On Fri, 24 Feb 2017 at 22:02:04, Lukas Fleischer wrote:
> Replace the default hash function used for storing passwords by
> password_hash() which internally uses bcrypt. Legacy MD5 hashes are
> still supported and are immediately converted to the new format when a
> user logs in.
>
> Since big parts of the authentication system needed to be rewritten in
> this context, this patch also includes some simplification and
> refactoring of all code related to password checking and resetting.
>
> Fixes FS#52297.
>
> Signed-off-by: Lukas Fleischer <[email protected]>
> ---
> This replaces the SHA-512 patch sent earlier. Thanks to Johannes for
> suggesting to use bcrypt instead!
>
> Again, it would be great if somebody could review the new patch!
>
>  schema/aur-schema.sql     |   2 +-
>  upgrading/4.5.0.txt       |   6 ++
>  web/html/passreset.php    |   5 +-
>  web/lib/acctfuncs.inc.php | 144 +++++++++++++++++++---------------------
>  web/lib/aur.inc.php       |  57 ------------------
>  5 files changed, 67 insertions(+), 147 deletions(-)
> [...]
> + /* Get password version, hash, as well as salt and authenticate. */
> + $q = "SELECT Passwd, Salt FROM Users WHERE ID = " . intval($user_id);
> [...]
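Review bot: the comment `/* Get password version, hash, as well as salt and authenticate. */` promises a password version that the query `SELECT Passwd, Salt FROM Users WHERE ID = ...` never selects; either fetch the version column the comment refers to or trim the comment to the two columns actually returned. Since password_hash() stores its salt inside the bcrypt string, it would also help a later reader if the comment said whether Salt is now read only to verify legacy MD5 hashes before they are converted. The `intval($user_id)` cast keeps the interpolated ID numeric, so the string concatenation itself is not an injection concern here.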
I forgot to update this comment. Fixed on pu.
