authorMario <mario@mariovavti.com>2021-03-22 09:50:12 +0100
committerMario <mario@mariovavti.com>2021-03-22 09:50:12 +0100
commit13355d42f71e72c67e6cd993ee13f427a69c0eee (patch)
tree016a13c631b752023474bc7a4038efc0f62eeb59 /Zotlabs/Module
parent62fbdf3f63c4a32191af03c3d972c293541c0469 (diff)
air security: saving the password as hex string is not acceptable
Diffstat (limited to 'Zotlabs/Module')
-rw-r--r--Zotlabs/Module/Register.php16
1 files changed, 14 insertions, 2 deletions
diff --git a/Zotlabs/Module/Register.php b/Zotlabs/Module/Register.php
index 078902b72..d865b7b49 100644
--- a/Zotlabs/Module/Register.php
+++ b/Zotlabs/Module/Register.php
@@ -369,6 +369,16 @@ class Register extends Controller {
$reonar['chan.did1'] = notags(trim($arr['nickname']));
}
+ if($password_result['error']) {
+ $msg = $password_result['message'];
+ notice($msg);
+ zar_log($msg . ' ' . $did2);
+ goaway('register');
+ }
+
+ $salt = random_string(32);
+ $password = $salt . ',' . hash('whirlpool', $salt . $password);
+
$reg = q("INSERT INTO register ("
. "reg_flags,reg_didx,reg_did2,reg_hash,reg_created,reg_startup,reg_expires,"
. "reg_email,reg_pass,reg_lang,reg_atip,reg_stuff)"
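Review bot: `hash('whirlpool', $salt . $password)` on the added line is a single fast digest rather than a password-hashing function, so the stored `reg_pass` stays cheap to brute-force offline if the register table leaks; `$password = password_hash($password, PASSWORD_DEFAULT);` (with `password_verify()` wherever `reg_pass` is later checked) gives a salted, work-factor-tunable hash in one line and keeps the exact-match lookup in the third hunk working, since the value inserted and the value looked up are the same `$password` string. If the `salt,digest` layout is deliberately mirroring how account passwords are stored elsewhere in the codebase, that constraint belongs in a comment above the assignment, e.g. `// must match the scheme applied when the pending registration becomes an account`. Two things the hunk does not show and that should be confirmed are that `random_string()` draws from a CSPRNG (the salt is the only thing keeping identical passwords from producing identical rows) and that the `reg_pass` column is wide enough for the presumably 32-character salt, the comma and the 128-character whirlpool hex digest. The `$password_result` tested at the top of the hunk is assigned outside it, and the enclosing method continues past the hunk.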
@@ -381,7 +391,7 @@ class Register extends Controller {
dbesc($regdelay),
dbesc($regexpire),
dbesc($email),
- dbesc(bin2hex($password)),
+ dbesc($password),
dbesc(substr(get_best_language(),0,2)),
dbesc($ip),
dbesc(json_encode( $reonar ))
@@ -390,7 +400,9 @@ class Register extends Controller {
if ($didx == 'a') {
$lid = q("SELECT reg_id FROM register WHERE reg_vital = 1 AND reg_did2 = '%s' AND reg_pass = '%s' ",
- dbesc($did2), dbesc(bin2hex($password)) );
+ dbesc($did2),
+ dbesc($password)
+ );
if ($lid && count($lid) == 1 ) {