Author: Nikita Popov (nikic)
Date: 2021-04-11T21:44:40+02:00
Commit:
https://github.com/php/web-master/commit/90515b33df33295d02726d92144e52b8c0f91aa9
Raw diff:
https://github.com/php/web-master/commit/90515b33df33295d02726d92144e52b8c0f91aa9.diff
Switch authentication to use PDO
Changed paths:
M include/cvs-auth.inc
M include/login.inc
M public/fetch/cvsauth.php
Diff:
diff --git a/include/cvs-auth.inc b/include/cvs-auth.inc
index 356f20b..ec18876 100644
--- a/include/cvs-auth.inc
+++ b/include/cvs-auth.inc
@@ -1,25 +1,22 @@
-<?php // vim: et ts=4 sw=4
+<?php
+
+use App\DB;
function gen_pass($password) {
return password_hash($password, PASSWORD_BCRYPT);
}
-function verify_password($user, $pass)
-{
- db_connect();
-
- $res = db_query_safe("SELECT svnpasswd FROM users WHERE cvsaccess AND
username = ?", [$user]);
-
- if ($res && mysql_num_rows($res) == 1) {
- $row = mysql_fetch_array($res);
- return password_verify($pass, $row['svnpasswd']);
+function verify_password(DB $db, $user, $pass) {
+ $stmt = $db->prepare("SELECT svnpasswd FROM users WHERE cvsaccess AND
username = ?");
+ $stmt->execute([$user]);
+ if (false === $row = $stmt->fetch()) {
+ return false;
}
-
- return false;
+ return password_verify($pass, $row['svnpasswd']);
}
-function verify_username($user) {
- db_connect();
- $res = db_query_safe("SELECT 1 FROM users WHERE cvsaccess AND username =
?", [$user]);
- return $res && mysql_num_rows($res) == 1;
+function verify_username(DB $db, $user) {
+ $stmt = $db->prepare("SELECT 1 FROM users WHERE cvsaccess AND username =
?");
+ $stmt->execute([$user]);
+ return $stmt->fetch() !== false;
}
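Review bot: The early `return false` when `$stmt->fetch()` finds no row means an unknown username skips the bcrypt work in `password_verify`, so an attempt against a non-existent account returns measurably faster than a wrong-password attempt — a timing oracle for username existence on callers such as login.inc. Calling `password_verify($pass, $dummyHash)` against one fixed bcrypt hash (generated once with `gen_pass()`, not recomputed per request) before returning false keeps both paths at the same cost. Separately, the removed code required `mysql_num_rows($res) == 1` whereas the new `fetch() !== false` accepts the first of any number of rows; that is only equivalent if `username` is unique in `users`, which this hunk does not show. If `DB::connect()` (outside this hunk) does not enable `PDO::ERRMODE_EXCEPTION`, a failed `prepare()` returns false and the following `execute()` becomes a fatal rather than a clean denial, so it is worth confirming that mode is set.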
diff --git a/include/login.inc b/include/login.inc
index 30e9d7a..22d3e51 100644
--- a/include/login.inc
+++ b/include/login.inc
@@ -12,8 +12,9 @@ if (!isset($_SERVER["HTTPS"]) || $_SERVER["HTTPS"] != "on") {
}
*/
+use App\DB;
+
session_start();
-/* $Id$ */
require 'cvs-auth.inc';
require 'functions.inc';
@@ -28,7 +29,7 @@ if (isset($_POST["user"], $_POST["pw"])) {
}
// Login form, if the user is not yet logged in
-if (!$cuser || !$cpw || !verify_password($cuser,$cpw)) {
+if (!$cuser || !$cpw || !verify_password(DB::connect(), $cuser,$cpw)) {
$_SESSION = [];
session_destroy();
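Review bot: The `if` body continues past the hunk and its success path is not visible, so confirm that the branch taken after a successful `verify_password` calls `session_regenerate_id(true)`; `session_start()` earlier in the file otherwise keeps whatever session id the client presented, and only the failure path shown here destroys the session. The new condition short-circuits before `DB::connect()` only when `$cuser` or `$cpw` is empty, so every request with a wrong password costs a connection plus a bcrypt check with no throttling visible in this hunk — if rate limiting lives upstream, a one-line comment on the `if` saying so would help the next reader. `!$cpw` also rejects the literal password `"0"` through PHP truthiness; if `$cpw` is always a string or null, `$cpw === null || $cpw === ''` is the precise test.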
diff --git a/public/fetch/cvsauth.php b/public/fetch/cvsauth.php
index 5946d4d..123366e 100644
--- a/public/fetch/cvsauth.php
+++ b/public/fetch/cvsauth.php
@@ -33,6 +33,8 @@
echo $a["SUCCESS"], "\n";
*/
+use App\DB;
+
require 'functions.inc';
require 'cvs-auth.inc';
@@ -84,11 +86,12 @@ function is_valid_cvsauth_token($token) {
exit_forbidden(E_UNKNOWN);
}
-if (!verify_username($username)) {
+$db = DB::connect();
+if (!verify_username($db, $username)) {
exit_forbidden(E_USERNAME);
}
-if (!verify_password($username, $password)) {
+if (!verify_password($db, $username, $password)) {
exit_forbidden(E_PASSWORD);
}