On Fri, 24 Feb 2017 at 22:02:04, Lukas Fleischer wrote:
Replace the default hash function used for storing passwords with password_hash(), which internally uses bcrypt. Legacy MD5 hashes are still supported and are immediately converted to the new format when a user logs in.
Since big parts of the authentication system needed to be rewritten in this context, this patch also includes some simplification and refactoring of all code related to password checking and resetting.
Fixes FS#52297.
Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
---
This replaces the SHA-512 patch sent earlier. Thanks to Johannes for suggesting bcrypt instead!
Again, it would be great if somebody could review the new patch!
schema/aur-schema.sql | 2 +- upgrading/4.5.0.txt | 6 ++ web/html/passreset.php | 5 +- web/lib/acctfuncs.inc.php | 144 +++++++++++++++++++--------------------------- web/lib/aur.inc.php | 57 ------------------ 5 files changed, 67 insertions(+), 147 deletions(-) [...] + /* Get password version, hash, as well as salt and authenticate. */ + $q = "SELECT Passwd, Salt FROM Users WHERE ID = " . intval($user_id); [...]
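Review bot: the comment above the query in acctfuncs.inc.php still speaks of a "password version", but the query only selects Passwd and Salt; update the comment to describe what is actually fetched, e.g. /* Fetch the stored hash and the legacy salt, then authenticate. */. Since password_hash() embeds its own random salt in the returned string, the Salt column is only meaningful for rows still holding a legacy MD5 hash; saying so in the comment (or in upgrading/4.5.0.txt) would spare the next reader the same confusion.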
I forgot to update this comment. Fixed on pu.
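The login-time migration the commit message describes, written out as an added example (this is not aurweb's code and does not claim to match its exact legacy format): a Users row is modelled as an array with Passwd and Salt, a legacy hash is assumed to be hex MD5 over salt . password (an assumption, the real legacy scheme may differ), and bcrypt hashes are produced by password_hash() and checked with password_verify(). The helper names authenticate(), is_legacy_md5() and legacy_md5_hash() are hypothetical. Requires PHP 7.1 or newer.

```php
<?php
declare(strict_types=1);

// Added example, not aurweb code. Assumptions: a Users row is an associative
// array with 'Passwd' and 'Salt'; legacy hashes are lowercase hex MD5 over
// salt . password (assumed format); bcrypt hashes come from password_hash().

const BCRYPT_OPTIONS = ['cost' => 12];

function is_legacy_md5(string $stored): bool
{
    // A bcrypt string starts with "$2y$"; a raw 32-char hex string is the old format.
    return (bool) preg_match('/^[0-9a-f]{32}$/', $stored);
}

function legacy_md5_hash(string $salt, string $password): string
{
    return md5($salt . $password); // assumed legacy scheme, see lead-in
}

/**
 * Verify $password against the stored row. On success return the row,
 * with the hash upgraded to bcrypt when it was still MD5 (or when bcrypt
 * was used with a weaker cost than BCRYPT_OPTIONS). Return null on failure.
 */
function authenticate(array $row, string $password): ?array
{
    $stored = $row['Passwd'];

    if (is_legacy_md5($stored)) {
        $expected = legacy_md5_hash($row['Salt'], $password);
        if (!hash_equals($expected, $stored)) {   // constant-time comparison
            return null;
        }
        // Legacy match: rehash right away. bcrypt keeps its own random salt
        // inside the hash string, so the separate Salt column is no longer used.
        $row['Passwd'] = password_hash($password, PASSWORD_BCRYPT, BCRYPT_OPTIONS);
        $row['Salt'] = '';
        return $row;
    }

    if (!password_verify($password, $stored)) {
        return null;
    }
    // Already bcrypt: still bump the cost if the stored hash is weaker than current policy.
    if (password_needs_rehash($stored, PASSWORD_BCRYPT, BCRYPT_OPTIONS)) {
        $row['Passwd'] = password_hash($password, PASSWORD_BCRYPT, BCRYPT_OPTIONS);
    }
    return $row;
}

// Constructed sample data standing in for the Users table.
$users = [
    1 => ['Passwd' => md5('s4lt' . 'correct horse'), 'Salt' => 's4lt'],          // legacy MD5 row
    2 => ['Passwd' => password_hash('hunter2', PASSWORD_BCRYPT, ['cost' => 4]), // old, low-cost bcrypt
          'Salt' => ''],
];

foreach ([[1, 'correct horse'], [1, 'wrong'], [2, 'hunter2']] as [$id, $pw]) {
    $result = authenticate($users[$id], $pw);
    if ($result === null) {
        echo "user $id: login failed\n";
        continue;
    }
    $users[$id] = $result; // in the real code this is an UPDATE Users SET Passwd = ... WHERE ID = ...
    $kind = substr($result['Passwd'], 0, 4) === '$2y$' ? 'bcrypt' : 'legacy';
    echo "user $id: login ok, stored hash is now $kind\n";
}
```

Two caveats a reviewer would check in the real patch: the rehash must be persisted in the same request that verified the password (the plaintext is only available then), and the failure path for a user ID that does not exist should still run a password_verify() against a dummy hash so that response time does not reveal which accounts exist. bcrypt also only uses the first 72 bytes of the password, which is worth documenting if the old scheme accepted longer ones.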