diff --git a/src/messenger/webim/libs/operator.php b/src/messenger/webim/libs/operator.php
index c685f7f5..d3f8d6ca 100644
--- a/src/messenger/webim/libs/operator.php
+++ b/src/messenger/webim/libs/operator.php
@@ -15,6 +15,8 @@
  * limitations under the License.
  */
+$remember_cookie_name = 'mibew_operator';
+
 $can_administrate = 0;
 $can_takeover = 1;
 $can_viewthreads = 2;
@@ -34,7 +36,7 @@ function operator_by_login($login)
 global $mysqlprefix;
 $link = connect();
 $operator = select_one_row(
- "select * from ${mysqlprefix}chatoperator where vclogin = '" . mysql_real_escape_string($login) . "'", $link);
+ "select * from ${mysqlprefix}chatoperator where vclogin = '" . mysql_real_escape_string($login, $link) . "'", $link);
 mysql_close($link);
 return $operator;
 }
@@ -103,7 +105,7 @@ function update_operator($operatorid, $login, $email, $jabber, $password, $local
 ", vcemail = '%s', vcjabbername= '%s', inotify = %s" .
 " where operatorid = %s",
 mysql_real_escape_string($login, $link),
- ($password ? " vcpassword='" . md5($password) . "'," : ""),
+ ($password ? " vcpassword='" . mysql_real_escape_string(calculate_password_hash($login, $password), $link) . "'," : ""),
 mysql_real_escape_string($localename, $link),
 mysql_real_escape_string($commonname, $link),
 mysql_real_escape_string($email, $link),
@@ -133,7 +135,7 @@ function create_operator_($login, $email, $jabber, $password, $localename, $comm
 $query = sprintf(
 "insert into ${mysqlprefix}chatoperator (vclogin,vcpassword,vclocalename,vccommonname,vcavatar,vcemail,vcjabbername,inotify) values ('%s','%s','%s','%s','%s','%s','%s',%s)",
 mysql_real_escape_string($login, $link),
- md5($password),
+ mysql_real_escape_string(calculate_password_hash($login, $password), $link),
 mysql_real_escape_string($localename, $link),
 mysql_real_escape_string($commonname, $link),
 mysql_real_escape_string($avatar, $link),
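Review bot: The new vcpassword fragment salts the hash with the `$login` argument while the same statement updates the login itself (if the query's first `%s`, outside the hunk, is vclogin as the argument order suggests), so renaming an operator without also supplying a password leaves a hash salted with the old login that `check_password_hash($newlogin, …)` can never reproduce, locking that operator out. create_operator_ in the next hunk stores the same login-salted hash. Either recompute the hash whenever the login changes, or — preferably — stop deriving the salt from the login at all (see the calculate_password_hash hunk). Separately, `$password ?` still treats a password of `"0"` as "unchanged"; `$password !== ''` is the intended test. update_operator's body starts and ends outside the hunk.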
@@ -209,12 +211,12 @@ function append_query($link, $pv)
 function check_login($redirect = true)
 {
- global $webimroot, $mysqlprefix;
+ global $webimroot, $mysqlprefix, $remember_cookie_name;
 if (!isset($_SESSION["${mysqlprefix}operator"])) {
- if (isset($_COOKIE['webim_lite'])) {
- list($login, $pwd) = preg_split("/,/", $_COOKIE['webim_lite'], 2);
+ if (isset($_COOKIE[$remember_cookie_name])) {
+ list($login, $pwd) = preg_split('/\x0/', base64_decode($_COOKIE[$remember_cookie_name]), 2);
 $op = operator_by_login($login);
- if ($op && isset($pwd) && isset($op['vcpassword']) && md5($op['vcpassword']) == $pwd) {
+ if ($op && isset($pwd) && isset($op['vcpassword']) && calculate_password_hash($op['vclogin'], $op['vcpassword']) == $pwd) {
 $_SESSION["${mysqlprefix}operator"] = $op;
 return $op;
 }
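Review bot: The cookie check on the last `+` line accepts any value equal to `calculate_password_hash($op['vclogin'], $op['vcpassword'])`, a deterministic function of two database columns compared with `==`; because that function uses the login as the bcrypt salt and bcrypt requires exactly 22 characters of `[./A-Za-z0-9]`, most logins give crypt() an invalid salt and PHP then returns a short, input-independent failure marker (`*0` on recent builds — confirm on the deployed PHP), so for such operators the "remember me" token no longer depends on the password and is derivable from the login alone. A remember token should be an independent random secret per operator kept server-side (or at minimum an HMAC over login and hash under a server-side key), compared with `hash_equals()` where available (PHP 5.6+). `preg_split('/\x0/', base64_decode(...), 2)` yields a single element when no NUL is present, so `list()` raises a notice before `isset($pwd)` catches it; check the element count first, and expire a cookie that fails verification instead of leaving it in place. check_login's body continues outside the hunk.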
@@ -240,26 +242,26 @@ function get_logged_in()
 return isset($_SESSION["${mysqlprefix}operator"]) ? $_SESSION["${mysqlprefix}operator"] : FALSE;
 }
-function login_operator($operator, $remember)
+function login_operator($operator, $remember, $https = FALSE)
 {
- global $webimroot, $mysqlprefix;
+ global $webimroot, $mysqlprefix, $remember_cookie_name;
 $_SESSION["${mysqlprefix}operator"] = $operator;
 if ($remember) {
- $value = $operator['vclogin'] . "," . md5($operator['vcpassword']);
- setcookie('webim_lite', $value, time() + 60 * 60 * 24 * 1000, "$webimroot/");
+ $value = base64_encode($operator['vclogin'] . "\x0" . calculate_password_hash($operator['vclogin'], $operator['vcpassword']));
+ setcookie($remember_cookie_name, $value, time() + 60 * 60 * 24 * 1000, "$webimroot/", NULL, $https, TRUE);
- } else if (isset($_COOKIE['webim_lite'])) {
- setcookie('webim_lite', '', time() - 3600, "$webimroot/");
+ } else if (isset($_COOKIE[$remember_cookie_name])) {
+ setcookie($remember_cookie_name, '', time() - 3600, "$webimroot/");
 }
 }
 function logout_operator()
 {
- global $webimroot, $mysqlprefix;
+ global $webimroot, $mysqlprefix, $remember_cookie_name;
 unset($_SESSION["${mysqlprefix}operator"]);
 unset($_SESSION['backpath']);
- if (isset($_COOKIE['webim_lite'])) {
- setcookie('webim_lite', '', time() - 3600, "$webimroot/");
+ if (isset($_COOKIE[$remember_cookie_name])) {
+ setcookie($remember_cookie_name, '', time() - 3600, "$webimroot/");
 }
 }
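Review bot: `login_operator` assigns the operator into `$_SESSION` without first calling `session_regenerate_id(true)`, so a session id the browser already carried before authenticating stays valid afterwards; add `session_regenerate_id(true);` immediately before `$_SESSION["${mysqlprefix}operator"] = $operator;`, and have logout_operator call `session_destroy()` after its two unsets so the old id is retired too. The remember cookie is issued for `time() + 60 * 60 * 24 * 1000` (roughly 2.7 years) and its value rotates only when the password changes; name that lifetime as a constant and choose something far shorter. The value itself inherits the problem raised on the check_login hunk, since it is the same login-salted derivation of the stored hash.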
@@ -404,4 +406,33 @@ function get_operator_groupids($operatorid)
 return $result;
 }
+function calculate_password_hash($login, $password)
+{
+
+ if (CRYPT_BLOWFISH == 1) {
+ if (defined('PHP_VERSION_ID') && (PHP_VERSION_ID > 50306)) {
+ return crypt($password, '$2y$08$' . $login);
+ }
+ else {
+ return crypt($password, '$2a$08$' . $login);
+ }
+ }
+ else if (CRYPT_MD5 == 1) {
+ return crypt($password, '$1$' . $login);
+ }
+
+ return md5($password);
+}
+
+function check_password_hash($login, $password, $hash)
+{
+ if (preg_match('/^\$/', $hash)) {
+ return (calculate_password_hash($login, $password) == $hash);
+ }
+ else {
+ return (md5($password) == $hash);
+ }
+
+}
+
 ?>
diff --git a/src/messenger/webim/operator/index.php b/src/messenger/webim/operator/index.php
index 439fd97c..dd04117d 100644
--- a/src/messenger/webim/operator/index.php
+++ b/src/messenger/webim/operator/index.php
@@ -29,7 +29,7 @@ $page = array(
 'version' => $version,
 'localeLinks' => get_locale_links("$webimroot/operator/index.php"),
 'needUpdate' => $settings['dbversion'] != $dbversion,
- 'needChangePassword' => $operator['vcpassword'] == md5(''),
+ 'needChangePassword' => check_password_hash($operator['vclogin'], '', $operator['vcpassword']),
 'profilePage' => "$webimroot/operator/operator.php?op=".safe_htmlspecialchars($operator['operatorid']),
 'updateWizard' => "$webimroot/install/",
 'newFeatures' => $settings['featuresversion'] != $featuresversion,
diff --git a/src/messenger/webim/operator/login.php b/src/messenger/webim/operator/login.php
index 286e0c45..9b88c694 100644
--- a/src/messenger/webim/operator/login.php
+++ b/src/messenger/webim/operator/login.php
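Review bot: `crypt($password, '$2y$08$' . $login)` uses the operator's login as the bcrypt salt, but bcrypt requires exactly 22 characters from `[./A-Za-z0-9]` after the cost; for any other login crypt() does not hash at all and returns a short failure marker (`*0` on recent PHP — confirm for the deployed version), so the stored value is the same for every password, and the `$1$` branch silently truncates the login to 8 salt characters so logins sharing a prefix share a salt. A salt must also be random and per-record rather than a predictable identifier, and tying it to the login means a hash stops verifying the moment the login is renamed. Generate a random salt (or use `password_hash()` where PHP >= 5.5), keep the `$login` parameter only for call-site compatibility, and have check_password_hash verify with `crypt($password, $hash) === $hash` so the stored hash supplies its own algorithm and salt; both existing `==` comparisons should become `===`, since hex md5 digests of the form `0e…` compare equal as numbers under `==`. check_login's cookie comparison depends on this function being deterministic and needs its own token once the salt is random.
```php
function calculate_password_hash($login, $password)
{
    // $login is retained for call-site compatibility only; the salt is random.
    if (function_exists('password_hash')) { // PHP >= 5.5
        return password_hash($password, PASSWORD_BCRYPT, array('cost' => 8));
    }
    // 16 random bytes -> 24 base64 chars -> 22 chars of the crypt salt alphabet.
    // A fallback is needed where the openssl extension is absent.
    $salt = substr(strtr(base64_encode(openssl_random_pseudo_bytes(16)), '+', '.'), 0, 22);
    if (CRYPT_BLOWFISH == 1) {
        $prefix = (defined('PHP_VERSION_ID') && (PHP_VERSION_ID > 50306)) ? '$2y$08$' : '$2a$08$';
        return crypt($password, $prefix . $salt);
    }
    else if (CRYPT_MD5 == 1) {
        return crypt($password, '$1$' . substr($salt, 0, 8) . '$');
    }
    return md5($password);
}

function check_password_hash($login, $password, $hash)
{
    if (preg_match('/^\$/', $hash)) {
        // crypt() reads the algorithm and salt back out of the stored hash.
        return crypt($password, $hash) === $hash;
    }
    // Legacy unsalted md5 rows; strict compare avoids "0e..." numeric-string juggling.
    return md5($password) === $hash;
}
```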
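Review bot: `check_password_hash($operator['vclogin'], '', $operator['vcpassword'])` now performs a full crypt() (bcrypt cost 8 where available) on every render of this page purely to learn whether the password is still empty; operator.php's `$page['needChangePassword']` line in a later hunk does the same. Compute the flag once at login and keep a boolean in the session, or compare against a value stored alongside the hash. With a login-derived salt the expression is also false for any operator whose login does not form a valid salt, so the "change your password" prompt disappears exactly for the accounts whose stored hash is broken. The `$page = array(` literal begins and ends outside the hunk.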
@@ -27,7 +27,7 @@ if (isset($_POST['login']) && isset($_POST['password'])) {
 $remember = isset($_POST['isRemember']) && $_POST['isRemember'] == "on";
 $operator = operator_by_login($login);
- if ($operator && isset($operator['vcpassword']) && $operator['vcpassword'] == md5($password)) {
+ if ($operator && isset($operator['vcpassword']) && check_password_hash($login, $password, $operator['vcpassword'])) {
 $target = $password == '' ? "$webimroot/operator/operator.php?op=" . intval($operator['operatorid'])
@@ -35,7 +35,7 @@ if (isset($_POST['login']) && isset($_POST['password'])) {
 ? $_SESSION['backpath'] : "$webimroot/operator/index.php");
- login_operator($operator, $remember);
+ login_operator($operator, $remember, is_secure_request());
 header("Location: $target");
 exit;
 } else {
diff --git a/src/messenger/webim/operator/operator.php b/src/messenger/webim/operator/operator.php
index 3be44b55..8dda95a2 100644
--- a/src/messenger/webim/operator/operator.php
+++ b/src/messenger/webim/operator/operator.php
@@ -90,8 +90,8 @@ if (isset($_POST['login']) && isset($_POST['password'])) {
 update_operator($opId, $login, $email, $jabber, $password, $localname, $commonname, $jabbernotify ? 1 : 0);
 // update the session password
 if (!empty($password) && $opId == $operator['operatorid']) {
- $toDashboard = $operator['vcpassword'] == md5('') && $password != '';
- $_SESSION["${mysqlprefix}operator"]['vcpassword'] = md5($password);
+ $toDashboard = check_password_hash($login, '', $operator['vcpassword']) && $password != '';
+ $_SESSION["${mysqlprefix}operator"]['vcpassword'] = calculate_password_hash($login, $password);
 if($toDashboard) {
 header("Location: $webimroot/operator/index.php");
 exit;
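Review bot: `check_password_hash($login, $password, $operator['vcpassword'])` salts with the login as submitted (`$login` is assigned above the hunk), whereas index.php and operator.php derive the salt from `$operator['vclogin']` taken from the row `operator_by_login` returned; if that lookup is not byte-exact — presumably a case-insensitive collation on vclogin — the row is found but verification fails. The operator.php hunk in this section has the same mismatch on both `+` lines, and its `check_password_hash($login, '', $operator['vcpassword'])` additionally tests a hash salted with the current login against the possibly renamed one. Use the stored login consistently: `check_password_hash($operator['vclogin'], $password, $operator['vcpassword'])` here, and `$operator['vclogin']` in both operator.php lines. The enclosing `if (isset($_POST['login']) …)` block begins and ends outside the hunk.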
@@ -138,7 +138,7 @@ $canmodify = ($opId == $operator['operatorid'] && is_capable($can_modifyprofile,
 $page['stored'] = isset($_GET['stored']);
 $page['canmodify'] = $canmodify ? "1" : "";
 $page['showjabber'] = $settings['enablejabber'] == "1";
-$page['needChangePassword'] = $operator['vcpassword'] == md5('');
+$page['needChangePassword'] = check_password_hash($operator['vclogin'], '', $operator['vcpassword']);
 prepare_menu($operator);
 setup_operator_settings_tabs($opId, 0);
diff --git a/src/messenger/webim/operator/resetpwd.php b/src/messenger/webim/operator/resetpwd.php
index 908c39fc..b6eade11 100644
--- a/src/messenger/webim/operator/resetpwd.php
+++ b/src/messenger/webim/operator/resetpwd.php
@@ -49,7 +49,7 @@ if (count($errors) == 0 && isset($_POST['password'])) {
 $page['isdone'] = true;
 $link = connect();
- $query = "update ${mysqlprefix}chatoperator set vcpassword = '" . md5($password) . "', vcrestoretoken = '' where operatorid = " . intval($opId);
+ $query = "update ${mysqlprefix}chatoperator set vcpassword = '" . mysql_real_escape_string(calculate_password_hash($operator['vclogin'], $password), $link) . "', vcrestoretoken = '' where operatorid = " . intval($opId);
 perform_query($query, $link);
 mysql_close($link);