[arch-general] Can't login to flyspray
Markus Schaaf
markuschaaf at gmail.com
Fri Apr 16 19:00:52 UTC 2021
Am 16.04.21 um 20:31 schrieb Justin Capella via arch-general:
> Can't help but think that if there is a length limit to a password it is
> plaintext in the database.
Good catch, but no:
https://github.com/Flyspray/flyspray/blob/master/scripts/authenticate.php
> Latest commit 1528f9d on 2 Sep 2019
> # upgrade from unsalted md5 or unsalted sha1 or unsalted sha512 to better
> if($conf['general']['passwdcrypt']=='argon2i'){
> $newhash=password_hash($password, PASSWORD_ARGON2I);
> }else{
> $cryptoptions=array('cost'=>12);
> $newhash=password_hash($password, PASSWORD_BCRYPT, $cryptoptions);
> }
> # save the new hash
> $db->query("UPDATE {users} SET user_pass=? WHERE user_id=?", array($newhash, $user_id));
More information about the arch-general
mailing list