Make WordPress Core

Changeset 850


Ignore:
Timestamp:
02/09/2004 09:56:57 AM (21 years ago)
Author:
saxmatt
Message:

MD5 passwords, including code from Robert Hartman and John Gray.

Location:
trunk
Files:
6 edited

Legend:

Unmodified
Added
Removed
  • trunk/wp-admin/auth.php

    r601 r850  
    33require_once('../wp-config.php');
    44
    5 /* checking login & pass in the database */
     5/* Checking login & pass in the database */
    66function veriflog() {
    77    global $HTTP_COOKIE_VARS,$cookiehash;
     
    3232    }
    3333}
    34 //if ( $user_login!="" && $user_pass!="" && $id_session!="" && $adresse_ip==$REMOTE_ADDR) {
    35 //  if ( !(veriflog()) AND !(verifcookielog()) ) {
    36     if (!(veriflog())) {
    37         header('Expires: Wed, 11 Jan 1984 05:00:00 GMT');
    38         header('Last-Modified: ' . gmdate('D, d M Y H:i:s') . ' GMT');
    39         header('Cache-Control: no-cache, must-revalidate');
    40         header('Pragma: no-cache');
    41         if (!empty($HTTP_COOKIE_VARS["wordpressuser_".$cookiehash])) {
    42             $error="<strong>Error</strong>: wrong login or password";
    43         }
    44         $redir = "Location: $siteurl/wp-login.php?redirect_to=" . urlencode($HTTP_SERVER_VARS["REQUEST_URI"]);
    45         header($redir);
    46         exit();
     34
     35if ( !veriflog() ) {
     36    header('Expires: Wed, 11 Jan 1984 05:00:00 GMT');
     37    header('Last-Modified: ' . gmdate('D, d M Y H:i:s') . ' GMT');
     38    header('Cache-Control: no-cache, must-revalidate');
     39    header('Pragma: no-cache');
     40    if (!empty($HTTP_COOKIE_VARS["wordpressuser_".$cookiehash])) {
     41        $error="<strong>Error</strong>: wrong login or password.";
    4742    }
    48 //}
     43    $redir = "Location: $siteurl/wp-login.php?redirect_to=" . urlencode($HTTP_SERVER_VARS["REQUEST_URI"]);
     44    header($redir);
     45    exit();
     46}
     47
    4948?>
  • trunk/wp-admin/profile.php

    r818 r850  
    7676            die ("<strong>ERROR</strong>: you typed two different passwords. Go back to correct that.");
    7777        $newuser_pass = $HTTP_POST_VARS["pass1"];
    78         $updatepassword = "user_pass='$newuser_pass', ";
     78        $updatepassword = "user_pass=MD5('$newuser_pass'), ";
    7979        setcookie("wordpresspass_".$cookiehash,md5($newuser_pass),time()+31536000);
    8080    }
     
    345345
    346346/* </Profile | My Profile> */
    347 include('admin-footer.php') ?>
     347include('admin-footer.php');
     348 ?>
  • trunk/wp-admin/upgrade-functions.php

    r821 r850  
    680680    maybe_add_column($tableusers, 'user_status', "ALTER TABLE `$tableusers` ADD `user_status` INT DEFAULT '0' NOT NULL ;");
    681681    $wpdb->query("ALTER TABLE `$tableposts` CHANGE `comment_status` `comment_status` ENUM( 'open', 'closed', 'registered_only' ) DEFAULT 'open' NOT NULL");
    682    
     682
     683    // Convert passwords to MD5 and update table appropiately
     684    $query = 'DESCRIBE wp_users user_pass';
     685    $res = $wpdb->get_results($query);
     686    if ($res[0]['Type'] != 'varchar(32)') {
     687        $wpdb->query('ALTER TABLE wp_users MODIFY user_pass varchar(64) not null');
     688    }
     689   
     690    $query = 'SELECT ID, user_pass from wp_users';
     691    foreach ($wpdb->get_results($query) as $row) {
     692        if (!preg_match('/^[A-Fa-f0-9]{32}$/', $row->user_pass)) {
     693               $wpdb->query('UPDATE wp_users SET user_pass = MD5(\''.$row->user_pass.'\') WHERE ID = \''.$row->ID.'\'');
     694        }
     695    }
    683696}
    684697
  • trunk/wp-admin/users.php

    r783 r850  
    7474        (user_login, user_pass, user_nickname, user_email, user_ip, user_domain, user_browser, dateYMDhour, user_level, user_idmode, user_firstname, user_lastname)
    7575    VALUES
    76         ('$user_login', '$pass1', '$user_nickname', '$user_email', '$user_ip', '$user_domain', '$user_browser', '$now', '$new_users_can_blog', 'nickname', '$user_firstname', '$user_lastname')");
     76        ('$user_login', MD5('$pass1'), '$user_nickname', '$user_email', '$user_ip', '$user_domain', '$user_browser', '$now', '$new_users_can_blog', 'nickname', '$user_firstname', '$user_lastname')");
    7777   
    7878    if ($result == false) {
  • trunk/wp-login.php

    r820 r850  
    6060
    6161    if(!empty($HTTP_POST_VARS)) {
    62         $log = $HTTP_POST_VARS["log"];
    63         $pwd = $HTTP_POST_VARS["pwd"];
    64         $redirect_to = $HTTP_POST_VARS["redirect_to"];
     62        $log = $HTTP_POST_VARS['log'];
     63        $pwd = $HTTP_POST_VARS['pwd'];
     64        $redirect_to = $HTTP_POST_VARS['redirect_to'];
    6565    }
    6666   
     
    7575        global $tableusers, $pass_is_md5;
    7676        $user_login = &$log;
     77        $pwd = md5($pwd);
    7778        $password = &$pwd;
    7879        if (!$user_login) {
    79             $error="<strong>ERROR</strong>: the login field is empty";
     80            $error = '<strong>Error</strong>: the login field is empty.';
    8081            return false;
    8182        }
    8283
    8384        if (!$password) {
    84             $error="<strong>ERROR</strong>: the password field is empty";
    85             return false;
    86         }
    87 
    88         if ('md5:' == substr($password, 0, 4)) {
    89             $pass_is_md5 = 1;
    90             $password = substr($password, 4, strlen($password));
    91             $query = "SELECT ID, user_login, user_pass FROM $tableusers WHERE user_login = '$user_login' AND MD5(user_pass) = '$password'";
    92         } else {
    93             $pass_is_md5 = 0;
    94             $query = "SELECT ID, user_login, user_pass FROM $tableusers WHERE user_login = '$user_login' AND user_pass = '$password'";
    95         }
     85            $error = '<strong>Error</strong>: the password field is empty.';
     86            return false;
     87        }
     88
     89        $query = "SELECT ID, user_login, user_pass FROM $tableusers WHERE user_login = '$user_login' AND user_pass = '$password'";
     90   
    9691        $login = $wpdb->get_row($query);
    9792
    9893        if (!$login) {
    99             $error = '<b>ERROR</b>: wrong login or password';
     94            $error = '<strong>Error</strong>: wrong login or password.';
    10095            $pwd = '';
    10196            return false;
    10297        } else {
    10398        $user_ID = $login->ID;
    104             if (($pass_is_md5 == 0 && $login->user_login == $user_login && $login->user_pass == $password) || ($pass_is_md5 == 1 && $login->user_login == $user_login && md5($login->user_pass) == $password)) {
     99            if (($pass_is_md5 == 0 && $login->user_login == $user_login && $login->user_pass == $password) || ($pass_is_md5 == 1 && $login->user_login == $user_login && $login->user_pass == md5($password))) {
    105100                return true;
    106101            } else {
    107                 $error = '<b>ERROR</b>: wrong login or password';
     102                $error = '<strong>Error</strong>: wrong login or password.';
    108103                $pwd = '';
    109104            return false;
     
    127122        $user_pass = $pwd;
    128123        setcookie('wordpressuser_'.$cookiehash, $user_login, time()+31536000);
    129         if ($pass_is_md5) {
    130             setcookie('wordpresspass_'.$cookiehash, $user_pass, time()+31536000);
    131         } else {
    132             setcookie('wordpresspass_'.$cookiehash, md5($user_pass), time()+31536000);
    133         }
     124        setcookie('wordpresspass_'.$cookiehash, md5($user_pass), time()+31536000);
    134125        if (empty($HTTP_COOKIE_VARS['wordpressblogid_'.$cookiehash])) {
    135126            setcookie('wordpressblogid_'.$cookiehash, 1,time()+31536000);
     
    228219        echo "<p>The email was sent successfully to $user_login's email address.<br />
    229220        <a href='wp-login.php' title='Check your email first, of course'>Click here to login!</a></p>";
     221        // send a copy of password change notification to the admin
     222        mail($admin_email, "[$blogname] Password Lost/Change", "Password Lost and Changed for user: $user_login");
    230223        die();
    231224    }
  • trunk/wp-register.php

    r642 r850  
    9393        (user_login, user_pass, user_nickname, user_email, user_ip, user_domain, user_browser, dateYMDhour, user_level, user_idmode)
    9494    VALUES
    95         ('$user_login', '$pass1', '$user_nickname', '$user_email', '$user_ip', '$user_domain', '$user_browser', '$now', '$new_users_can_blog', 'nickname')");
     95        ('$user_login', MD5('$pass1'), '$user_nickname', '$user_email', '$user_ip', '$user_domain', '$user_browser', '$now', '$new_users_can_blog', 'nickname')");
    9696   
    9797    if ($result == false) {
Note: See TracChangeset for help on using the changeset viewer.