authorrobocoder <anthon.pang@gmail.com>2011-07-03 22:10:30 +0400
committerrobocoder <anthon.pang@gmail.com>2011-07-03 22:10:30 +0400
commita43812ea14c4f6fa72393b650b14e8d4d493afa2 (patch)
tree03b15d7bc415ac78a298315332f55918e5b4b345 /plugins/Login
parent1f22d78bf1b217ab28c51d6c61a99686d72f1669 (diff)
refs #308 - some cleanup; I'll fix the webtest later tonight
git-svn-id: http://dev.piwik.org/svn/trunk@4992 59fd770c-687e-43c8-a1e3-f5a4ff64c105
Diffstat (limited to 'plugins/Login')
-rw-r--r--plugins/Login/Controller.php25
1 files changed, 23 insertions, 2 deletions
diff --git a/plugins/Login/Controller.php b/plugins/Login/Controller.php
index 5faff40844..7e4d31b188 100644
--- a/plugins/Login/Controller.php
+++ b/plugins/Login/Controller.php
@@ -18,6 +18,24 @@
class Piwik_Login_Controller extends Piwik_Controller
{
/**
+ * Generate hash on user info and password
+ *
+ * @param string $userinfo User name, email, etc
+ * @param string $password
+ * @return string
+ */
+ private function generateHash($userInfo, $password)
+ {
+ // mitigate rainbow table attack
+ $password = str_split($password, (strlen($password)/2)+1);
+ $hash = Piwik_Common::hash(
+ $userInfo . $password[0]
+ . Piwik_Common::getSalt() . $password[1]
+ );
+ return $hash;
+ }
+
+ /**
* Default action
*
* @param none
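Review bot: In generateHash the split `str_split($password, (strlen($password)/2)+1)` gives a float chunk length for odd-length input (silently truncated on old PHP, a deprecation on newer) and, for input of two characters or fewer, returns a single chunk, so `$password[1]` in the hash input is an undefined index that contributes only a notice and an empty string. A split that always yields two parts is `$parts = str_split($password, max(1, (int) ceil(strlen($password) / 2))) + ['', ''];` followed by `$parts[0]` and `$parts[1]` in place of `$password[0]`/`$password[1]`; since the only caller this commit adds is the short-lived reset-token path, presumably no stored value depends on the exact split, though that is not visible here. If `Piwik_Common::hash` is a plain digest, the hand-rolled salt interleave could be replaced by the standard keyed construction `hash_hmac('sha256', $userInfo . $password, Piwik_Common::getSalt())`, which needs no splitting at all. The docblock also names the first parameter `$userinfo` while the signature uses `$userInfo`, and the `@return string` line would benefit from saying it is a hex digest if that is what `Piwik_Common::hash` produces.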
@@ -193,7 +211,7 @@ class Piwik_Login_Controller extends Piwik_Controller
*/
protected function lostPasswordFormValidated($loginMail)
{
- if( $user === 'anonymous' )
+ if( $loginMail === 'anonymous' )
{
return Piwik_Translate('Login_InvalidUsernameEmail');
}
@@ -379,7 +397,10 @@ class Piwik_Login_Controller extends Piwik_Controller
}
$expiry = strftime('%Y%m%d%H', $timestamp);
- $token = md5(Piwik_Common::getSalt() . md5($expiry . $user['login'] . $user['email'] . $user['password']));
+ $token = $this->generateHash(
+ $expiry . $user['login'] . $user['email'],
+ $user['password']
+ );
return $token;
}
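Review bot: The `$userInfo` argument built for `generateHash` joins `$expiry`, `$user['login']` and `$user['email']` with no separator, so the boundary between login and email is not encoded in the hashed input and two distinct (login, email) pairs whose concatenations coincide feed the same bytes to the hash. Whether Piwik's login and email validation rules such pairs out is not visible in this hunk, but a delimiter that cannot occur in either field removes the ambiguity regardless, e.g. `$expiry . "\0" . $user['login'] . "\0" . $user['email'],` as the first argument. `$expiry` is fixed-width (ten digits from `%Y%m%d%H`), so it needs no delimiter of its own. The enclosing method begins outside the hunk; two blank context lines the hunk header counts appear to have been dropped by the viewer.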