commit 3933aaaa49d7188a620877ff8adbc4262c61c4ef
parent addbaf23d01e973961d1dd415ff63b499e2f834c
Author: dankert <devnull@localhost>
Date: Sat, 20 Feb 2010 01:48:21 +0100
Kennwort-"Salt", um Angriffe mit Rainbow-Tabellen zu vermeiden.
Diffstat:
2 files changed, 35 insertions(+), 3 deletions(-)
diff --git a/config/security.ini.php b/config/security.ini.php
@@ -118,6 +118,15 @@ random_length=8
; minimum passwort length
min_length=5
+; Password "salt"
+; '' : no salt (default)
+; 'id' : salt the password with userid
+; 'username': salt the password with username
+; 'custom' : use the 'salt_text'-setting
+salt = ""
+
+salt_text = "somerandomtext"
+
; this section is needed if the setting "auth/type" is 'http'.
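Review bot: The documented value `'id'` for the new `salt` option never takes effect, because `saltPassword()` in the @@ -1101 hunk of objectClasses/User.class.php switches on `case 'userid':`; a deployment that sets `salt = "id"` as this comment instructs falls through to `default` and silently stores and compares unsalted hashes. Either the comment should read `; 'userid' : salt the password with userid` or the case label should be `case 'id':`, and the two must stay in step. `salt_text` also ships with the placeholder `"somerandomtext"` as a live value; a comment such as `; replace with a long random string before setting salt = "custom"` would stop that placeholder going into production. Since the salt is folded into every stored hash, a note like `; changing this value invalidates all existing password hashes` would also help operators.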
@@ -135,7 +144,7 @@ url = "http://example.net/restricted-area"
; and so the user must only remember 1 password.
[authdb]
-; 'mysql' or 'postgresql'
+; 'mysql', 'postgresql' or 'sqlite'
type = postgresql
user = dbuser
diff --git a/objectClasses/User.class.php b/objectClasses/User.class.php
@@ -703,7 +703,7 @@ SQL
// Login nicht erfolgreich
return false;
}
- elseif ( $row_user['password'] == md5( $password ) )
+ elseif ( $row_user['password'] == md5( $this->saltPassword($password) ) )
{
// Die Kennwort-Pr�fsumme stimmt mit dem aus der Datenbank �berein.
// Juchuu, Login ist erfolgreich.
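Review bot: The new comparison still uses loose `==` between two hash strings; PHP compares numeric-looking strings such as `0e123…` as numbers under `==`, so two different digests of that shape test equal. Use strict comparison: `elseif ( $row_user['password'] === md5( $this->saltPassword($password) ) )`. md5 is a fast digest, so the salt only defeats precomputed tables, not brute force against a leaked hash; a slower, iterated hash would be worth considering when the column format allows it. The enclosing if/elseif chain and its function begin before this hunk.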
@@ -771,7 +771,7 @@ SQL
'WHERE id={userid}' );
if ( $always )
- $sql->setString('password',md5($password) );
+ $sql->setString('password',md5($this->saltPassword($password)) );
else
$sql->setString('password',$password );
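Review bot: `md5($this->saltPassword($password))` is now written out here and again in the @@ -703 hunk, so any later change to the digest or salt scheme has to be made in two places and the two sites can drift apart. A small helper such as `function hashPassword( $pass ) { return md5( $this->saltPassword($pass) ); }` called from both sites keeps them consistent. The `else` branch still writes `$password` into the column unchanged; that is pre-existing, but a comment stating when a non-hashed value is intended here would make the `$always` flag self-explanatory. The enclosing function starts outside the hunk.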
@@ -1101,6 +1101,29 @@ SQL
return $pw;
}
+
+
+ /**
+ * Das Kennwort "salzen".
+ *
+ * @param Kennwort
+ * @return Das gesalzene Kennwort
+ */
+ function saltPassword( $pass )
+ {
+ switch( config('security','password','salt') )
+ {
+ case 'userid':
+ return $this->userid.$pass;
+ case 'username':
+ return $this->name.$pass;
+ case 'custom':
+ return config('security','password','salt_text').$pass;
+ default:
+ return $pass;
+ }
+
+ }
}
?>
\ No newline at end of file
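Review bot: In `'userid'` mode the salt is taken from `$this->userid`, but at the login comparison in the @@ -703 hunk the object is presumably populated from `$row_user` only after a successful match; if the id is still unset at that point the salt is an empty string and the hash written at @@ -771 (where the id is known) will never verify — worth confirming against the login path, and likewise for `$this->name` in `'username'` mode. The docblock also omits the parameter name and types; `@param string $pass Klartext-Kennwort` and `@return string` would document the contract. A comment on `default:` such as `// '' or unknown value: no salt` would make the fall-through explicit for readers of the config.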