Move to stronger password hash #2401
Conversation
change password, login)
@drshawnkwang and @tristanolive - can the two of you please review this pull request and see if anything needs to be changed in the Drupal code?
@davidpanderson - can you please review this as well but if you are ok with it, please don't merge until either @drshawnkwang and @tristanolive have chimed in.
Also @brevilo and @nicolas17 - since you guys reviewed the original design - do you guys want to review the implementation real quick?
FYI, as I added myself as a reviewer David got dropped for an unknown reason, hence I added him back.
A general note: please try to stick to one format/style for arguments lists. That is, where you use spaces around arguments, operators and commas. Ideally use a formatter with your preferred style rules, preferably matching (or closely following) BOINC's. Thanks.
html/ops/login_action.php
Outdated
function do_passwd_rehash($user,$passwd_hash) { | ||
$database_passwd_hash = password_hash($passwd_hash , PASSWORD_DEFAULT); | ||
$result = $user->update( | ||
"passwd_hash='$database_passwd_hash'" |
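Review bot: do_passwd_rehash() in this hunk is defined verbatim again in html/user/login_action.php and html/user/lookup_account.php further down in this PR; three copies of the same rehash function will drift, and the escaping question raised on each copy has to be answered three times. Move it into a shared include (user_util.inc is the natural home) and require it from the three callers.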
Here you escape the password hash before its use as part of an SQL clause. If you think it's required, it should be done here as well.
After reviewing, the hash does not need to be escaped so I have removed it from the referenced line.
html/user/am_set_info.php
Outdated
@@ -176,7 +177,8 @@ function success($x) { | |||
$query .= " email_addr='$email_addr', "; | |||
} | |||
if ($password_hash) { | |||
$query .= " passwd_hash='$password_hash', "; | |||
$database_passwd_hash = password_hash($password_hash , PASSWORD_DEFAULT); | |||
$query .= " passwd_hash='$database_passwd_hash', "; | |||
} |
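Review bot: the return value of password_hash() on the new line is appended to $query without being checked. On PHP versions where password_hash() returns false on failure, `passwd_hash='$database_passwd_hash'` then writes an empty string, and the "if no password set, set password to account key" branch in lookup_account.php later in this PR treats exactly that as an account with no password. Stop (error_page) when password_hash() does not return a string before building the query.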
Here you escape the password hash before its use as part of an SQL clause. If you think it's required, it should be done here as well.
After reviewing, the hash does not need to be escaped so I have removed it from the referenced line.
html/user/edit_email_action.php
Outdated
$email_addr = BoincDb::escape_string($email_addr); | ||
$result = $user->update( | ||
"email_addr='$email_addr', passwd_hash='$passwd_hash', email_validated=0" | ||
"email_addr='$email_addr', passwd_hash='$database_passwd_hash', email_validated=0" |
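Review bot: this hunk passes $email_addr through BoincDb::escape_string() but interpolates $database_passwd_hash raw. The current bcrypt output of password_hash() contains only `$`, `.`, `/` and alphanumerics, so it is safe today, but PASSWORD_DEFAULT is documented to change across PHP releases and the output format is chosen by PHP, not by BOINC; escaping it the same way as $email_addr on the line above costs nothing and removes the dependency on the hash alphabet.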
Here you escape the password hash before its use as part of an SQL clause. If you think it's required, it should be done here as well.
After reviewing, the hash does not need to be escaped so I have removed it from the referenced line.
html/user/edit_passwd_action.php
Outdated
@@ -45,7 +46,8 @@ | |||
} | |||
|
|||
$passwd_hash = md5($passwd.$user->email_addr); | |||
$result = $user->update("passwd_hash='$passwd_hash'"); | |||
$database_passwd_hash = password_hash( $passwd_hash, PASSWORD_DEFAULT); | |||
$result = $user->update("passwd_hash='$database_passwd_hash'"); |
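Review bot: the stored value changes here from the 32-character md5 hex string to password_hash() output (60 characters for the current bcrypt default, longer for other algorithms PASSWORD_DEFAULT may select); please confirm the passwd_hash column and the project setup scripts accept the longer value, since a silently truncated hash never verifies. Also worth a one-line comment at the md5() line above that the pre-hash is kept on purpose because clients send md5($passwd.$email_addr), so this is bcrypt over that md5 rather than over the password and a later reader should not "fix" it.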
Here you escape the password hash before its use as part of an SQL clause. If you think it's required, it should be done here as well.
After reviewing, the hash does not need to be escaped so I have removed it from the referenced line.
html/user/login_action.php
Outdated
function do_passwd_rehash($user,$passwd_hash) { | ||
$database_passwd_hash = password_hash($passwd_hash , PASSWORD_DEFAULT); | ||
$result = $user->update( | ||
"passwd_hash='$database_passwd_hash'" |
Here you escape the password hash before its use as part of an SQL clause. If you think it's required, it should be done here as well.
After reviewing, the hash does not need to be escaped so I have removed it from the referenced line.
html/user/login_action.php
Outdated
@@ -49,9 +57,19 @@ function login_with_email($email_addr, $passwd, $next_url, $perm) { | |||
error_page("This account has been administratively disabled."); | |||
} | |||
// allow authenticator as password | |||
if ($passwd != $user->authenticator) { | |||
if ($passwd != $user->authenticator ) { |
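Review bot: beyond the stray space added before the closing parenthesis, the comparison on this line is PHP's loose `!=`; when both operands look numeric (a random authenticator can happen to be all digits) PHP compares them as numbers rather than strings. `!==`, or better hash_equals($user->authenticator, $passwd), makes the authenticator-as-password check both strict and constant-time.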
Why the added space? It's inconsistent.
removed.
html/user/lookup_account.php
Outdated
function do_passwd_rehash($user,$passwd_hash) { | ||
$database_passwd_hash = password_hash($passwd_hash , PASSWORD_DEFAULT); | ||
$result = $user->update( | ||
"passwd_hash='$database_passwd_hash'" |
Here you escape the password hash before its use as part of an SQL clause. If you think it's required, it should be done here as well.
After reviewing, the hash does not need to be escaped so I have removed it from the referenced line.
html/user/lookup_account.php
Outdated
@@ -72,16 +80,28 @@ | |||
// if no password set, set password to account key | |||
// | |||
if (!strlen($user->passwd_hash)) { | |||
$user->passwd_hash = $auth_hash; | |||
$user->passwd_hash = password_hash($auth_hash , PASSWORD_DEFAULT); | |||
$user->update("passwd_hash='$user->passwd_hash'"); |
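Review bot: after this line $user->passwd_hash holds password_hash() output while $auth_hash is still the md5 value the client presents, so any comparison later in this function that previously tested equality against $user->passwd_hash must now go through password_verify(); otherwise the account-key-as-password path fails on the very request that sets it. Please check the rest of the function for such a comparison.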
Here you escape the password hash before its use as part of an SQL clause. If you think it's required, it should be done here as well.
After reviewing, the hash does not need to be escaped so I have removed it from the referenced line.
I fixed the style issues. Please let me know if you have any other feedback on the change. Thanks!
I looked at the code and checked out your branch to test it on my Drupal devel. system. My testing shows that there shouldn't be any serious inconsistency with your PR and the drupal codebase. But we should also see if Tristan has any comments. Additionally, we'll work independently to put similar code into the drupal codebase.
I'd expect some problems to arise with RPCs on the Drupal side, as some were implemented as simple wrappers around BOINC RPCs and others were a bit more involved. In particular, the create_account implementation in Drupal will likely need your changes integrated into it. As Shawn's tests show, though, there doesn't look to be anything major.
Thanks!
Update for clarity: This PR can go ahead without waiting for corresponding Drupal updates (which should follow before too long).
@tristanolive - thanks for the clarification. Since I added you as a reviewer can you either approve or remove yourself as a reviewer? Thanks! @davidpanderson - this touches enough stuff that I would appreciate your review on this - and if you are ok with it, please go ahead and merge it. Thanks!
I know this PR has 'pass review', but would it be possible to make two minor late changes:
Maybe
@drshawnkwang - yes - I can make those. I'm updating this to WIP while I make those changes.
…as a .inc file and to move common functions into user_util.inc
@drshawnkwang - please review again and let me know if this matches what you suggested and works for you. Thanks for the feedback.
@TheAspens , thanks for the changes. I checked out this branch and was able to load the password_compat.inc and user_util.inc libraries in order to use the functions you wrote. Thanks again for making these changes.
I just found this: #1644, which will also be closed by this change.
@drshawnkwang @brevilo @tristanolive @davidpanderson - This has been open long enough for any objections to be raised and so it should be good to merge. Can someone go ahead and merge this? Thanks!
@davidpanderson hasn't signed off yet so he should do the merge as soon as he's ok with it.
This looks fine, but it conflicts with the token PR. Kevin, feel free to merge after resolving that.
Conflicts: py/Boinc/setup_project.py
Ok - I've fixed the merge conflict. Everyone has approved this pull request so if someone can merge it I would appreciate it! (by the rules, I cannot merge my own).
These changes will close issue #2353 and close issue #1644.
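The legacy-to-bcrypt migration that the password_hash() and do_passwd_rehash() changes in this PR implement, as an added example that is not BOINC's own code: it verifies a login against either a legacy md5 row or a password_hash() row and upgrades the legacy row on the first successful login. The function names, the regex for recognising a legacy row and the sample account are assumptions made for illustration.

```php
<?php
// Added example, not BOINC code. Clients keep sending md5($passwd . $email_addr);
// that md5 string is the secret the server sees, so storage is password_hash()
// over it. Function names and the sample account below are assumptions.

const LEGACY_MD5_RE = '/^[0-9a-f]{32}$/';   // assumption: how a legacy row looks

// Wrap the client-side md5 in password_hash() for storage; never store raw md5.
function store_passwd_hash(string $client_md5): string {
    $h = password_hash($client_md5, PASSWORD_DEFAULT);
    if (!is_string($h)) {      // older PHP returns false instead of throwing
        throw new RuntimeException('password_hash() failed');
    }
    return $h;
}

// Verify a login against the DB value. Returns [ok, new_hash_or_null]; the
// caller persists new_hash when it is not null (the role of do_passwd_rehash).
function check_passwd(string $stored, string $client_md5): array {
    if (preg_match(LEGACY_MD5_RE, $stored)) {
        // Legacy row still holds plain md5: constant-time compare, then
        // upgrade so the md5 value disappears after the first successful login.
        if (!hash_equals($stored, $client_md5)) {
            return [false, null];
        }
        return [true, store_passwd_hash($client_md5)];
    }
    if (!password_verify($client_md5, $stored)) {
        return [false, null];
    }
    // Already password_hash() output; rehash only if PHP's default changed.
    $new = password_needs_rehash($stored, PASSWORD_DEFAULT)
        ? store_passwd_hash($client_md5) : null;
    return [true, $new];
}

// Constructed sample: a legacy account whose row was written by the old code.
$email      = 'user@example.org';
$client_md5 = md5('correct horse' . $email);
$legacy_row = $client_md5;
[$ok, $upgraded] = check_passwd($legacy_row, $client_md5);
assert($ok && $upgraded !== null && !preg_match(LEGACY_MD5_RE, $upgraded));
// Second login hits password_verify() on the upgraded row; no further rehash.
[$ok2, $again] = check_passwd($upgraded, $client_md5);
assert($ok2 && $again === null);
// A wrong password fails against the upgraded row.
[$bad] = check_passwd($upgraded, md5('wrong' . $email));
assert(!$bad);
```

Run it with `php -d zend.assertions=1` so the assertions are actually evaluated.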