author | Mario <mario@mariovavti.com> | 2021-03-22 09:50:12 +0100 |
---|---|---|
committer | Mario <mario@mariovavti.com> | 2021-03-22 09:50:12 +0100 |
commit | 13355d42f71e72c67e6cd993ee13f427a69c0eee (patch) | |
tree | 016a13c631b752023474bc7a4038efc0f62eeb59 /Zotlabs/Module | |
parent | 62fbdf3f63c4a32191af03c3d972c293541c0469 (diff) | |
air security: saving the password as hex string is not acceptable
Diffstat (limited to 'Zotlabs/Module')
-rw-r--r-- | Zotlabs/Module/Register.php | 16 |
1 files changed, 14 insertions, 2 deletions
diff --git a/Zotlabs/Module/Register.php b/Zotlabs/Module/Register.php index 078902b72..d865b7b49 100644 --- a/Zotlabs/Module/Register.php +++ b/Zotlabs/Module/Register.php @@ -369,6 +369,16 @@ class Register extends Controller { $reonar['chan.did1'] = notags(trim($arr['nickname'])); } + if($password_result['error']) { + $msg = $password_result['message']; + notice($msg); + zar_log($msg . ' ' . $did2); + goaway('register'); + } + + $salt = random_string(32); + $password = $salt . ',' . hash('whirlpool', $salt . $password); + $reg = q("INSERT INTO register (" . "reg_flags,reg_didx,reg_did2,reg_hash,reg_created,reg_startup,reg_expires," . "reg_email,reg_pass,reg_lang,reg_atip,reg_stuff)" @@ -381,7 +391,7 @@ class Register extends Controller { dbesc($regdelay), dbesc($regexpire), dbesc($email), - dbesc(bin2hex($password)), + dbesc($password), dbesc(substr(get_best_language(),0,2)), dbesc($ip), dbesc(json_encode( $reonar )) @@ -390,7 +400,9 @@ class Register extends Controller { if ($didx == 'a') { $lid = q("SELECT reg_id FROM register WHERE reg_vital = 1 AND reg_did2 = '%s' AND reg_pass = '%s' ", - dbesc($did2), dbesc(bin2hex($password)) ); + dbesc($did2), + dbesc($password) + ); if ($lid && count($lid) == 1 ) { |
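Review bot: The new `$password = $salt . ',' . hash('whirlpool', $salt . $password);` line in the first hunk stores a single pass of a fast general-purpose digest, which adds a salt but no work factor against offline guessing should a register row ever be exposed; PHP's `password_hash($password, PASSWORD_DEFAULT)` (bcrypt or Argon2, salted and cost-tunable, verified later with `password_verify()`) is the standard replacement and would also remove the hand-rolled `salt,hash` encoding. That swap is only viable if the code that later promotes a pending register row to an account does not depend on the whirlpool layout — if the layout is chosen deliberately to mirror the account table's scheme so the plaintext never has to be retained, that rationale belongs in a comment above the `$salt =` line, e.g. `// Same "salt,whirlpool" layout as the account password so the pending record can be promoted without keeping the plaintext`. Separately, `$password` is reassigned here from the plaintext to the encoded form and the `dbesc($password)` lines in the second and third hunks rely on that reassignment; a distinct name such as `$password_encoded` in all three places would make that flow obvious to the next reader. The enclosing method starts and ends outside the hunk, so the verification side of this scheme is not visible here.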