From 13590a876b3d9b117ae47f91b1048be103b544f1 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Sat, 18 Oct 2014 16:08:15 +0200
Subject: [PATCH] Fix: A little clean of dol_hash usage.
---
 htdocs/core/class/CMailFile.class.php | 6 +++---
 htdocs/core/class/html.form.class.php | 2 +-
 htdocs/core/class/rssparser.class.php | 2 +-
 htdocs/core/class/smtps.class.php | 10 +++++-----
 htdocs/core/lib/security.lib.php | 11 +++++++----
 htdocs/core/lib/security2.lib.php | 2 +-
 htdocs/user/class/user.class.php | 4 ++--
 htdocs/user/passwordforgotten.php | 6 +++---
 test/phpunit/SecurityTest.php | 2 +-
 9 files changed, 24 insertions(+), 21 deletions(-)
diff --git a/htdocs/core/class/CMailFile.class.php b/htdocs/core/class/CMailFile.class.php
index a289b43c4a9..5288dc635cb 100644
--- a/htdocs/core/class/CMailFile.class.php
+++ b/htdocs/core/class/CMailFile.class.php
@@ -118,10 +118,10 @@ class CMailFile
 $this->mixed_boundary = "multipart_x." . time() . ".x_boundary";
 // On defini related_boundary
- $this->related_boundary = 'mul_'.dol_hash(uniqid("dolibarr2"));
+ $this->related_boundary = 'mul_'.dol_hash(uniqid("dolibarr2"), 3); // Force md5 hash (does not contains special chars)
 // On defini alternative_boundary
- $this->alternative_boundary = 'mul_'.dol_hash(uniqid("dolibarr3"));
+ $this->alternative_boundary = 'mul_'.dol_hash(uniqid("dolibarr3"), 3); // Force md5 hash (does not contains special chars)
 // If ending method not defined
 if (empty($conf->global->MAIN_MAIL_SENDMODE)) $conf->global->MAIN_MAIL_SENDMODE='mail';
@@ -971,7 +971,7 @@ class CMailFile
 }
 // cid
- $this->html_images[$i]["cid"] = dol_hash(uniqid(time()));
+ $this->html_images[$i]["cid"] = dol_hash(uniqid(time()), 3); // Force md5 hash (does not contains special chars)
 $this->html = preg_replace("/src=\"$src\"|src='$src'/i", "src=\"cid:".$this->html_images[$i]["cid"]."\"", $this->html);
 }
 $i++;
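Review bot: The trailing comment added on the `related_boundary`, `alternative_boundary` and (in the second hunk) `cid` lines gives the wrong reason for passing 3: every branch of dol_hash() already returns a hex digest with no special characters, so what type 3 actually buys is a fixed 32-character md5 value that no longer changes with the MAIN_SECURITY_HASH_ALGO setting. A comment that states this would help the next reader, e.g. `// Type 3 = md5: fixed 32-char hex value, independent of MAIN_SECURITY_HASH_ALGO`. These values are MIME boundaries and Content-IDs derived from uniqid(), so uniqueness rather than secrecy is what matters here, and they should not be reused as anything secret. Both hunks sit inside methods whose opening lines are outside the visible diff.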
diff --git a/htdocs/core/class/html.form.class.php b/htdocs/core/class/html.form.class.php
index 9985bcc0e81..f41aaa5d19e 100644
--- a/htdocs/core/class/html.form.class.php
+++ b/htdocs/core/class/html.form.class.php
@@ -4401,7 +4401,7 @@ class Form
 {
 global $dolibarr_main_url_root;
 $ret.='';
- $ret.='Photo found on Gravatar';
+ $ret.='Photo found on Gravatar'; // gravatar need md5 hash
 }
 else
 {
diff --git a/htdocs/core/class/rssparser.class.php b/htdocs/core/class/rssparser.class.php
index d9a7d8348d6..5a156b1eda7 100644
--- a/htdocs/core/class/rssparser.class.php
+++ b/htdocs/core/class/rssparser.class.php
@@ -194,7 +194,7 @@ class RssParser
 }
 $this->_urlRSS = $urlRSS;
- $newpathofdestfile=$cachedir.'/'.dol_hash($this->_urlRSS);
+ $newpathofdestfile=$cachedir.'/'.dol_hash($this->_urlRSS,3); // Force md5 hash (does not contains special chars)
 $newmask='0644';
 //dol_syslog("RssPArser::parser parse url=".$urlRSS." => cache file=".$newpathofdestfile);
diff --git a/htdocs/core/class/smtps.class.php b/htdocs/core/class/smtps.class.php
index 61a098330c2..5c7d73eb136 100644
--- a/htdocs/core/class/smtps.class.php
+++ b/htdocs/core/class/smtps.class.php
@@ -1159,7 +1159,7 @@ class SMTPs
 $this->_msgContent[$strType]['data'] = $strContent;
 if ( $this->getMD5flag() )
- $this->_msgContent[$strType]['md5'] = dol_hash($strContent);
+ $this->_msgContent[$strType]['md5'] = dol_hash($strContent, 3);
 //}
 }
@@ -1329,7 +1329,7 @@ class SMTPs
 $this->_msgContent['attachment'][$strFileName]['data'] = $strContent;
 if ( $this->getMD5flag() )
- $this->_msgContent['attachment'][$strFileName]['md5'] = dol_hash($strContent);
+ $this->_msgContent['attachment'][$strFileName]['md5'] = dol_hash($strContent, 3);
 }
 }
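Review bot: Forcing type 3 on the `$newpathofdestfile` line changes the cache file name on any installation where MAIN_SECURITY_HASH_ALGO was set to sha1 or sha1md5: the old 40-character names are no longer looked up, so those files stay behind in `$cachedir` until something removes them. That deserves a mention in the commit message, and the trailing comment should give the real reason md5 is forced here, a stable, path-safe file name that does not depend on the security configuration, rather than "does not contains special chars", which is true of every dol_hash() output. Suggested: `// md5 forced: cache file name must stay stable and path-safe whatever MAIN_SECURITY_HASH_ALGO says`. The enclosing method starts and ends outside this hunk.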
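Review bot: The value stored under the `'md5'` key on the `$this->_msgContent[$strType]['md5']` line (and by the same change in the attachment and image hunks at 1329 and 1356) is the hex form of the md5 digest. If that value is later emitted as a Content-MD5 header, RFC 1864 requires the base64 encoding of the raw 16-byte digest, i.e. `base64_encode(md5($strContent, true))`, and a hex string would fail verification at the receiver; the emitting code is not visible here, so please check where the data guarded by `getMD5flag()` is consumed. Forcing type 3 is still the right fix for the key name, since a sha1 stored under a key called `'md5'` was a latent mismatch. The enclosing methods begin outside these hunks.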
@@ -1356,7 +1356,7 @@ class SMTPs
 $this->_msgContent['image'][$strImageName]['data'] = $strContent;
 if ( $this->getMD5flag() )
- $this->_msgContent['image'][$strImageName]['md5'] = dol_hash($strContent);
+ $this->_msgContent['image'][$strImageName]['md5'] = dol_hash($strContent, 3);
 }
 }
 // END DOL_CHANGE LDR
@@ -1487,8 +1487,8 @@ class SMTPs
 function _setBoundary()
 {
 $this->_smtpsBoundary = "multipart_x." . time() . ".x_boundary";
- $this->_smtpsRelatedBoundary = 'mul_'.dol_hash(uniqid("dolibarr2"));
- $this->_smtpsAlternativeBoundary = 'mul_'.dol_hash(uniqid("dolibarr3"));
+ $this->_smtpsRelatedBoundary = 'mul_'.dol_hash(uniqid("dolibarr2"), 3);
+ $this->_smtpsAlternativeBoundary = 'mul_'.dol_hash(uniqid("dolibarr3"), 3);
 }
 /**
diff --git a/htdocs/core/lib/security.lib.php b/htdocs/core/lib/security.lib.php
index 87dfcf1367b..f00abaa339f 100644
--- a/htdocs/core/lib/security.lib.php
+++ b/htdocs/core/lib/security.lib.php
@@ -70,11 +70,11 @@ function dol_decode($chain)
 /**
 * Returns a hash of a string.
- * If constant MAIN_SECURITY_HASH_ALGO is defined, we use this function as hashing function (md5 by default)
- * If constant MAIN_SECURITY_SALT is defined, we use it as a salt
+ * If constant MAIN_SECURITY_HASH_ALGO is defined, we use this function as hashing function.
+ * If constant MAIN_SECURITY_SALT is defined, we use it as a salt.
 *
 * @param string $chain String to hash
- * @param int $type Type of hash (0:auto, 1:sha1, 2:sha1+md5)
+ * @param int $type Type of hash (0:auto, 1:sha1, 2:sha1+md5, 3:md5)
 * @return string Hash of string
 */
 function dol_hash($chain,$type=0)
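Review bot: The updated `@param int $type` line lists the codes but not the rule callers actually need: a non-zero type bypasses MAIN_SECURITY_HASH_ALGO completely, which is why the other files in this commit pass 3 for identifiers. I would extend it to `@param int $type Type of hash (0:auto from MAIN_SECURITY_HASH_ALGO, md5 if unset; 1:sha1, 2:sha1+md5, 3:md5; 1-3 ignore the configuration)` and make `@return` state the format, `@return string Lowercase hex digest (32 chars for md5, 40 for sha1 and sha1+md5)`, since the test touched by this commit depends on that length. The sentence about MAIN_SECURITY_SALT is kept, yet the body hunk that follows shows no salt handling; the lines between this docblock and `if ($type == 1)` are outside both hunks, so please confirm the claim still holds.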
@@ -86,9 +86,12 @@ function dol_hash($chain,$type=0)
 if ($type == 1) return sha1($chain);
 else if ($type == 2) return sha1(md5($chain));
+ else if ($type == 3) return md5($chain);
 else if (! empty($conf->global->MAIN_SECURITY_HASH_ALGO) && $conf->global->MAIN_SECURITY_HASH_ALGO == 'sha1') return sha1($chain);
 else if (! empty($conf->global->MAIN_SECURITY_HASH_ALGO) && $conf->global->MAIN_SECURITY_HASH_ALGO == 'sha1md5') return sha1(md5($chain));
- else return md5($chain);
+
+ // No enconding defined
+ return md5($chain);
 }
diff --git a/htdocs/core/lib/security2.lib.php b/htdocs/core/lib/security2.lib.php
index 40dd2c03ac3..fe0c9809296 100644
--- a/htdocs/core/lib/security2.lib.php
+++ b/htdocs/core/lib/security2.lib.php
@@ -440,7 +440,7 @@ function encodedecode_dbpassconf($level=0)
 /**
 * Return a generated password using default module
 *
- * @param boolean $generic true=Create generic password (a MD5 string), false=Use the configured password generation module
+ * @param boolean $generic true=Create generic password (use default crypt function), false=Use the configured password generation module
 * @return string New value for password
 */
 function getRandomPassword($generic=false)
diff --git a/htdocs/user/class/user.class.php b/htdocs/user/class/user.class.php
index 91f85d4cb0b..ffde48c2ada 100644
--- a/htdocs/user/class/user.class.php
+++ b/htdocs/user/class/user.class.php
@@ -1154,7 +1154,7 @@ class User extends CommonObject
 $this->error = $langs->trans("ErrorBadEMail",$this->email);
 return -1;
 }
-
+
 $this->db->begin();
 // Mise a jour autres infos
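Review bot: The new closing comment `// No enconding defined` has a typo and names the wrong concept: what is undefined at that point is an explicit type and the MAIN_SECURITY_HASH_ALGO setting, not an encoding. Suggest `// Neither an explicit $type nor MAIN_SECURITY_HASH_ALGO given: default to md5`. A broader caveat belongs here too: md5, sha1 and sha1(md5()) are fast unsalted digests, fine for the identifiers the rest of this commit uses them for, but not a password-storage primitive; if any type-0 caller stores user passwords through this function (not visible from this hunk), a `@todo` pointing at password_hash()/password_verify() would record that debt next to the code. The function's opening lines are outside the hunk, so the salt handling promised by the docblock cannot be checked here.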
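Review bot: The reworded `@param boolean $generic` line says "use default crypt function", but dol_hash() is a digest, not crypt(), and the test updated in this same commit asserts the result is 32 characters, which only holds while MAIN_SECURITY_HASH_ALGO is unset or md5 (sha1 gives 40). Either the docblock should state that dependency, `true=Create generic password (a dol_hash() digest; 32 hex chars unless MAIN_SECURITY_HASH_ALGO selects sha1)`, or getRandomPassword() should pass type 3 so the generic password has a fixed shape, which would also make the updated test comment accurate. The function body is outside the hunk, so the source of randomness fed to dol_hash() cannot be assessed here; the docblock is the right place to name it.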
@@ -1539,7 +1539,7 @@ class User extends CommonObject
 $mesg.= $outputlangs->transnoentitiesnoconv("Password")." = ".$password."\n\n";
 $mesg.= "\n";
 $mesg.= $outputlangs->transnoentitiesnoconv("YouMustClickToChange")." :\n";
- $url = $urlwithroot.'/user/passwordforgotten.php?action=validatenewpassword&username='.$this->login."&passwordmd5=".dol_hash($password);
+ $url = $urlwithroot.'/user/passwordforgotten.php?action=validatenewpassword&username='.$this->login."&passwordhash=".dol_hash($password);
 $mesg.= $url."\n\n";
 $mesg.= $outputlangs->transnoentitiesnoconv("ForgetIfNothing")."\n\n";
 dol_syslog(get_class($this)."::send_password url=".$url);
diff --git a/htdocs/user/passwordforgotten.php b/htdocs/user/passwordforgotten.php
index 4d7422109bf..44377f6168c 100644
--- a/htdocs/user/passwordforgotten.php
+++ b/htdocs/user/passwordforgotten.php
@@ -49,7 +49,7 @@ $mode=$dolibarr_main_authentication;
 if (! $mode) $mode='http';
 $username = GETPOST('username');
-$passwordmd5 = GETPOST('passwordmd5');
+$passwordhash = GETPOST('passwordhash');
 $conf->entity = (GETPOST('entity') ? GETPOST('entity') : 1);
 // Instantiate hooks of thirdparty module only if not already define
@@ -68,7 +68,7 @@ if (GETPOST('dol_use_jmobile') || ! empty($_SESSION['dol_use_jmobile']))
 */
 // Validate new password
-if ($action == 'validatenewpassword' && $username && $passwordmd5)
+if ($action == 'validatenewpassword' && $username && $passwordhash)
 {
 $edituser = new User($db);
 $result=$edituser->fetch('',$_GET["username"]);
@@ -78,7 +78,7 @@ if ($action == 'validatenewpassword' && $username && $passwordmd5)
 }
 else
 {
- if (dol_hash($edituser->pass_temp) == $passwordmd5)
+ if (dol_hash($edituser->pass_temp) == $passwordhash)
 {
 $newpassword=$edituser->setPassword($user,$edituser->pass_temp,0);
 dol_syslog("passwordforgotten.php new password for user->id=".$edituser->id." validated in database");
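Review bot: The context line `dol_syslog(get_class($this)."::send_password url=".$url);` writes the complete activation URL, login and `passwordhash` token included, into the log; anyone who can read the log has what passwordforgotten.php needs to activate the temporary password, so the log entry should not carry the URL, e.g. `dol_syslog(get_class($this)."::send_password sent for login=".$this->login);`. On the changed line `$this->login` is concatenated into the query string raw; a login containing `&`, `+`, `#` or a space breaks the link, so wrap it as `urlencode($this->login)` (the receiving side already reads it through GETPOST). The method begins and ends outside the hunk.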
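Review bot: `if (dol_hash($edituser->pass_temp) == $passwordhash)` compares two digests with `==`, and PHP's loose comparison treats numeric-looking strings as numbers, so two different digests can compare equal; use `hash_equals(dol_hash($edituser->pass_temp), $passwordhash)` (PHP 5.6) or at minimum `===`. In the preceding hunk the fetch still reads `$_GET["username"]` while the guard uses `$username`, which is `GETPOST('username')`; the same variable should be used in both places so the value that was checked is the value that is looked up. The enclosing `if` block closes outside the hunk.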
diff --git a/test/phpunit/SecurityTest.php b/test/phpunit/SecurityTest.php
index 0d92aee8b76..e7160939532 100755
--- a/test/phpunit/SecurityTest.php
+++ b/test/phpunit/SecurityTest.php
@@ -227,7 +227,7 @@ class SecurityTest extends PHPUnit_Framework_TestCase
 {
 global $conf;
- $genpass1=getRandomPassword(true); // Should be a MD5 string return by dol_hash
+ $genpass1=getRandomPassword(true); // Should be a string return by dol_hash (if no option set, will be md5)
 print __METHOD__." genpass1=".$genpass1."\n";
 $this->assertEquals(strlen($genpass1),32);