1 files changed, 36 insertions, 15 deletions

diff --git a/cgi/manage.py b/cgi/manage.py
index 8a2c7e4..0badbd3 100644
--- a/cgi/manage.py
+++ b/cgi/manage.py
@@ -26,11 +26,9 @@ def manage(self, path_split):
     # If no admin accounts available, create admin:admin
     first_admin = FetchOne("SELECT 1 FROM `staff` WHERE `rights` = 0 LIMIT 1", 0)
     if not first_admin:
-      InsertDb("INSERT INTO `staff` (`username`, `password`, `added`, `rights`) VALUES ('admin', '" + _mysql.escape_string(genPasswd("admin")) + "', 0, 0)")
+      InsertDb("INSERT INTO `staff` (`username`, `password`, `added`, `rights`) VALUES ('admin', '" + _mysql.escape_string(genPasswdHash("admin")) + "', 0, 0)")
 
-    password = genPasswd(self.formdata['password'])
-    
-    staff_account = FetchOne("SELECT * FROM `staff` WHERE `username` = '" + _mysql.escape_string(self.formdata['username']) + "' AND `password` = '" + _mysql.escape_string(password) + "' LIMIT 1")
+    staff_account = verifyPasswd(self.formdata['username'], self.formdata['password'])
     if staff_account:
       session_uuid = newSession(staff_account['id'])
       setCookie(self, 'weabot_manage', session_uuid)
@@ -200,14 +198,11 @@ def manage(self, path_split):
                   if not username_taken:
                     if self.formdata['rights'] in ['0', '1', '2', '3']:
                       action_taken = True
-                      if not ':' in self.formdata['username']:
-                        password = genPasswd(self.formdata['password'])
+                      password = genPasswdHash(self.formdata['password'])
 
-                        InsertDb("INSERT INTO `staff` (`username`, `password`, `added`, `rights`) VALUES ('" + _mysql.escape_string(self.formdata['username']) + "', '" + _mysql.escape_string(password) + "', " + str(timestamp()) + ", " + self.formdata['rights'] + ")")
-                        message = _('Staff member added.')
-                        logAction(staff_account['username'], 'Added staff account for ' + self.formdata['username'])
-                      else:
-                        message = _('The character : can not be used in usernames.')
+                      InsertDb("INSERT INTO `staff` (`username`, `password`, `added`, `rights`) VALUES ('" + _mysql.escape_string(self.formdata['username']) + "', '" + _mysql.escape_string(password) + "', " + str(timestamp()) + ", " + self.formdata['rights'] + ")")
+                      message = _('Staff member added.')
+                      logAction(staff_account['username'], 'Added staff account for ' + self.formdata['username'])
                       
                       template_filename = "message.html"
                   else:
@@ -737,9 +732,9 @@ def manage(self, path_split):
         except:
           pass
         if form_submitted:
-          if genPasswd(self.formdata['oldpassword']) == staff_account['password']:
+          if verifyPasswd(staff_account['username'], self.formdata['oldpassword']):
             if self.formdata['newpassword'] == self.formdata['newpassword2']:
-              UpdateDb('UPDATE `staff` SET `password` = \'' + genPasswd(self.formdata['newpassword']) + '\' WHERE `id` = ' + staff_account['id'] + ' LIMIT 1')
+              UpdateDb('UPDATE `staff` SET `password` = \'' + genPasswdHash(self.formdata['newpassword']) + '\' WHERE `id` = ' + staff_account['id'] + ' LIMIT 1')
               message = _('Password successfully changed.  Please log out and log back in.')
               template_filename = "message.html"
             else:
@@ -1897,8 +1892,34 @@ def cleanSessions():
 def logAction(staff, action):
   InsertDb("INSERT INTO `logs` (`timestamp`, `staff`, `action`) VALUES (" + str(timestamp()) + ", '" + _mysql.escape_string(staff) + "\', \'" + _mysql.escape_string(action) + "\')")
 
-def genPasswd(string):
-  return getMD5(string + Settings.SECRET)
+def genPasswdHash(string):
+  import argon2
+  ph = argon2.PasswordHasher()
+  
+  return ph.hash(string)
+
+def verifyPasswd(username, passwd):
+  import argon2
+  ph = argon2.PasswordHasher()
+  
+  param_username = _mysql.escape_string(username)
+  staff_account = FetchOne("SELECT * FROM staff WHERE username = '%s'" % param_username)
+  if not staff_account:
+    return None
+  
+  try:
+    ph.verify(staff_account['password'], passwd)
+  except argon2.exceptions.VerifyMismatchError:
+    return None
+  except argon2.exceptions.InvalidHash:
+    raise UserError, "Hash obsoleto o inválido. Por favor contacte al administrador."
+    
+  if ph.check_needs_rehash(staff_account['password']):
+    param_new_hash = ph.hash(staff_acount['password'])
+    UpdateDb("UPDATE staff SET password = '%s' WHERE id = %d" %
+      (param_new_hash, staff_account['id']))
+  
+  return staff_account
 
 def boardlist():
   boards = FetchAll('SELECT * FROM `boards` ORDER BY `board_type`, `dir`')