = dba::select('user', ['uid', 'password'], ['nickname' => $sUser], ['limit' => 1]); if (DBM::is_result($aUser)) { - $uid = $aUser['uid']; - $Error = $aUser['password'] != hash('whirlpool', $aCommand[3]); + $uid = User::authenticate($aUser, $aCommand[3]); + $Error = $uid === false; } else { $this->writeLog(LOG_WARNING, 'user not found: ' . $sUser); $Error = true;
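Review bot: The old-password check in settings_post at @@ -386 is inverted: `if (User::authenticate(intval(local_user()), $_POST['opassword']))` raises 'Wrong password.' when the supplied current password is correct and lets the change proceed when it is wrong, reversing the removed `$oldpass != $r[0]['password']` test. The sibling hunk at @@ -501 negates the same call (`if (!User::authenticate(intval(local_user()), $_POST['mpassword']))`), and that is the form intended here too: `if (!User::authenticate(intval(local_user()), $_POST['opassword'])) {`. Because this guard protects the account-password change, the inversion both breaks the feature for legitimate users and removes the re-authentication that a stolen session would otherwise have to pass. settings_post continues outside the hunk.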
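Review bot: `User::authenticate($aUser, $aCommand[3])` in ExAuth passes the whole result row, whereas every other call site in this patch passes a nickname/email string or an integer uid; if User::authenticate does not accept an array, this should be `$uid = User::authenticate($aUser['uid'], $aCommand[3]);` to match removeme.php and settings.php, and if it does, a comment such as `// pass the fetched row so authenticate() can verify without a second lookup` would explain why `password` is still in the select's field list. `$Error = $uid === false;` also assumes a strict `false` on failure while api.php and auth.php test `if ($user_id)`; one convention across the call sites (here `$Error = !$uid;` if truthiness is the contract) would avoid divergent behaviour if the return type ever changes. The enclosing method starts before this hunk.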