Changeset 850

Timestamp:

02/09/04 09:56:57 (14 years ago)

Author:

saxmatt

Message:

MD5 passwords, including code from Robert Hartman and John Gray.

Location:

trunk

Files:

• wp-admin/auth.php (modified) (2 diffs)
• wp-admin/profile.php (modified) (2 diffs)
• wp-admin/upgrade-functions.php (modified) (1 diff)
• wp-admin/users.php (modified) (1 diff)
• wp-login.php (modified) (4 diffs)
• wp-register.php (modified) (1 diff)

trunk/wp-admin/auth.php

@@ -3 +3 @@
 require_once('../wp-config.php');
 
-/* checking login & pass in the database */
+/* Checking login & pass in the database */
 function veriflog() {
     global $HTTP_COOKIE_VARS,$cookiehash;
@@ -32 +32 @@
     }
 }
-//if ( $user_login!="" && $user_pass!="" && $id_session!="" && $adresse_ip==$REMOTE_ADDR) {
-//  if ( !(veriflog()) AND !(verifcookielog()) ) {
-    if (!(veriflog())) {
-        header('Expires: Wed, 11 Jan 1984 05:00:00 GMT');
-        header('Last-Modified: ' . gmdate('D, d M Y H:i:s') . ' GMT');
-        header('Cache-Control: no-cache, must-revalidate');
-        header('Pragma: no-cache');
-        if (!empty($HTTP_COOKIE_VARS["wordpressuser_".$cookiehash])) {
-            $error="<strong>Error</strong>: wrong login or password";
-        }
-        $redir = "Location: $siteurl/wp-login.php?redirect_to=" . urlencode($HTTP_SERVER_VARS["REQUEST_URI"]);
-        header($redir);
-        exit();
+
+if ( !veriflog() ) {
+    header('Expires: Wed, 11 Jan 1984 05:00:00 GMT');
+    header('Last-Modified: ' . gmdate('D, d M Y H:i:s') . ' GMT');
+    header('Cache-Control: no-cache, must-revalidate');
+    header('Pragma: no-cache');
+    if (!empty($HTTP_COOKIE_VARS["wordpressuser_".$cookiehash])) {
+        $error="<strong>Error</strong>: wrong login or password.";
     }
-//}
+    $redir = "Location: $siteurl/wp-login.php?redirect_to=" . urlencode($HTTP_SERVER_VARS["REQUEST_URI"]);
+    header($redir);
+    exit();
+}
+
 ?>

trunk/wp-admin/profile.php

@@ -76 +76 @@
             die ("<strong>ERROR</strong>: you typed two different passwords. Go back to correct that.");
         $newuser_pass = $HTTP_POST_VARS["pass1"];
-        $updatepassword = "user_pass='$newuser_pass', ";
+        $updatepassword = "user_pass=MD5('$newuser_pass'), ";
         setcookie("wordpresspass_".$cookiehash,md5($newuser_pass),time()+31536000);
     }
@@ -345 +345 @@
 
 /* </Profile | My Profile> */
-include('admin-footer.php') ?>
+include('admin-footer.php');
+ ?>

trunk/wp-admin/upgrade-functions.php

@@ -680 +680 @@
     maybe_add_column($tableusers, 'user_status', "ALTER TABLE `$tableusers` ADD `user_status` INT DEFAULT '0' NOT NULL ;");
     $wpdb->query("ALTER TABLE `$tableposts` CHANGE `comment_status` `comment_status` ENUM( 'open', 'closed', 'registered_only' ) DEFAULT 'open' NOT NULL");
-    
+
+    // Convert passwords to MD5 and update table appropiately
+    $query = 'DESCRIBE wp_users user_pass';
+    $res = $wpdb->get_results($query);
+    if ($res[0]['Type'] != 'varchar(32)') {
+        $wpdb->query('ALTER TABLE wp_users MODIFY user_pass varchar(64) not null');
+    }
+    
+    $query = 'SELECT ID, user_pass from wp_users';
+    foreach ($wpdb->get_results($query) as $row) {
+        if (!preg_match('/^[A-Fa-f0-9]{32}$/', $row->user_pass)) {
+               $wpdb->query('UPDATE wp_users SET user_pass = MD5(\''.$row->user_pass.'\') WHERE ID = \''.$row->ID.'\'');
+        }
+    }
 }
 

trunk/wp-admin/users.php

@@ -74 +74 @@
         (user_login, user_pass, user_nickname, user_email, user_ip, user_domain, user_browser, dateYMDhour, user_level, user_idmode, user_firstname, user_lastname)
     VALUES 
-        ('$user_login', '$pass1', '$user_nickname', '$user_email', '$user_ip', '$user_domain', '$user_browser', '$now', '$new_users_can_blog', 'nickname', '$user_firstname', '$user_lastname')");
+        ('$user_login', MD5('$pass1'), '$user_nickname', '$user_email', '$user_ip', '$user_domain', '$user_browser', '$now', '$new_users_can_blog', 'nickname', '$user_firstname', '$user_lastname')");
     
     if ($result == false) {

trunk/wp-login.php

@@ -60 +60 @@
 
     if(!empty($HTTP_POST_VARS)) {
-        $log = $HTTP_POST_VARS["log"];
-        $pwd = $HTTP_POST_VARS["pwd"];
-        $redirect_to = $HTTP_POST_VARS["redirect_to"];
+        $log = $HTTP_POST_VARS['log'];
+        $pwd = $HTTP_POST_VARS['pwd'];
+        $redirect_to = $HTTP_POST_VARS['redirect_to'];
     }
     
@@ -75 +75 @@
         global $tableusers, $pass_is_md5;
         $user_login = &$log;
+        $pwd = md5($pwd);
         $password = &$pwd;
         if (!$user_login) {
-            $error="<strong>ERROR</strong>: the login field is empty";
+            $error = '<strong>Error</strong>: the login field is empty.';
             return false;
         }
 
         if (!$password) {
-            $error="<strong>ERROR</strong>: the password field is empty";
-            return false;
-        }
-
-        if ('md5:' == substr($password, 0, 4)) {
-            $pass_is_md5 = 1;
-            $password = substr($password, 4, strlen($password));
-            $query = "SELECT ID, user_login, user_pass FROM $tableusers WHERE user_login = '$user_login' AND MD5(user_pass) = '$password'";
-        } else {
-            $pass_is_md5 = 0;
-            $query = "SELECT ID, user_login, user_pass FROM $tableusers WHERE user_login = '$user_login' AND user_pass = '$password'";
-        }
+            $error = '<strong>Error</strong>: the password field is empty.';
+            return false;
+        }
+
+        $query = "SELECT ID, user_login, user_pass FROM $tableusers WHERE user_login = '$user_login' AND user_pass = '$password'";
+    
         $login = $wpdb->get_row($query);
 
         if (!$login) {
-            $error = '<b>ERROR</b>: wrong login or password';
+            $error = '<strong>Error</strong>: wrong login or password.';
             $pwd = '';
             return false;
         } else {
         $user_ID = $login->ID;
-            if (($pass_is_md5 == 0 && $login->user_login == $user_login && $login->user_pass == $password) || ($pass_is_md5 == 1 && $login->user_login == $user_login && md5($login->user_pass) == $password)) {
+            if (($pass_is_md5 == 0 && $login->user_login == $user_login && $login->user_pass == $password) || ($pass_is_md5 == 1 && $login->user_login == $user_login && $login->user_pass == md5($password))) {
                 return true;
             } else {
-                $error = '<b>ERROR</b>: wrong login or password';
+                $error = '<strong>Error</strong>: wrong login or password.';
                 $pwd = '';
             return false;
@@ -127 +122 @@
         $user_pass = $pwd;
         setcookie('wordpressuser_'.$cookiehash, $user_login, time()+31536000);
-        if ($pass_is_md5) {
-            setcookie('wordpresspass_'.$cookiehash, $user_pass, time()+31536000);
-        } else {
-            setcookie('wordpresspass_'.$cookiehash, md5($user_pass), time()+31536000);
-        }
+        setcookie('wordpresspass_'.$cookiehash, md5($user_pass), time()+31536000);
         if (empty($HTTP_COOKIE_VARS['wordpressblogid_'.$cookiehash])) {
             setcookie('wordpressblogid_'.$cookiehash, 1,time()+31536000);
@@ -228 +219 @@
         echo "<p>The email was sent successfully to $user_login's email address.<br />
         <a href='wp-login.php' title='Check your email first, of course'>Click here to login!</a></p>";
+        // send a copy of password change notification to the admin
+        mail($admin_email, "[$blogname] Password Lost/Change", "Password Lost and Changed for user: $user_login");
         die();
     }

trunk/wp-register.php

@@ -93 +93 @@
         (user_login, user_pass, user_nickname, user_email, user_ip, user_domain, user_browser, dateYMDhour, user_level, user_idmode)
     VALUES 
-        ('$user_login', '$pass1', '$user_nickname', '$user_email', '$user_ip', '$user_domain', '$user_browser', '$now', '$new_users_can_blog', 'nickname')");
+        ('$user_login', MD5('$pass1'), '$user_nickname', '$user_email', '$user_ip', '$user_domain', '$user_browser', '$now', '$new_users_can_blog', 'nickname')");
     
     if ($result == false) {