ease the migration process for the previous security patch (by introducing another migration); restore php 5.4 compatibility (introducing a polyfill system)
parent
2caad90755
commit
7c3126866c
@ -18,6 +18,8 @@ require_once 'inc/template.php';
|
|||||||
require_once 'inc/database.php';
|
require_once 'inc/database.php';
|
||||||
require_once 'inc/events.php';
|
require_once 'inc/events.php';
|
||||||
require_once 'inc/api.php';
|
require_once 'inc/api.php';
|
||||||
|
require_once 'inc/polyfill.php';
|
||||||
|
|
||||||
if (!extension_loaded('gettext')) {
|
if (!extension_loaded('gettext')) {
|
||||||
require_once 'inc/lib/gettext/gettext.inc';
|
require_once 'inc/lib/gettext/gettext.inc';
|
||||||
}
|
}
|
||||||
|
@ -76,20 +76,20 @@ function generate_salt() {
|
|||||||
function login($username, $password) {
|
function login($username, $password) {
|
||||||
global $mod, $config;
|
global $mod, $config;
|
||||||
|
|
||||||
$query = prepare("SELECT `id`, `type`, `boards`, `password`, `salt` FROM ``mods`` WHERE `username` = :username");
|
$query = prepare("SELECT `id`, `type`, `boards`, `password`, `version` FROM ``mods`` WHERE `username` = :username");
|
||||||
$query->bindValue(':username', $username);
|
$query->bindValue(':username', $username);
|
||||||
$query->execute() or error(db_error($query));
|
$query->execute() or error(db_error($query));
|
||||||
|
|
||||||
if ($user = $query->fetch(PDO::FETCH_ASSOC)) {
|
if ($user = $query->fetch(PDO::FETCH_ASSOC)) {
|
||||||
list($version, $ok) = test_password($user['password'], $user['salt'], $password);
|
list($version, $ok) = test_password($user['password'], $user['version'], $password);
|
||||||
|
|
||||||
if ($ok) {
|
if ($ok) {
|
||||||
if ($config['password_crypt_version'] > $version) {
|
if ($config['password_crypt_version'] > $version) {
|
||||||
// It's time to upgrade the password hashing method!
|
// It's time to upgrade the password hashing method!
|
||||||
list ($user['salt'], $user['password']) = crypt_password($password);
|
list ($user['version'], $user['password']) = crypt_password($password);
|
||||||
$query = prepare("UPDATE ``mods`` SET `password` = :password, `salt` = :salt WHERE `id` = :id");
|
$query = prepare("UPDATE ``mods`` SET `password` = :password, `version` = :version WHERE `id` = :id");
|
||||||
$query->bindValue(':password', $user['password']);
|
$query->bindValue(':password', $user['password']);
|
||||||
$query->bindValue(':salt', $user['salt']);
|
$query->bindValue(':version', $user['version']);
|
||||||
$query->bindValue(':id', $user['id']);
|
$query->bindValue(':id', $user['id']);
|
||||||
$query->execute() or error(db_error($query));
|
$query->execute() or error(db_error($query));
|
||||||
}
|
}
|
||||||
|
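Review bot: After this rename the `version` column carries two meanings, and nothing in `login()` says so. The migration in this commit only renames the column, so a row written before the upgrade still holds its old salt there, and this hunk passes that value to `test_password()` as if it were a scheme version; `test_password()` is not visible here, so it is worth confirming that it distinguishes the two. I would add a comment above the call, e.g. `// "version" still holds the legacy salt for rows not yet rehashed; test_password() must accept both`. Since the rehash only runs after a successful login, accounts that never log in keep their old-format hash, which is worth stating in the upgrade notes. `login()` continues past the end of the hunk.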
@ -1734,12 +1734,12 @@ function mod_user($uid) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
if ($_POST['password'] != '') {
|
if ($_POST['password'] != '') {
|
||||||
list($salt, $password) = crypt_password($_POST['password']);
|
list($version, $password) = crypt_password($_POST['password']);
|
||||||
|
|
||||||
$query = prepare('UPDATE ``mods`` SET `password` = :password, `salt` = :salt WHERE `id` = :id');
|
$query = prepare('UPDATE ``mods`` SET `password` = :password, `version` = :version WHERE `id` = :id');
|
||||||
$query->bindValue(':id', $uid);
|
$query->bindValue(':id', $uid);
|
||||||
$query->bindValue(':password', $password);
|
$query->bindValue(':password', $password);
|
||||||
$query->bindValue(':salt', $salt);
|
$query->bindValue(':version', $version);
|
||||||
$query->execute() or error(db_error($query));
|
$query->execute() or error(db_error($query));
|
||||||
|
|
||||||
modLog('Changed password for ' . utf8tohtml($_POST['username']) . ' <small>(#' . $user['id'] . ')</small>');
|
modLog('Changed password for ' . utf8tohtml($_POST['username']) . ' <small>(#' . $user['id'] . ')</small>');
|
||||||
@ -1760,12 +1760,12 @@ function mod_user($uid) {
|
|||||||
|
|
||||||
if (hasPermission($config['mod']['change_password']) && $uid == $mod['id'] && isset($_POST['password'])) {
|
if (hasPermission($config['mod']['change_password']) && $uid == $mod['id'] && isset($_POST['password'])) {
|
||||||
if ($_POST['password'] != '') {
|
if ($_POST['password'] != '') {
|
||||||
list($salt, $password) = crypt_password($_POST['password']);
|
list($version, $password) = crypt_password($_POST['password']);
|
||||||
|
|
||||||
$query = prepare('UPDATE ``mods`` SET `password` = :password, `salt` = :salt WHERE `id` = :id');
|
$query = prepare('UPDATE ``mods`` SET `password` = :password, `version` = :version WHERE `id` = :id');
|
||||||
$query->bindValue(':id', $uid);
|
$query->bindValue(':id', $uid);
|
||||||
$query->bindValue(':password', $password);
|
$query->bindValue(':password', $password);
|
||||||
$query->bindValue(':salt', $salt);
|
$query->bindValue(':version', $version);
|
||||||
$query->execute() or error(db_error($query));
|
$query->execute() or error(db_error($query));
|
||||||
|
|
||||||
modLog('Changed own password');
|
modLog('Changed own password');
|
||||||
@ -1832,12 +1832,12 @@ function mod_user_new() {
|
|||||||
if (!isset($config['mod']['groups'][$type]) || $type == DISABLED)
|
if (!isset($config['mod']['groups'][$type]) || $type == DISABLED)
|
||||||
error(sprintf($config['error']['invalidfield'], 'type'));
|
error(sprintf($config['error']['invalidfield'], 'type'));
|
||||||
|
|
||||||
list($salt, $password) = crypt_password($_POST['password']);
|
list($version, $password) = crypt_password($_POST['password']);
|
||||||
|
|
||||||
$query = prepare('INSERT INTO ``mods`` VALUES (NULL, :username, :password, :salt, :type, :boards)');
|
$query = prepare('INSERT INTO ``mods`` VALUES (NULL, :username, :password, :version, :type, :boards)');
|
||||||
$query->bindValue(':username', $_POST['username']);
|
$query->bindValue(':username', $_POST['username']);
|
||||||
$query->bindValue(':password', $password);
|
$query->bindValue(':password', $password);
|
||||||
$query->bindValue(':salt', $salt);
|
$query->bindValue(':version', $version);
|
||||||
$query->bindValue(':type', $type);
|
$query->bindValue(':type', $type);
|
||||||
$query->bindValue(':boards', implode(',', $boards));
|
$query->bindValue(':boards', implode(',', $boards));
|
||||||
$query->execute() or error(db_error($query));
|
$query->execute() or error(db_error($query));
|
||||||
|
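Review bot: The `INSERT INTO ... VALUES (NULL, :username, :password, :version, :type, :boards)` statement depends on the physical column order of `mods`, which is fragile in a commit that itself changes that table's schema. Adding an explicit column list `(username, password, version, type, boards)` before `VALUES` and dropping the leading `NULL` makes the statement independent of column order and of later additions. No empty-password check is visible before `crypt_password($_POST['password'])` in this hunk, unlike the `!= ''` guard in the two `mod_user()` hunks; `mod_user_new()` starts and ends outside the hunk, so this may already be validated earlier and should be confirmed.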
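--- a/inc/polyfill.php
+++ b/inc/polyfill.php
@@ -0,0 +1,28 @@
+<?php
+
+// PHP 5.4
+
+if (!function_exists('hex2bin')) {
+function hex2bin($data) {
+return pack("H*" , $hex_string);
+}
+}
+
+// PHP 5.6
+
+if (!function_exists('hash_equals')) {
+function hash_equals($ours, $theirs) {
+$ours = (string)$ours;
+$theirs = (string)$theirs;
+
+$tlen = strlen($theirs);
+$olen = strlen($ours);
+
+$answer = 0;
+for ($i = 0; $i < $tlen; $i++) {
+$answer |= ord($ours[$olen > $i ? $i : 0]) ^ ord($theirs[$i]);
+}
+
+return $answer === 0 && $olen === $tlen;
+}
+}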
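Review bot: The `hex2bin` polyfill reads `$hex_string`, which is never defined; the parameter is named `$data`, so on a PHP build without the native function `pack()` receives null and the shim returns an empty string for every input, along with an undefined-variable notice. Any caller that decodes a hex-encoded salt or key through this shim would silently continue with empty bytes instead of failing. The return line should be `return pack("H*", $data);`. Separately, in `hash_equals` the expression `$ours[$olen > $i ? $i : 0]` reads offset 0 of an empty string when `$ours` is empty, which raises a notice; the result is still false because of the `$olen === $tlen` check.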
@ -1,7 +1,7 @@
|
|||||||
<?php
|
<?php
|
||||||
|
|
||||||
// Installation/upgrade file
|
// Installation/upgrade file
|
||||||
define('VERSION', '5.0.0');
|
define('VERSION', '5.0.1');
|
||||||
|
|
||||||
require 'inc/functions.php';
|
require 'inc/functions.php';
|
||||||
|
|
||||||
@ -556,6 +556,8 @@ if (file_exists($config['has_installed'])) {
|
|||||||
case '4.9.93':
|
case '4.9.93':
|
||||||
query('ALTER TABLE ``mods`` CHANGE `password` `password` VARCHAR(255) NOT NULL;') or error(db_error());
|
query('ALTER TABLE ``mods`` CHANGE `password` `password` VARCHAR(255) NOT NULL;') or error(db_error());
|
||||||
query('ALTER TABLE ``mods`` CHANGE `salt` `salt` VARCHAR(64) NOT NULL;') or error(db_error());
|
query('ALTER TABLE ``mods`` CHANGE `salt` `salt` VARCHAR(64) NOT NULL;') or error(db_error());
|
||||||
|
case '5.0.0':
|
||||||
|
query('ALTER TABLE ``mods`` CHANGE `salt` `version` VARCHAR(64) NOT NULL;') or error(db_error());
|
||||||
case false:
|
case false:
|
||||||
// TODO: enhance Tinyboard -> vichan upgrade path.
|
// TODO: enhance Tinyboard -> vichan upgrade path.
|
||||||
query("CREATE TABLE IF NOT EXISTS ``search_queries`` ( `ip` varchar(39) NOT NULL, `time` int(11) NOT NULL, `query` text NOT NULL) ENGINE=MyISAM DEFAULT CHARSET=utf8;") or error(db_error());
|
query("CREATE TABLE IF NOT EXISTS ``search_queries`` ( `ip` varchar(39) NOT NULL, `time` int(11) NOT NULL, `query` text NOT NULL) ENGINE=MyISAM DEFAULT CHARSET=utf8;") or error(db_error());
|
||||||
|
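Review bot: The new `case '5.0.0'` migration redefines the column as `VARCHAR(64) NOT NULL` with no character set, while the fresh-install schema on this page declares `version` as `varchar(64) CHARACTER SET ascii NOT NULL`. `CHANGE` replaces the column definition as written, so upgraded installs would presumably take the table's default character set and drift from fresh ones; adding `CHARACTER SET ascii` to the `ALTER TABLE` keeps both paths identical. A short comment on `case '4.9.93'` saying that it deliberately falls through into `case '5.0.0'` would also help, since no `break` separates them. The enclosing `switch` starts and ends outside the hunk.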
@ -132,7 +132,7 @@ CREATE TABLE IF NOT EXISTS `mods` (
|
|||||||
`id` smallint(6) unsigned NOT NULL AUTO_INCREMENT,
|
`id` smallint(6) unsigned NOT NULL AUTO_INCREMENT,
|
||||||
`username` varchar(30) NOT NULL,
|
`username` varchar(30) NOT NULL,
|
||||||
`password` varchar(256) CHARACTER SET ascii NOT NULL COMMENT 'SHA256',
|
`password` varchar(256) CHARACTER SET ascii NOT NULL COMMENT 'SHA256',
|
||||||
`salt` varchar(64) CHARACTER SET ascii NOT NULL,
|
`version` varchar(64) CHARACTER SET ascii NOT NULL,
|
||||||
`type` smallint(2) NOT NULL,
|
`type` smallint(2) NOT NULL,
|
||||||
`boards` text CHARACTER SET utf8 NOT NULL,
|
`boards` text CHARACTER SET utf8 NOT NULL,
|
||||||
PRIMARY KEY (`id`),
|
PRIMARY KEY (`id`),
|
||||||
|