summaryrefslogtreecommitdiff
path: root/app/User.php
diff options
context:
space:
mode:
authorGreg Roach <fisharebest@gmail.com>2016-06-06 22:30:18 +0100
committerGreg Roach <fisharebest@gmail.com>2016-06-06 22:46:15 +0100
commit311729a43527b9581cc78de82d482360d1124273 (patch)
treefe7e032b5d5b402961a051efed3cdfdd1450fbe0 /app/User.php
parent76a701504b363fbd4094b1e5d6ee6742bd1385ff (diff)
downloadwebtrees-311729a43527b9581cc78de82d482360d1124273.tar.gz
webtrees-311729a43527b9581cc78de82d482360d1124273.tar.bz2
webtrees-311729a43527b9581cc78de82d482360d1124273.zip
Password hashing for PHP < 5.3.7
Diffstat (limited to 'app/User.php')
-rw-r--r--app/User.php58
1 files changed, 54 insertions, 4 deletions
diff --git a/app/User.php b/app/User.php
index 1e23c96956..1ca1debdd8 100644
--- a/app/User.php
+++ b/app/User.php
@@ -164,7 +164,7 @@ class User {
'user_name' => $user_name,
'real_name' => $real_name,
'email' => $email,
- 'password' => password_hash($password, PASSWORD_DEFAULT),
+ 'password' => self::passwordHash($password),
));
// Set default blocks for this user
@@ -318,8 +318,8 @@ class User {
"SELECT password FROM `##user` WHERE user_id = ?"
)->execute(array($this->user_id))->fetchOne();
- if (password_verify($password, $password_hash)) {
- if (password_needs_rehash($password_hash, PASSWORD_DEFAULT)) {
+ if ($this->passwordVerify($password, $password_hash)) {
+ if ($this->passwordNeedsRehash($password_hash)) {
$this->setPassword($password);
}
@@ -438,7 +438,7 @@ class User {
public function setPassword($password) {
Database::prepare(
"UPDATE `##user` SET password = ? WHERE user_id = ?"
- )->execute(array(password_hash($password, PASSWORD_DEFAULT), $this->user_id));
+ )->execute(array($this->passwordHash($password), $this->user_id));
return $this;
}
@@ -507,4 +507,54 @@ class User {
return $this;
}
+
+ /**
+ * The ircmaxell/password_compat implementation of the password_hash() function
+ * relies on an encryption library which is not secure in PHP < 5.3.7
+ *
+ * @return boolean
+ */
+ private static function isPhpCryptBroken() {
+ return PHP_VERSION_ID < 50307 && password_hash('foo', PASSWORD_DEFAULT) === false;
+ }
+
+ /**
+ * @param string $password
+ *
+ * @return string
+ */
+ private static function passwordHash($password) {
+ if (self::isPhpCryptBroken()) {
+ return crypt($password);
+ } else {
+ return password_hash($password, PASSWORD_DEFAULT);
+ }
+ }
+
+ /**
+ * @param string $hash
+ *
+ * @return bool
+ */
+ private static function passwordNeedsRehash($hash) {
+ if (self::isPhpCryptBroken()) {
+ return false;
+ } else {
+ return password_needs_rehash($hash, PASSWORD_DEFAULT);
+ }
+ }
+
+ /**
+ * @param string $password
+ * @param string $hash
+ *
+ * @return bool
+ */
+ private static function passwordVerify($password, $hash) {
+ if (self::isPhpCryptBroken()) {
+ return crypt($password, $hash) === $hash;
+ } else {
+ return password_verify($password, $hash);
+ }
+ }
}