From a43812ea14c4f6fa72393b650b14e8d4d493afa2 Mon Sep 17 00:00:00 2001
From: robocoder
Date: Sun, 3 Jul 2011 18:10:30 +0000
Subject: refs #308 - some cleanup; I'll fix the webtest later tonight
git-svn-id: http://dev.piwik.org/svn/trunk@4992 59fd770c-687e-43c8-a1e3-f5a4ff64c105
---
 plugins/Login/Controller.php | 25 +++++++++++++++++++++++--
 1 file changed, 23 insertions(+), 2 deletions(-)
(limited to 'plugins/Login')
diff --git a/plugins/Login/Controller.php b/plugins/Login/Controller.php
index 5faff40844..7e4d31b188 100644
--- a/plugins/Login/Controller.php
+++ b/plugins/Login/Controller.php
@@ -17,6 +17,24 @@
 */
 class Piwik_Login_Controller extends Piwik_Controller
 {
+ /**
+ * Generate hash on user info and password
+ *
+ * @param string $userinfo User name, email, etc
+ * @param string $password
+ * @return string
+ */
+ private function generateHash($userInfo, $password)
+ {
+ // mitigate rainbow table attack
+ $password = str_split($password, (strlen($password)/2)+1);
+ $hash = Piwik_Common::hash(
+ $userInfo . $password[0]
+ . Piwik_Common::getSalt() . $password[1]
+ );
+ return $hash;
+ }
+ /**
+ * Default action
+ *
@@ -193,7 +211,7 @@ class Piwik_Login_Controller extends Piwik_Controller
 */
 protected function lostPasswordFormValidated($loginMail)
 {
- if( $user === 'anonymous' )
+ if( $loginMail === 'anonymous' )
 {
 return Piwik_Translate('Login_InvalidUsernameEmail');
 }
@@ -379,7 +397,10 @@ class Piwik_Login_Controller extends Piwik_Controller
 }
 $expiry = strftime('%Y%m%d%H', $timestamp);
- $token = md5(Piwik_Common::getSalt() . md5($expiry . $user['login'] . $user['email'] . $user['password']));
+ $token = $this->generateHash(
+ $expiry . $user['login'] . $user['email'],
+ $user['password']
+ );
 return $token;
 }
-- cgit v1.2.3
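Review bot: `$password[1]` in the new `Piwik_Common::hash(...)` call in `generateHash` is an undefined offset for a password of two characters or fewer, because a chunk length of `(strlen/2)+1` makes `str_split` return a single chunk (`str_split('ab', 2)` is `['ab']`), and for odd lengths the chunk length is a non-integer float that `str_split` has to truncate; a `substr` split avoids both: `$half = (int) (strlen($password) / 2);` followed by `Piwik_Common::hash($userInfo . substr($password, 0, $half) . Piwik_Common::getSalt() . substr($password, $half))`. The only caller added in this commit passes the stored password value, so the short-input case may not arise there, but a private helper this general should not emit a notice on its edge cases. Reassigning `$password` to hold the chunk array shadows the string parameter; a separate name such as `$parts` reads more clearly. The docblock names the first parameter `$userinfo` while the signature uses `$userInfo`.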
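Review bot: The first argument passed to `generateHash` concatenates `$expiry`, `$user['login']` and `$user['email']` with no separator, so two different (login, email) pairs can yield the same input string when one login ends with the characters the other login's email starts with; a delimiter the login cannot contain, e.g. `$expiry . '|' . $user['login'] . '|' . $user['email']`, removes that ambiguity at no cost, provided the same construction is used wherever the token is verified. The practical impact is low because the hash also covers `$user['password']`, so the two accounts would additionally have to share the same stored password value, but the delimiter is still the safer default. Replacing the earlier nested-`md5` form also invalidates any reset token issued before this change; given the `%Y%m%d%H` hour-granularity expiry that is presumably acceptable but worth stating in the commit message. `strftime` is deprecated since PHP 8.1, and `date('YmdH', $timestamp)` produces the same string here. The enclosing function begins outside the hunk.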