author | robocoder <anthon.pang@gmail.com> | 2011-07-03 22:10:30 +0400 |
---|---|---|
committer | robocoder <anthon.pang@gmail.com> | 2011-07-03 22:10:30 +0400 |
commit | a43812ea14c4f6fa72393b650b14e8d4d493afa2 (patch) | |
tree | 03b15d7bc415ac78a298315332f55918e5b4b345 /plugins/Login | |
parent | 1f22d78bf1b217ab28c51d6c61a99686d72f1669 (diff) |
refs #308 - some cleanup; I'll fix the webtest later tonight
git-svn-id: http://dev.piwik.org/svn/trunk@4992 59fd770c-687e-43c8-a1e3-f5a4ff64c105
Diffstat (limited to 'plugins/Login')
-rw-r--r-- | plugins/Login/Controller.php | 25 |
1 files changed, 23 insertions, 2 deletions
diff --git a/plugins/Login/Controller.php b/plugins/Login/Controller.php
index 5faff40844..7e4d31b188 100644
--- a/plugins/Login/Controller.php
+++ b/plugins/Login/Controller.php
@@ -18,6 +18,24 @@ class Piwik_Login_Controller extends Piwik_Controller
 {
 /**
+ * Generate hash on user info and password
+ *
+ * @param string $userinfo User name, email, etc
+ * @param string $password
+ * @return string
+ */
+ private function generateHash($userInfo, $password)
+ {
+ // mitigate rainbow table attack
+ $password = str_split($password, (strlen($password)/2)+1);
+ $hash = Piwik_Common::hash(
+ $userInfo . $password[0]
+ . Piwik_Common::getSalt() . $password[1]
+ );
+ return $hash;
+ }
+
+ /**
 * Default action
 *
 * @param none
@@ -193,7 +211,7 @@ class Piwik_Login_Controller extends Piwik_Controller
 */
 protected function lostPasswordFormValidated($loginMail)
 {
- if( $user === 'anonymous' )
+ if( $loginMail === 'anonymous' )
 {
 return Piwik_Translate('Login_InvalidUsernameEmail');
 }
@@ -379,7 +397,10 @@ class Piwik_Login_Controller extends Piwik_Controller
 }
 $expiry = strftime('%Y%m%d%H', $timestamp);
- $token = md5(Piwik_Common::getSalt() . md5($expiry . $user['login'] . $user['email'] . $user['password']));
+ $token = $this->generateHash(
+ $expiry . $user['login'] . $user['email'],
+ $user['password']
+ );
 return $token;
 } |
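Review bot: `$password[1]` in generateHash is undefined whenever `strlen($password)` is 2 or less, because `str_split` with a chunk size of `(strlen($password)/2)+1` then returns a single chunk, so the second half silently degrades to an empty string under an E_NOTICE; for odd lengths the `/2` also hands `str_split` a float that is only implicitly truncated. Make the split explicit and total, e.g. `$half = (int) floor(strlen($password) / 2) + 1;` and `$tail = isset($password[1]) ? $password[1] : '';`, or reject short input up front, even though the only caller in this diff passes a stored `$user['password']` value whose length is presumably fixed. The docblock names the first parameter `$userinfo` while the signature uses `$userInfo`; align them and state what callers are expected to concatenate into it and whether `$password` is the cleartext or the stored hash. How strong the resulting token is depends on `Piwik_Common::hash`, which is not shown here.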
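Review bot: The expiry, login and email in the first argument to generateHash are concatenated with no delimiter, so distinct (login, email) pairs can yield the same input string and therefore the same token; a separator such as `$expiry . '|' . $user['login'] . '|' . $user['email'],` removes that ambiguity, provided the code that validates a token regenerates it through the same path. The enclosing function starts outside the hunk, so it cannot be confirmed here whether `$user['password']` is the stored hash or a cleartext value; the helper's docblock should say which. The token is bucketed to the hour through `$expiry`, so the validating side presumably regenerates it for the current and the previous hour, but that logic is not part of this diff.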