
Changeset 850


Timestamp:
02/09/04 09:56:57 (10 years ago)
Author:
saxmatt
Message:

MD5 passwords, including code from Robert Hartman and John Gray.

Location:
trunk
Files:
6 edited

  • trunk/wp-admin/auth.php

    r601 r850  
    33require_once('../wp-config.php'); 
    44 
    5 /* checking login & pass in the database */ 
     5/* Checking login & pass in the database */ 
    66function veriflog() { 
    77    global $HTTP_COOKIE_VARS,$cookiehash; 
     
    3232    } 
    3333} 
    34 //if ( $user_login!="" && $user_pass!="" && $id_session!="" && $adresse_ip==$REMOTE_ADDR) { 
    35 //  if ( !(veriflog()) AND !(verifcookielog()) ) { 
    36     if (!(veriflog())) { 
    37         header('Expires: Wed, 11 Jan 1984 05:00:00 GMT'); 
    38         header('Last-Modified: ' . gmdate('D, d M Y H:i:s') . ' GMT'); 
    39         header('Cache-Control: no-cache, must-revalidate'); 
    40         header('Pragma: no-cache'); 
    41         if (!empty($HTTP_COOKIE_VARS["wordpressuser_".$cookiehash])) { 
    42             $error="<strong>Error</strong>: wrong login or password"; 
    43         } 
    44         $redir = "Location: $siteurl/wp-login.php?redirect_to=" . urlencode($HTTP_SERVER_VARS["REQUEST_URI"]); 
    45         header($redir); 
    46         exit(); 
     34 
     35if ( !veriflog() ) { 
     36    header('Expires: Wed, 11 Jan 1984 05:00:00 GMT'); 
     37    header('Last-Modified: ' . gmdate('D, d M Y H:i:s') . ' GMT'); 
     38    header('Cache-Control: no-cache, must-revalidate'); 
     39    header('Pragma: no-cache'); 
     40    if (!empty($HTTP_COOKIE_VARS["wordpressuser_".$cookiehash])) { 
     41        $error="<strong>Error</strong>: wrong login or password."; 
    4742    } 
    48 //} 
     43    $redir = "Location: $siteurl/wp-login.php?redirect_to=" . urlencode($HTTP_SERVER_VARS["REQUEST_URI"]); 
     44    header($redir); 
     45    exit(); 
     46} 
     47 
    4948?> 
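Review bot: The `$error` string assigned on new line 41 is dead: the block sends a Location header and calls exit() on lines 44-45 before anything could render it, so the user never sees "wrong login or password". Either drop the assignment or carry the reason across the redirect, e.g. append `&error=1` to `$redir` and let wp-login.php print the message. The outcome also hinges on veriflog(), whose body lies outside this hunk, so whether it checks the `wordpresspass_` cookie against the new MD5 storage format cannot be confirmed from here.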
  • trunk/wp-admin/profile.php

    r818 r850  
    7676            die ("<strong>ERROR</strong>: you typed two different passwords. Go back to correct that."); 
    7777        $newuser_pass = $HTTP_POST_VARS["pass1"]; 
    78         $updatepassword = "user_pass='$newuser_pass', "; 
     78        $updatepassword = "user_pass=MD5('$newuser_pass'), "; 
    7979        setcookie("wordpresspass_".$cookiehash,md5($newuser_pass),time()+31536000); 
    8080    } 
     
    345345 
    346346/* </Profile | My Profile> */ 
    347 include('admin-footer.php') ?> 
     347include('admin-footer.php'); 
     348 ?> 
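Review bot: New line 78 still interpolates the raw `$newuser_pass` into the SQL string, only now inside `MD5('...')`, so a password containing a quote breaks the statement and the plaintext also travels to the database server where it can land in query logs. Hash in PHP and send only hex, which is what line 79 already does for the cookie: `$updatepassword = "user_pass='" . md5($newuser_pass) . "', ";`. The same `MD5('$pass1')` pattern is introduced in trunk/wp-admin/users.php line 76 and trunk/wp-register.php line 95 and takes the same fix. Unsalted MD5 is also a fast digest that is cheap to brute-force offline; a salted, iterated scheme is the stronger choice for stored credentials. The if-block these lines belong to opens outside the hunk.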
  • trunk/wp-admin/upgrade-functions.php

    r821 r850  
    680680    maybe_add_column($tableusers, 'user_status', "ALTER TABLE `$tableusers` ADD `user_status` INT DEFAULT '0' NOT NULL ;"); 
    681681    $wpdb->query("ALTER TABLE `$tableposts` CHANGE `comment_status` `comment_status` ENUM( 'open', 'closed', 'registered_only' ) DEFAULT 'open' NOT NULL"); 
    682      
     682 
     683    // Convert passwords to MD5 and update table appropiately 
     684    $query = 'DESCRIBE wp_users user_pass'; 
     685    $res = $wpdb->get_results($query); 
     686    if ($res[0]['Type'] != 'varchar(32)') { 
     687        $wpdb->query('ALTER TABLE wp_users MODIFY user_pass varchar(64) not null'); 
     688    } 
     689     
     690    $query = 'SELECT ID, user_pass from wp_users'; 
     691    foreach ($wpdb->get_results($query) as $row) { 
     692        if (!preg_match('/^[A-Fa-f0-9]{32}$/', $row->user_pass)) { 
     693               $wpdb->query('UPDATE wp_users SET user_pass = MD5(\''.$row->user_pass.'\') WHERE ID = \''.$row->ID.'\''); 
     694        } 
     695    } 
    683696} 
    684697 
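Review bot: The UPDATE on new line 693 splices each stored plaintext `$row->user_pass` straight into SQL, so any legacy password containing a quote breaks the migration mid-loop and every plaintext is shipped to the server to be hashed there; hash in PHP instead: `$wpdb->query("UPDATE $tableusers SET user_pass = '" . md5($row->user_pass) . "' WHERE ID = " . (int) $row->ID);`. Line 686 reads the DESCRIBE result as an array (`$res[0]['Type']`) while lines 691-692 treat rows from the same get_results() as objects (`$row->user_pass`), so one of the two accesses is presumably wrong. The block also hard-codes `wp_users` on lines 684, 687 and 690 although line 680 uses `$tableusers` for the same table, and line 686 tests for varchar(32) while line 687 widens to varchar(64); a one-line comment stating why 64 is chosen would help. The enclosing function opens outside the hunk.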
  • trunk/wp-admin/users.php

    r783 r850  
    7474        (user_login, user_pass, user_nickname, user_email, user_ip, user_domain, user_browser, dateYMDhour, user_level, user_idmode, user_firstname, user_lastname) 
    7575    VALUES  
    76         ('$user_login', '$pass1', '$user_nickname', '$user_email', '$user_ip', '$user_domain', '$user_browser', '$now', '$new_users_can_blog', 'nickname', '$user_firstname', '$user_lastname')"); 
     76        ('$user_login', MD5('$pass1'), '$user_nickname', '$user_email', '$user_ip', '$user_domain', '$user_browser', '$now', '$new_users_can_blog', 'nickname', '$user_firstname', '$user_lastname')"); 
    7777     
    7878    if ($result == false) { 
  • trunk/wp-login.php

    r820 r850  
    6060 
    6161    if(!empty($HTTP_POST_VARS)) { 
    62         $log = $HTTP_POST_VARS["log"]; 
    63         $pwd = $HTTP_POST_VARS["pwd"]; 
    64         $redirect_to = $HTTP_POST_VARS["redirect_to"]; 
     62        $log = $HTTP_POST_VARS['log']; 
     63        $pwd = $HTTP_POST_VARS['pwd']; 
     64        $redirect_to = $HTTP_POST_VARS['redirect_to']; 
    6565    } 
    6666     
     
    7575        global $tableusers, $pass_is_md5; 
    7676        $user_login = &$log; 
     77        $pwd = md5($pwd); 
    7778        $password = &$pwd; 
    7879        if (!$user_login) { 
    79             $error="<strong>ERROR</strong>: the login field is empty"; 
     80            $error = '<strong>Error</strong>: the login field is empty.'; 
    8081            return false; 
    8182        } 
    8283 
    8384        if (!$password) { 
    84             $error="<strong>ERROR</strong>: the password field is empty"; 
    85             return false; 
    86         } 
    87  
    88         if ('md5:' == substr($password, 0, 4)) { 
    89             $pass_is_md5 = 1; 
    90             $password = substr($password, 4, strlen($password)); 
    91             $query = "SELECT ID, user_login, user_pass FROM $tableusers WHERE user_login = '$user_login' AND MD5(user_pass) = '$password'"; 
    92         } else { 
    93             $pass_is_md5 = 0; 
    94             $query = "SELECT ID, user_login, user_pass FROM $tableusers WHERE user_login = '$user_login' AND user_pass = '$password'"; 
    95         } 
     85            $error = '<strong>Error</strong>: the password field is empty.'; 
     86            return false; 
     87        } 
     88 
     89        $query = "SELECT ID, user_login, user_pass FROM $tableusers WHERE user_login = '$user_login' AND user_pass = '$password'"; 
     90     
    9691        $login = $wpdb->get_row($query); 
    9792 
    9893        if (!$login) { 
    99             $error = '<b>ERROR</b>: wrong login or password'; 
     94            $error = '<strong>Error</strong>: wrong login or password.'; 
    10095            $pwd = ''; 
    10196            return false; 
    10297        } else { 
    10398        $user_ID = $login->ID; 
    104             if (($pass_is_md5 == 0 && $login->user_login == $user_login && $login->user_pass == $password) || ($pass_is_md5 == 1 && $login->user_login == $user_login && md5($login->user_pass) == $password)) { 
     99            if (($pass_is_md5 == 0 && $login->user_login == $user_login && $login->user_pass == $password) || ($pass_is_md5 == 1 && $login->user_login == $user_login && $login->user_pass == md5($password))) { 
    105100                return true; 
    106101            } else { 
    107                 $error = '<b>ERROR</b>: wrong login or password'; 
     102                $error = '<strong>Error</strong>: wrong login or password.'; 
    108103                $pwd = ''; 
    109104            return false; 
     
    127122        $user_pass = $pwd; 
    128123        setcookie('wordpressuser_'.$cookiehash, $user_login, time()+31536000); 
    129         if ($pass_is_md5) { 
    130             setcookie('wordpresspass_'.$cookiehash, $user_pass, time()+31536000); 
    131         } else { 
    132             setcookie('wordpresspass_'.$cookiehash, md5($user_pass), time()+31536000); 
    133         } 
     124        setcookie('wordpresspass_'.$cookiehash, md5($user_pass), time()+31536000); 
    134125        if (empty($HTTP_COOKIE_VARS['wordpressblogid_'.$cookiehash])) { 
    135126            setcookie('wordpressblogid_'.$cookiehash, 1,time()+31536000); 
     
    228219        echo "<p>The email was sent successfully to $user_login's email address.<br /> 
    229220        <a href='wp-login.php' title='Check your email first, of course'>Click here to login!</a></p>"; 
     221        // send a copy of password change notification to the admin 
     222        mail($admin_email, "[$blogname] Password Lost/Change", "Password Lost and Changed for user: $user_login"); 
    230223        die(); 
    231224    } 
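Review bot: The empty-password check on new line 84 can no longer fire, because line 77 replaces `$pwd` with `md5($pwd)` before `$password` is bound to it and md5('') is a non-empty hex string, so an empty submission now reaches the database query instead of returning early; move the hashing below the check, i.e. test `if (!$pwd)` first and only then `$pwd = md5($pwd); $password = &$pwd;`. New line 99 still branches on the global `$pass_is_md5`, which this function no longer assigns after the removal of lines 88-95, so the outcome depends on whatever value that global happens to hold; with a single storage format the test reduces to `if ($login->user_login == $user_login && $login->user_pass == $password)`. If the `$pwd` copied on line 122 is the value line 77 already hashed, the cookie on line 124 becomes md5(md5(password)) whereas wp-admin/profile.php line 79 stores md5(password), which is worth confirming on both sides. The function these lines belong to starts outside the hunk.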
  • trunk/wp-register.php

    r642 r850  
    9393        (user_login, user_pass, user_nickname, user_email, user_ip, user_domain, user_browser, dateYMDhour, user_level, user_idmode) 
    9494    VALUES  
    95         ('$user_login', '$pass1', '$user_nickname', '$user_email', '$user_ip', '$user_domain', '$user_browser', '$now', '$new_users_can_blog', 'nickname')"); 
     95        ('$user_login', MD5('$pass1'), '$user_nickname', '$user_email', '$user_ip', '$user_domain', '$user_browser', '$now', '$new_users_can_blog', 'nickname')"); 
    9696     
    9797    if ($result == false) { 