-rw-r--r--cgi/manage.py51
1 files changed, 36 insertions, 15 deletions
diff --git a/cgi/manage.py b/cgi/manage.py
index 8a2c7e4..0badbd3 100644
--- a/cgi/manage.py
+++ b/cgi/manage.py
@@ -26,11 +26,9 @@ def manage(self, path_split):
# If no admin accounts available, create admin:admin
first_admin = FetchOne("SELECT 1 FROM `staff` WHERE `rights` = 0 LIMIT 1", 0)
if not first_admin:
- InsertDb("INSERT INTO `staff` (`username`, `password`, `added`, `rights`) VALUES ('admin', '" + _mysql.escape_string(genPasswd("admin")) + "', 0, 0)")
+ InsertDb("INSERT INTO `staff` (`username`, `password`, `added`, `rights`) VALUES ('admin', '" + _mysql.escape_string(genPasswdHash("admin")) + "', 0, 0)")
- password = genPasswd(self.formdata['password'])
-
- staff_account = FetchOne("SELECT * FROM `staff` WHERE `username` = '" + _mysql.escape_string(self.formdata['username']) + "' AND `password` = '" + _mysql.escape_string(password) + "' LIMIT 1")
+ staff_account = verifyPasswd(self.formdata['username'], self.formdata['password'])
if staff_account:
session_uuid = newSession(staff_account['id'])
setCookie(self, 'weabot_manage', session_uuid)
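Review bot: The login path now goes through `verifyPasswd`, which (in the last hunk) raises `UserError` on `argon2.exceptions.InvalidHash`, yet every `staff` row written before this commit holds an MD5 digest from the old `genPasswd`; no migration accompanies the change, so on an upgraded install every existing account becomes unusable, and the `first_admin` bootstrap a few lines above does not help because a rights-0 row still exists. A one-time migration step (a documented manual reset of legacy rows, or a script that does it) should ship with this change, and a comment above the `verifyPasswd` call such as `# pre-argon2 (MD5) rows are rejected with InvalidHash; see verifyPasswd` would save the next maintainer a debugging session. It is also not visible here whether the `UserError` raised inside `verifyPasswd` is caught somewhere above this handler and rendered, or surfaces as an unhandled error; worth confirming. The enclosing `manage` body starts and ends outside this hunk.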
@@ -200,14 +198,11 @@ def manage(self, path_split):
if not username_taken:
if self.formdata['rights'] in ['0', '1', '2', '3']:
action_taken = True
- if not ':' in self.formdata['username']:
- password = genPasswd(self.formdata['password'])
+ password = genPasswdHash(self.formdata['password'])
- InsertDb("INSERT INTO `staff` (`username`, `password`, `added`, `rights`) VALUES ('" + _mysql.escape_string(self.formdata['username']) + "', '" + _mysql.escape_string(password) + "', " + str(timestamp()) + ", " + self.formdata['rights'] + ")")
- message = _('Staff member added.')
- logAction(staff_account['username'], 'Added staff account for ' + self.formdata['username'])
- else:
- message = _('The character : can not be used in usernames.')
+ InsertDb("INSERT INTO `staff` (`username`, `password`, `added`, `rights`) VALUES ('" + _mysql.escape_string(self.formdata['username']) + "', '" + _mysql.escape_string(password) + "', " + str(timestamp()) + ", " + self.formdata['rights'] + ")")
+ message = _('Staff member added.')
+ logAction(staff_account['username'], 'Added staff account for ' + self.formdata['username'])
template_filename = "message.html"
else:
@@ -737,9 +732,9 @@ def manage(self, path_split):
except:
pass
if form_submitted:
- if genPasswd(self.formdata['oldpassword']) == staff_account['password']:
+ if verifyPasswd(staff_account['username'], self.formdata['oldpassword']):
if self.formdata['newpassword'] == self.formdata['newpassword2']:
- UpdateDb('UPDATE `staff` SET `password` = \'' + genPasswd(self.formdata['newpassword']) + '\' WHERE `id` = ' + staff_account['id'] + ' LIMIT 1')
+ UpdateDb('UPDATE `staff` SET `password` = \'' + genPasswdHash(self.formdata['newpassword']) + '\' WHERE `id` = ' + staff_account['id'] + ' LIMIT 1')
message = _('Password successfully changed. Please log out and log back in.')
template_filename = "message.html"
else:
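Review bot: The `UpdateDb` line that now calls `genPasswdHash` interpolates the returned hash into the statement without `_mysql.escape_string`, whereas the staff INSERT in the add-staff hunk wraps the same kind of value in it; argon2's encoded form contains no quote characters today, but keeping the escaping uniform costs one call: `UpdateDb('UPDATE `staff` SET `password` = \'' + _mysql.escape_string(genPasswdHash(self.formdata['newpassword'])) + '\' WHERE `id` = ' + staff_account['id'] + ' LIMIT 1')`. The same unescaped interpolation appears in the rehash UPDATE inside `verifyPasswd` in the last hunk. The raw concatenation of `staff_account['id']` is pre-existing and untouched by this commit. The enclosing `manage` body starts and ends outside this hunk.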
@@ -1897,8 +1892,34 @@ def cleanSessions():
def logAction(staff, action):
InsertDb("INSERT INTO `logs` (`timestamp`, `staff`, `action`) VALUES (" + str(timestamp()) + ", '" + _mysql.escape_string(staff) + "\', \'" + _mysql.escape_string(action) + "\')")
-def genPasswd(string):
- return getMD5(string + Settings.SECRET)
+def genPasswdHash(string):
+ import argon2
+ ph = argon2.PasswordHasher()
+
+ return ph.hash(string)
+
+def verifyPasswd(username, passwd):
+ import argon2
+ ph = argon2.PasswordHasher()
+
+ param_username = _mysql.escape_string(username)
+ staff_account = FetchOne("SELECT * FROM staff WHERE username = '%s'" % param_username)
+ if not staff_account:
+ return None
+
+ try:
+ ph.verify(staff_account['password'], passwd)
+ except argon2.exceptions.VerifyMismatchError:
+ return None
+ except argon2.exceptions.InvalidHash:
+ raise UserError, "Hash obsoleto o inválido. Por favor contacte al administrador."
+
+ if ph.check_needs_rehash(staff_account['password']):
+ param_new_hash = ph.hash(staff_acount['password'])
+ UpdateDb("UPDATE staff SET password = '%s' WHERE id = %d" %
+ (param_new_hash, staff_account['id']))
+
+ return staff_account
def boardlist():
boards = FetchAll('SELECT * FROM `boards` ORDER BY `board_type`, `dir`')
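Review bot: The `check_needs_rehash` branch of `verifyPasswd` cannot work as written: `staff_acount` on the `ph.hash(...)` line is a misspelling of `staff_account`, so the first login after any argon2 parameter change raises `NameError`, and even with the name fixed it hashes the stored hash rather than the password just verified, locking that user out on the next login; the line should read `param_new_hash = ph.hash(passwd)`. The `%d` in the following UPDATE is also suspect, since the password-change hunk concatenates `staff_account['id']` as a string, which suggests row values come back as strings from `FetchOne`; `%s` with the value escaped (or an explicit `int(...)`) is the safer form, and passing `param_new_hash` through `_mysql.escape_string` would match the add-staff INSERT. The `InvalidHash` branch raises a fixed Spanish message while every other user-facing string on this page goes through `_()`, so `raise UserError, _("Hash obsoleto o inválido. Por favor contacte al administrador.")` keeps it translatable. A short docstring on `verifyPasswd` stating that it returns the staff row on success, `None` on mismatch or unknown user, and raises `UserError` for pre-argon2 hashes would make the contract clear to the two callers in `manage`.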