Empty commit

This commit is contained in:
Git 2012-09-22 08:00:24 +00:00
parent 0d916b01d7
commit 44eae4c414
7 changed files with 95 additions and 20 deletions


@ -54,6 +54,7 @@ if (!empty($_SERVER['SERVER_PORT']) && $_SERVER['SERVER_PORT'] == 80) {
} }
// Site settings // Site settings
define('CRYPT_HASH_PREFIX', '$2y$07$'); // Crypt salt prefix for hash settings. See http://php.net/crypt for details
define('DEBUG_MODE', false); //Set to false if you dont want everyone to see debug information, can be overriden with 'site_debug' define('DEBUG_MODE', false); //Set to false if you dont want everyone to see debug information, can be overriden with 'site_debug'
define('OPEN_REGISTRATION', true); //Set to false to disable open regirstration, true to allow anyone to register define('OPEN_REGISTRATION', true); //Set to false to disable open regirstration, true to allow anyone to register
define('USER_LIMIT', 5000); //The maximum number of users the site can have, 0 for no limit define('USER_LIMIT', 5000); //The maximum number of users the site can have, 0 for no limit
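Review bot: The cost factor in `'$2y$07$'` on L14 sets bcrypt to 2^7 rounds, which is at the low end of the scale even for the hardware of the time; cost 10 or higher is the usual baseline, and since `gen_crypt_salt()` only appends the salt after this prefix the value can be raised without touching other code, `define('CRYPT_HASH_PREFIX', '$2y$10$');`. Existing hashes carry their own cost inside the stored string, so old logins keep verifying and only newly created hashes pay the higher cost. The comment should also state that the `$2y$` identifier needs a PHP build that supports it (5.3.7 or later), because on older builds crypt() does not return a usable hash for this prefix, e.g. `// bcrypt prefix: "$2y$" requires PHP >= 5.3.7; the two digits are the cost (2^N rounds)`.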


@ -16,7 +16,7 @@
if(isset($_REQUEST['info_hash']) && isset($_REQUEST['peer_id'])) { die('d14:failure reason40:Invalid .torrent, try downloading again.e'); } if(isset($_REQUEST['info_hash']) && isset($_REQUEST['peer_id'])) { die('d14:failure reason40:Invalid .torrent, try downloading again.e'); }
require(SERVER_ROOT.'/classes/class_proxies.php'); require(SERVER_ROOT.'/classes/class_proxies.php');
if (!empty($_SERVER['HTTP_X_FORWARDED_FOR']) && proxyCheck($_SERVER['REMOTE_ADDR'])) { if (!empty($_SERVER['HTTP_X_FORWARDED_FOR']) && proxyCheck($_SERVER['REMOTE_ADDR']) && filter_var($_SERVER['HTTP_X_FORWARDED_FOR'], FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE)) {
$_SERVER['REMOTE_ADDR'] = $_SERVER['HTTP_X_FORWARDED_FOR']; $_SERVER['REMOTE_ADDR'] = $_SERVER['HTTP_X_FORWARDED_FOR'];
} }
@ -1185,11 +1185,87 @@ function make_secret($Length = 32) {
} }
*/ */
// Password hashes, feel free to make your own algorithm here /**
* Create a password hash. This method is deprecated and
* should not be used to create new passwords
*
* @param $Str password
* @param $Secret salt
* @return password hash
*/
function make_hash($Str,$Secret) { function make_hash($Str,$Secret) {
return sha1(md5($Secret).$Str.sha1($Secret).SITE_SALT); return sha1(md5($Secret).$Str.sha1($Secret).SITE_SALT);
} }
/**
* Verify a password against a password hash
*
* @param $Password password
* @param $Hash password hash
* @param $Secret salt - Only used if the hash was created
* with the deprecated make_hash() method
* @return true on correct password
*/
function check_password($Password, $Hash, $Secret='') {
if(!$Password || !$Hash) {
return false;
}
if(is_crypt_hash($Hash)) {
return crypt($Password, $Hash) == $Hash;
} elseif($Secret) {
return make_hash($Password, $Secret) == $Hash;
}
return false;
}
/**
* Test if a given hash is a crypt hash
*
* @param $Hash password hash
* @return true if hash is a crypt hash
*/
function is_crypt_hash($Hash) {
return preg_match('/\$\d[axy]?\$/', substr($Hash, 0, 4));
}
/**
* Create salted crypt hash for a given string with
* settings specified in CRYPT_HASH_PREFIX
*
* @param $Str string to hash
* @return salted crypt hash
*/
function make_crypt_hash($Str) {
$Salt = CRYPT_HASH_PREFIX.gen_crypt_salt().'$';
return crypt($Str, $Salt);
}
/**
* Create salt string for eksblowfish hashing. If /dev/urandom cannot be read,
* fall back to an unsecure method based on mt_rand(). The last character needs
* a special case as it must be either '.', 'O', 'e', or 'u'.
*
* @return salt suitable for eksblowfish hashing
*/
function gen_crypt_salt() {
$Salt = '';
$Chars = "./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
$Numchars = strlen($Chars) - 1;
if($Handle = @fopen('/dev/urandom', 'r')) {
$Bytes = fread($Handle, 22);
for($i = 0; $i < 21; $i++) {
$Salt .= $Chars[ord($Bytes[$i]) & $Numchars];
}
$Salt[$i] = $Chars[(ord($Bytes[$i]) & 3) << 4];
} else {
for($i = 0; $i < 21; $i++) {
$Salt .= $Chars[mt_rand(0, $Numchars)];
}
$Salt[$i] = $Chars[mt_rand(0, 3) << 4];
}
return $Salt;
}
/* /*
Returns a username string for display Returns a username string for display
$Class and $Title can be omitted for an abbreviated version $Class and $Title can be omitted for an abbreviated version
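Review bot: `make_crypt_hash()` on L77-L80 stores whatever crypt() returns without checking it, so on a build without `$2y$` support, or with a malformed salt, crypt()'s short failure string would be written to `PassHash` by every caller in this commit; verify the result before returning it, `$Hash = crypt($Str, $Salt); if (substr($Hash, 0, strlen(CRYPT_HASH_PREFIX)) !== CRYPT_HASH_PREFIX) { trigger_error('crypt() failed', E_USER_ERROR); }`. In `gen_crypt_salt()` (L92-L97) the fread() result is never length-checked, so a short read leaves `$Bytes[$i]` undefined for the missing offsets and `ord('')` is 0, silently degrading part of the salt to a fixed character; test `strlen($Bytes) === 22` and fall through to the fallback branch otherwise, and consider `openssl_random_pseudo_bytes()` ahead of the mt_rand() fallback where the extension is loaded. `check_password()` compares hashes with `==` on L55 and L57; `===` is the minimum, and `hash_equals()` is preferable where the deployment's PHP provides it, since the loose comparison also leaks timing. The docblock on L82-L87 should say that the fallback is only reached when /dev/urandom cannot be opened and that its output is not suitable for long-term secrets, so nobody later relies on it deliberately.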


@ -53,12 +53,10 @@
$Err=$Validate->ValidateForm($_REQUEST); $Err=$Validate->ValidateForm($_REQUEST);
if ($Err=='') { if ($Err=='') {
// Form validates without error, set new secret and password. // Form validates without error, set new secret and password.
$Secret=make_secret();
$DB->query("UPDATE $DB->query("UPDATE
users_main AS m, users_main AS m,
users_info AS i users_info AS i
SET m.PassHash='".db_string(make_hash($_REQUEST['password'],$Secret))."', SET m.PassHash='".db_string(make_crypt_hash($_REQUEST['password']))."',
m.Secret='".db_string($Secret)."',
i.ResetKey='', i.ResetKey='',
i.ResetExpires='0000-00-00 00:00:00' i.ResetExpires='0000-00-00 00:00:00'
WHERE m.ID='".db_string($UserID)."' WHERE m.ID='".db_string($UserID)."'
@ -237,7 +235,11 @@ function log_attempt($UserID) {
AND Username<>''"); AND Username<>''");
list($UserID,$PermissionID,$CustomPermissions,$PassHash,$Secret,$Enabled)=$DB->next_record(MYSQLI_NUM, array(2)); list($UserID,$PermissionID,$CustomPermissions,$PassHash,$Secret,$Enabled)=$DB->next_record(MYSQLI_NUM, array(2));
if (strtotime($BannedUntil)<time()) { if (strtotime($BannedUntil)<time()) {
if ($UserID && $PassHash==make_hash($_POST['password'],$Secret)) { if ($UserID && check_password($_POST['password'], $PassHash, $Secret)) {
if (!is_crypt_hash($PassHash)) {
$CryptHash = make_crypt_hash($_POST['password']);
$DB->query("UPDATE users_main SET passhash = '".db_string($CryptHash)."' WHERE ID = $UserID");
}
if ($Enabled == 1) { if ($Enabled == 1) {
$SessionID = make_secret(); $SessionID = make_secret();
$Cookie = $Enc->encrypt($Enc->encrypt($SessionID.'|~|'.$UserID)); $Cookie = $Enc->encrypt($Enc->encrypt($SessionID.'|~|'.$UserID));
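Review bot: The rehash UPDATE on L132 writes to `passhash` while every other query in this commit uses `PassHash` (L120, L148, L157, L186, L205); MySQL treats column names case-insensitively so it works, but it reads as a different column, and `$UserID` is interpolated bare where the neighbouring queries wrap it in `db_string()`, `$DB->query("UPDATE users_main SET PassHash = '".db_string($CryptHash)."' WHERE ID = '".db_string($UserID)."'");`. `$UserID` comes from the row read on L127 rather than from the request, so the bare interpolation is not user-controlled, but keeping the pattern uniform avoids a later copy-paste into a query where it is. A one-line comment above L130, `// Transparently upgrade legacy make_hash() rows to crypt on successful login`, would explain why a write happens inside an authentication check. The surrounding login block begins and ends outside the hunk.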


@ -66,7 +66,6 @@
} }
if(!$Err) { if(!$Err) {
$Secret=make_secret();
$torrent_pass=make_secret(); $torrent_pass=make_secret();
//Previously SELECT COUNT(ID) FROM users_main, which is a lot slower. //Previously SELECT COUNT(ID) FROM users_main, which is a lot slower.
@ -86,8 +85,8 @@
$DB->query("INSERT INTO users_main $DB->query("INSERT INTO users_main
(Username,Email,PassHash,Secret,torrent_pass,IP,PermissionID,Enabled,Invites,Uploaded,ipcc) VALUES (Username,Email,PassHash,torrent_pass,IP,PermissionID,Enabled,Invites,Uploaded,ipcc) VALUES
('".db_string(trim($_POST['username']))."','".db_string($_POST['email'])."','".db_string(make_hash($_POST['password'],$Secret))."','".db_string($Secret)."','".db_string($torrent_pass)."','".db_string($_SERVER['REMOTE_ADDR'])."','".$Class."','".$Enabled."','".STARTING_INVITES."', '524288000', '$ipcc')"); ('".db_string(trim($_POST['username']))."','".db_string($_POST['email'])."','".db_string(make_crypt_hash($_POST['password']))."','".db_string($torrent_pass)."','".db_string($_SERVER['REMOTE_ADDR'])."','".$Class."','".$Enabled."','".STARTING_INVITES."', '524288000', '$ipcc')");
$UserID = $DB->inserted_id(); $UserID = $DB->inserted_id();
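Review bot: The INSERT on L148-L149 no longer supplies a value for the `Secret` column, and the account-creation INSERT on L157 makes the same change; none of the seven files in this commit alters the schema, so whether `Secret` has a default or allows NULL now decides whether these inserts fail under a strict SQL mode — worth confirming against the table definition, or adding a migration that gives the column a default. Because `check_password()` only falls back to `make_hash()` when a non-empty `$Secret` is passed, a row created with an empty `Secret` and a crypt `PassHash` verifies only through the crypt path, which appears to be the intended outcome.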


@ -22,7 +22,7 @@
$torrent_pass=make_secret(); $torrent_pass=make_secret();
//Create the account //Create the account
$DB->query("INSERT INTO users_main (Username,Email,PassHash,Secret,torrent_pass,Enabled,PermissionID, Language) VALUES ('".db_string($Username)."','".db_string($Email)."','".db_string(make_hash($Password, $Secret))."','".db_string($Secret)."','".db_string($torrent_pass)."','1','".USER."', 'en')"); $DB->query("INSERT INTO users_main (Username,Email,PassHash,torrent_pass,Enabled,PermissionID, Language) VALUES ('".db_string($Username)."','".db_string($Email)."','".db_string(make_crypt_hash($Password))."','".db_string($torrent_pass)."','1','".USER."', 'en')");
//Increment site user count //Increment site user count
$Cache->increment('stats_user_count'); $Cache->increment('stats_user_count');
@ -102,4 +102,4 @@
<? <?
} }
show_footer(); ?> show_footer(); ?>


@ -130,7 +130,7 @@
if(!check_perms('users_edit_profiles')) { // Non-admins have to authenticate to change email if(!check_perms('users_edit_profiles')) { // Non-admins have to authenticate to change email
$DB->query("SELECT PassHash,Secret FROM users_main WHERE ID='".db_string($UserID)."'"); $DB->query("SELECT PassHash,Secret FROM users_main WHERE ID='".db_string($UserID)."'");
list($PassHash,$Secret)=$DB->next_record(); list($PassHash,$Secret)=$DB->next_record();
if ($PassHash!=make_hash($_POST['cur_pass'],$Secret)) { if(!check_password($_POST['cur_pass'], $PassHash, $Secret)) {
$Err = "You did not enter the correct password."; $Err = "You did not enter the correct password.";
} }
} }
@ -159,7 +159,7 @@
$DB->query("SELECT PassHash,Secret FROM users_main WHERE ID='".db_string($UserID)."'"); $DB->query("SELECT PassHash,Secret FROM users_main WHERE ID='".db_string($UserID)."'");
list($PassHash,$Secret)=$DB->next_record(); list($PassHash,$Secret)=$DB->next_record();
if ($PassHash == make_hash($_POST['cur_pass'],$Secret)) { if (check_password($_POST['cur_pass'], $PassHash, $Secret)) {
if ($_POST['new_pass_1'] && $_POST['new_pass_2']) { if ($_POST['new_pass_1'] && $_POST['new_pass_2']) {
$ResetPassword = true; $ResetPassword = true;
} }
@ -258,9 +258,8 @@
if($ResetPassword) { if($ResetPassword) {
$ChangerIP = db_string($LoggedUser['IP']); $ChangerIP = db_string($LoggedUser['IP']);
$Secret=make_secret(); $PassHash=make_crypt_hash($_POST['new_pass_1']);
$PassHash=make_hash($_POST['new_pass_1'],$Secret); $SQL.=",m.PassHash='".db_string($PassHash)."'";
$SQL.=",m.Secret='".db_string($Secret)."',m.PassHash='".db_string($PassHash)."'";
$DB->query("INSERT INTO users_history_passwords $DB->query("INSERT INTO users_history_passwords
(UserID, ChangerIP, ChangeTime) VALUES (UserID, ChangerIP, ChangeTime) VALUES
('$UserID', '$ChangerIP', '".sqltime()."')"); ('$UserID', '$ChangerIP', '".sqltime()."')");
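Review bot: A user who authenticates with a legacy `make_hash()` hash on L171 or L178 keeps that hash unless they also choose a new password, whereas the login path in this same commit upgrades it immediately; for consistency, after the check on L178 succeeds with `$ResetPassword` still false, the same `is_crypt_hash()`/`make_crypt_hash()` upgrade could be applied here, or the on-login rehash could be documented as the single upgrade point. The `SELECT PassHash,Secret` on L169 and L176 must keep fetching `Secret` for as long as pre-crypt rows exist; a comment on those lines, `// Secret is only needed to verify legacy make_hash() rows`, would stop a later cleanup from dropping it and silently locking those users out.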


@ -32,7 +32,7 @@
$Visible = (isset($_POST['Visible']))? 1 : 0; $Visible = (isset($_POST['Visible']))? 1 : 0;
$Invites = (int)$_POST['Invites']; $Invites = (int)$_POST['Invites'];
$SupportFor = db_string($_POST['SupportFor']); $SupportFor = db_string($_POST['SupportFor']);
$Pass = db_string($_POST['ChangePassword']); $Pass = $_POST['ChangePassword'];
$Warned = (isset($_POST['Warned']))? 1 : 0; $Warned = (isset($_POST['Warned']))? 1 : 0;
$Logs095 = (int)$_POST['095logs']; $Logs095 = (int)$_POST['095logs'];
if(isset($_POST['Uploaded']) && isset($_POST['Downloaded'])) { if(isset($_POST['Uploaded']) && isset($_POST['Downloaded'])) {
@ -624,9 +624,7 @@
} }
if ($Pass && check_perms('users_edit_password')) { if ($Pass && check_perms('users_edit_password')) {
$Secret=make_secret(); $UpdateSet[]="PassHash='".db_string(make_crypt_hash($Pass))."'";
$UpdateSet[]="Secret='$Secret'";
$UpdateSet[]="PassHash='".db_string(make_hash($Pass,$Secret))."'";
$EditSummary[]='password reset'; $EditSummary[]='password reset';
$Cache->delete_value('user_info_'.$UserID); $Cache->delete_value('user_info_'.$UserID);
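Review bot: `$Pass = $_POST['ChangePassword'];` on L198 reads the index without an isset guard, so a submission lacking that field raises an undefined-index notice before the `if ($Pass && …)` test on L204 runs; `$Pass = isset($_POST['ChangePassword']) ? $_POST['ChangePassword'] : '';` keeps the later test working. Dropping `db_string()` from this line is correct — the previous version hashed the escaped string rather than the password, as the old L207 shows — but the truthiness test on L204 also treats the literal password `0` as "no change", which is pre-existing and could be tightened to `$Pass !== ''`.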