diff --git a/lam/lib/config.inc b/lam/lib/config.inc index a03ba3d3..21a2324d 100644 --- a/lam/lib/config.inc +++ b/lam/lib/config.inc @@ -170,7 +170,7 @@ class LAMConfig { var $Admins; /** Password to edit preferences */ - var $Passwd; + private $Passwd; /** LDAP suffix for tree view */ var $treesuffix; @@ -846,7 +846,7 @@ class LAMCfgMain { public $default; /** Password to change config.cfg */ - public $password; + private $password; /** Time of inactivity before session times out (minutes) */ public $sessionTimeout; @@ -952,6 +952,50 @@ class LAMCfgMain { exit; } } + + /** + * Sets a new config password. + * + * @param String $password new password + */ + public function setPassword($password) { + mt_srand((microtime() * 1000000)); + $rand = mt_rand(); + $salt0 = substr(pack("h*", md5($rand)), 0, 8); + $salt = substr(pack("H*", sha1($salt0 . $password)), 0, 4); + $this->password = $this->hashPassword($password, $salt); + } + + /** + * Checks if the given password matches. + * + * @param String $password password + * @return boolean true, if password matches + */ + public function checkPassword($password) { + if (substr($this->password, 0, 6) == "{SSHA}") { + // check hashed password + $value = substr($this->password, 6); + $parts = explode(" ", $value); + $salt = base64_decode($parts[1]); + return ($this->hashPassword($password, $salt) === $this->password); + } + else { + // old nonhashed password + return ($password === $this->password); + } + } + + /** + * Returns the hashed password. + * + * @param String $password password + * @param String $salt salt + * @return String hash value + */ + private function hashPassword($password, $salt) { + return "{SSHA}" . base64_encode(hex2bin(sha1($password . $salt))) . " " . base64_encode($salt); + } } diff --git a/lam/templates/config/mainlogin.php b/lam/templates/config/mainlogin.php index 9ced5c15..b120b71f 100644 --- a/lam/templates/config/mainlogin.php +++ b/lam/templates/config/mainlogin.php 
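Review bot: The first hunk makes LAMConfig::$Passwd private, but no accessor for that class appears anywhere in this diff, so any template still reading `$config->Passwd` directly will now fatal with a visibility error. Presumably LAMConfig already exposes the password through methods, which would make this hunk safe; if it does not, a pair of methods mirroring the setPassword/checkPassword added to LAMCfgMain in the third hunk would be needed before the property can be closed off. The enclosing class runs well beyond this hunk in both directions.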
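Review bot: The salt in setPassword comes from mt_rand() seeded with microtime(), which is not a cryptographic source, and only 4 bytes of it survive after the md5/sha1 folding; where the supported PHP version has it, `$salt = random_bytes(8);` (or openssl_random_pseudo_bytes) replaces the four mt_srand/mt_rand/pack lines with a properly random salt that is no longer derived from the password itself. In checkPassword the comparison `$this->hashPassword($password, $salt) === $this->password` is a plain string compare; `return hash_equals($this->password, $this->hashPassword($password, $salt));` avoids leaking the matching prefix length through timing if hash_equals() is available. checkPassword also reads `$parts[1]` without confirming the stored value contained a space, so a malformed config.cfg entry produces a PHP notice and a null salt instead of a clean false; a guard such as `if (count($parts) < 2) { return false; }` after the explode closes that. A single salted SHA-1 round is cheap to brute-force for a master password, so a password_hash()/password_verify() based format would be the stronger long-term choice, with the "{SSHA}" branch kept only for migrating existing values.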
@@ -47,7 +47,7 @@ if (isset($_SESSION["mainconf_password"])) unset($_SESSION["mainconf_password"]) // check if user entered a password if (isset($_POST['passwd'])) { $cfgMain = new LAMCfgMain(); - if (isset($_POST['passwd']) && ($_POST['passwd'] == $cfgMain->password)) { + if (isset($_POST['passwd']) && ($cfgMain->checkPassword($_POST['passwd']))) { $_SESSION["mainconf_password"] = $_POST['passwd']; metaRefresh("mainmanage.php"); exit(); diff --git a/lam/templates/config/mainmanage.php b/lam/templates/config/mainmanage.php index 2919a6d9..ceb9ddc6 100644 --- a/lam/templates/config/mainmanage.php +++ b/lam/templates/config/mainmanage.php @@ -44,7 +44,7 @@ setlanguage(); $cfg = new LAMCfgMain(); // check if user is logged in -if (!isset($_SESSION["mainconf_password"]) || ($_SESSION["mainconf_password"] != $cfg->password)) { +if (!isset($_SESSION["mainconf_password"]) || (!$cfg->checkPassword($_SESSION["mainconf_password"]))) { require('mainlogin.php'); exit(); } @@ -81,7 +81,7 @@ if ($_POST['submit']) { // set master password if (isset($_POST['masterpassword']) && ($_POST['masterpassword'] != "")) { if ($_POST['masterpassword'] && $_POST['masterpassword2'] && ($_POST['masterpassword'] == $_POST['masterpassword2'])) { - $cfg->password = $_POST['masterpassword']; + $cfg->setPassword($_POST['masterpassword']); $msg = _("New master password set successfully."); unset($_SESSION["mainconf_password"]); } diff --git a/lam/templates/config/profmanage.php b/lam/templates/config/profmanage.php index 0351f056..4f81f3a4 100644 --- a/lam/templates/config/profmanage.php +++ b/lam/templates/config/profmanage.php @@ -64,7 +64,7 @@ $cfg = new LAMCfgMain(); // check if submit button was pressed if ($_POST['submit']) { // check master password - if ($cfg->password != $_POST['passwd']) { + if (!$cfg->checkPassword($_POST['passwd'])) { $error = _("Master password is wrong!"); } // add new profile 
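Review bot: After the new checkPassword call succeeds, mainlogin.php still stores the cleartext master password in `$_SESSION["mainconf_password"]`, and the mainmanage.php hunk re-verifies that cleartext on every request, so the hashing added in config.inc does not keep the secret out of session storage (commonly files on disk). Setting a marker such as `$_SESSION["mainconf_authenticated"] = true;` after a successful check, testing that in mainmanage.php, and clearing it where mainmanage.php currently unsets the password after setPassword would remove the cleartext copy entirely. The inner `isset($_POST['passwd'])` in mainlogin.php repeats the condition of the enclosing block and can be dropped. Both mainlogin.php and profmanage.php now hand raw $_POST values to checkPassword, which feeds them to sha1(); a non-string value (an array parameter) will emit a warning there, so an `is_string()` check before the call is worthwhile, and profmanage.php's `$_POST['passwd']` additionally lacks an isset guard (pre-existing, but now reaching hashing code).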
@@ -134,7 +134,7 @@ if ($_POST['submit']) { // check if config.cfg is valid -if (!isset($cfg->default) && !isset($cfg->password)) { +if (!isset($cfg->default)) { StatusMessage("ERROR", _("Please set up your master configuration file (config/config.cfg) first!"), ""); echo "\n\n"; die(); diff --git a/lam/tests/conf-main-test.php b/lam/tests/conf-main-test.php index 9e246f98..3e6666db 100644 --- a/lam/tests/conf-main-test.php +++ b/lam/tests/conf-main-test.php @@ -35,36 +35,34 @@ include ("../lib/config.inc"); $conf = new LAMCfgMain(); echo ""; echo (" Current Values

"); -echo "Password: " . $conf->password . "
\n"; echo "Default: " . $conf->default . "
\n"; echo ("

Starting Test...

"); // now all prferences are loaded echo ("Loading preferences..."); -$password = $conf->password; +$password = 'lam'; $default = $conf->default; echo ("done
"); // next we modify them and save config.cfg echo ("Changing preferences..."); -$conf->password = "123456"; +$conf->setPassword("123456"); $conf->default = "lam"; $conf->save(); echo ("done
"); // at last all preferences are read from config.cfg and compared echo ("Loading and comparing..."); $conf = new LAMCfgMain(); -if ($conf->password != "123456") echo ("
Saving password failed!
"); +if (!$conf->checkPassword("123456")) echo ("
Saving password failed!
"); if ($conf->default != "lam") echo ("
Saving Default failed!
"); echo ("done
"); // restore old values echo ("Restoring old preferences..."); -$conf->password = $password; +$conf->setPassword($password); $conf->default = $default; $conf->save(); echo ("done
"); // finished echo ("
Test is complete."); echo ("

Current Config

"); -echo "Password: " . $conf->password . "
\n"; echo "Default: " . $conf->default . "
\n"; ?>
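Review bot: The "restore old values" step now calls `$conf->setPassword($password)` with `$password = 'lam'`, a constant chosen because the old hash can no longer be read through the private property, so running this script overwrites whatever master password was in config.cfg with 'lam' instead of restoring it. Since LAMCfgMain no longer exposes the stored value, the script should back up the config file before the test and copy it back afterwards, or at minimum say in the comment above that line that the master password is reset to 'lam' rather than restored. The start of this test script lies before the hunk, so whether an earlier comment already warns about this cannot be seen here.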