Merge pull request #754 from bertptrs/master

SSilence · SSilence · commit 2d41e7cd1c2f · 2016-04-15T20:01:01.000+02:00
Use a more secure password hash
diff --git a/controllers/Index.php b/controllers/Index.php
@@ -101,7 +101,7 @@ public function password() {
         $this->view = new \helpers\View();
         $this->view->password = true;
         if(isset($_POST['password']))
-            $this->view->hash = hash("sha512", \F3::get('salt') . $_POST['password']);
+            $this->view->hash = password_hash($_POST['password'], PASSWORD_DEFAULT);
         echo $this->view->render('templates/login.phtml');
     }
     
diff --git a/defaults.ini b/defaults.ini
@@ -15,7 +15,6 @@ items_lifetime=30
 base_url=
 username=
 password=
-salt=lkjl1289
 public=
 html_title=selfoss
 rss_title=selfoss feed
diff --git a/helpers/Authentication.php b/helpers/Authentication.php
@@ -98,7 +98,7 @@ public function loginWithoutUser() {
     public function login($username, $password) {
         if($this->enabled()) {
             if(
-                $username == \F3::get('username') &&  hash("sha512", \F3::get('salt') . $password) == \F3::get('password')
+                $username == \F3::get('username') && password_verify($password, \F3::get('password'))
             ) {
                 $this->loggedin = true;
                 $_SESSION['loggedin'] = true;

Original file line number	Diff line number	Diff line change
`@@ -101,7 +101,7 @@ public function password() {`
`101`	`101`	`$this->view = new \helpers\View();`
`102`	`102`	`$this->view->password = true;`
`103`	`103`	`if(isset($_POST['password']))`
`104`		`- $this->view->hash = hash("sha512", \F3::get('salt') . $_POST['password']);`
	`104`	`+ $this->view->hash = password_hash($_POST['password'], PASSWORD_DEFAULT);`
`105`	`105`	`echo $this->view->render('templates/login.phtml');`
`106`	`106`	`}`
`107`	`107`