[aur-dev] [PATCH] Use bcrypt to hash passwords
Lukas Fleischer
lfleischer at archlinux.org
Fri Feb 24 21:08:13 UTC 2017
On Fri, 24 Feb 2017 at 22:02:04, Lukas Fleischer wrote:
> Replace the default hash function used for storing passwords by
> password_hash() which internally uses bcrypt. Legacy MD5 hashes are
> still supported and are immediately converted to the new format when a
> user logs in.
>
> Since big parts of the authentication system needed to be rewritten in
> this context, this patch also includes some simplification and
> refactoring of all code related to password checking and resetting.
>
> Fixes FS#52297.
>
> Signed-off-by: Lukas Fleischer <lfleischer at archlinux.org>
> ---
> This replaces the SHA-512 patch sent earlier. Thanks to Johannes for
> suggesting to use bcrypt instead!
>
> Again, it would be great if somebody could review the new patch!
>
> schema/aur-schema.sql | 2 +-
> upgrading/4.5.0.txt | 6 ++
> web/html/passreset.php | 5 +-
> web/lib/acctfuncs.inc.php | 144 +++++++++++++++++++---------------------------
> web/lib/aur.inc.php | 57 ------------------
> 5 files changed, 67 insertions(+), 147 deletions(-)
> [...]
> + /* Get password version, hash, as well as salt and authenticate. */
> + $q = "SELECT Passwd, Salt FROM Users WHERE ID = " . intval($user_id);
> [...]
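Review bot: The comment above `$q` refers to a "password version" and a salt, but the SELECT fetches only `Passwd` and `Salt`, so a reader cannot tell from this hunk how a legacy MD5 row is told apart from a bcrypt one; since the commit message says MD5 hashes are still accepted and converted on login, either select the column that carries the version or update the comment to state which field (for example a non-empty `Salt`) marks a legacy entry.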
I forgot to update this comment. Fixed on pu.
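The migration the commit message describes (legacy MD5 entries accepted once, then rewritten with password_hash() on login) can be sketched as follows. This is an added example, not code from the patch or the AUR repository. It assumes, for illustration only, that a legacy row stores md5($salt . $password) with a non-empty Salt and that a bcrypt row has an empty Salt; the real AUR layout and column semantics are not taken from the page.

```php
<?php
// Added example (not the AUR's own code): accept a legacy salted-MD5 entry
// once, then transparently rehash it with bcrypt via password_hash().
// ASSUMPTIONS (not from the patch): legacy rows are md5($salt . $password)
// with a non-empty 'Salt'; bcrypt rows have an empty 'Salt'.

function legacy_md5_matches(string $password, string $salt, string $stored): bool
{
    // Constant-time comparison even for the legacy scheme.
    return hash_equals($stored, md5($salt . $password));
}

/**
 * Verify $password against $row ('Passwd', 'Salt'), and upgrade the row to
 * bcrypt in place when it is still a legacy entry or when the bcrypt cost
 * has changed. Sets $row['needs_update'] so the caller can persist it.
 */
function verify_and_upgrade(string $password, array &$row): bool
{
    if ($row['Salt'] !== '') {
        // Legacy entry: check with the old scheme, then rehash with bcrypt.
        if (!legacy_md5_matches($password, $row['Salt'], $row['Passwd'])) {
            return false;
        }
        $row['Passwd'] = password_hash($password, PASSWORD_BCRYPT);
        $row['Salt'] = '';            // bcrypt embeds its own salt in the hash
        $row['needs_update'] = true;
        return true;
    }

    if (!password_verify($password, $row['Passwd'])) {
        return false;
    }

    // Rehash when the configured bcrypt cost differs from the stored one.
    if (password_needs_rehash($row['Passwd'], PASSWORD_BCRYPT)) {
        $row['Passwd'] = password_hash($password, PASSWORD_BCRYPT);
        $row['needs_update'] = true;
    }
    return true;
}

// Constructed demo data: one legacy user, logged in with a wrong and then a
// correct password; the third call exercises the bcrypt path.
$salt = 'abc123';
$user = ['Passwd' => md5($salt . 'correct horse'), 'Salt' => $salt];

var_dump(verify_and_upgrade('wrong', $user));
var_dump(verify_and_upgrade('correct horse', $user));
var_dump(strpos($user['Passwd'], '$2y$') === 0);
var_dump(verify_and_upgrade('correct horse', $user));
```

The caller is expected to write the new Passwd and cleared Salt back to the Users table whenever needs_update is set; doing the rewrite only on a successful login is what limits the window in which MD5 entries remain in the database.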