From aff11a70cb8e969801f2ea59505753d14abcd233 Mon Sep 17 00:00:00 2001 From: TOW Date: Wed, 3 Apr 2019 09:29:01 -0300 Subject: manage: Implementado algoritmo argon2 para contraseñas (#4) --- cgi/manage.py | 51 ++++++++++++++++++++++++++++++++++++--------------- 1 file changed, 36 insertions(+), 15 deletions(-) (limited to 'cgi') diff --git a/cgi/manage.py b/cgi/manage.py index 8a2c7e4..0badbd3 100644 --- a/cgi/manage.py +++ b/cgi/manage.py @@ -26,11 +26,9 @@ def manage(self, path_split): # If no admin accounts available, create admin:admin first_admin = FetchOne("SELECT 1 FROM `staff` WHERE `rights` = 0 LIMIT 1", 0) if not first_admin: - InsertDb("INSERT INTO `staff` (`username`, `password`, `added`, `rights`) VALUES ('admin', '" + _mysql.escape_string(genPasswd("admin")) + "', 0, 0)") + InsertDb("INSERT INTO `staff` (`username`, `password`, `added`, `rights`) VALUES ('admin', '" + _mysql.escape_string(genPasswdHash("admin")) + "', 0, 0)") - password = genPasswd(self.formdata['password']) - - staff_account = FetchOne("SELECT * FROM `staff` WHERE `username` = '" + _mysql.escape_string(self.formdata['username']) + "' AND `password` = '" + _mysql.escape_string(password) + "' LIMIT 1") + staff_account = verifyPasswd(self.formdata['username'], self.formdata['password']) if staff_account: session_uuid = newSession(staff_account['id']) setCookie(self, 'weabot_manage', session_uuid) @@ -200,14 +198,11 @@ def manage(self, path_split): if not username_taken: if self.formdata['rights'] in ['0', '1', '2', '3']: action_taken = True - if not ':' in self.formdata['username']: - password = genPasswd(self.formdata['password']) + password = genPasswdHash(self.formdata['password']) - InsertDb("INSERT INTO `staff` (`username`, `password`, `added`, `rights`) VALUES ('" + _mysql.escape_string(self.formdata['username']) + "', '" + _mysql.escape_string(password) + "', " + str(timestamp()) + ", " + self.formdata['rights'] + ")") - message = _('Staff member added.') - logAction(staff_account['username'], 'Added staff account for ' + self.formdata['username']) - else: - message = _('The character : can not be used in usernames.') + InsertDb("INSERT INTO `staff` (`username`, `password`, `added`, `rights`) VALUES ('" + _mysql.escape_string(self.formdata['username']) + "', '" + _mysql.escape_string(password) + "', " + str(timestamp()) + ", " + self.formdata['rights'] + ")") + message = _('Staff member added.') + logAction(staff_account['username'], 'Added staff account for ' + self.formdata['username']) template_filename = "message.html" else: @@ -737,9 +732,9 @@ def manage(self, path_split): except: pass if form_submitted: - if genPasswd(self.formdata['oldpassword']) == staff_account['password']: + if verifyPasswd(staff_account['username'], self.formdata['oldpassword']): if self.formdata['newpassword'] == self.formdata['newpassword2']: - UpdateDb('UPDATE `staff` SET `password` = \'' + genPasswd(self.formdata['newpassword']) + '\' WHERE `id` = ' + staff_account['id'] + ' LIMIT 1') + UpdateDb('UPDATE `staff` SET `password` = \'' + genPasswdHash(self.formdata['newpassword']) + '\' WHERE `id` = ' + staff_account['id'] + ' LIMIT 1') message = _('Password successfully changed. Please log out and log back in.') template_filename = "message.html" else: @@ -1897,8 +1892,34 @@ def cleanSessions(): def logAction(staff, action): InsertDb("INSERT INTO `logs` (`timestamp`, `staff`, `action`) VALUES (" + str(timestamp()) + ", '" + _mysql.escape_string(staff) + "\', \'" + _mysql.escape_string(action) + "\')") -def genPasswd(string): - return getMD5(string + Settings.SECRET) +def genPasswdHash(string): + import argon2 + ph = argon2.PasswordHasher() + + return ph.hash(string) + +def verifyPasswd(username, passwd): + import argon2 + ph = argon2.PasswordHasher() + + param_username = _mysql.escape_string(username) + staff_account = FetchOne("SELECT * FROM staff WHERE username = '%s'" % param_username) + if not staff_account: + return None + + try: + ph.verify(staff_account['password'], passwd) + except argon2.exceptions.VerifyMismatchError: + return None + except argon2.exceptions.InvalidHash: + raise UserError, "Hash obsoleto o inválido. Por favor contacte al administrador." + + if ph.check_needs_rehash(staff_account['password']): + param_new_hash = ph.hash(staff_acount['password']) + UpdateDb("UPDATE staff SET password = '%s' WHERE id = %d" % + (param_new_hash, staff_account['id'])) + + return staff_account def boardlist(): boards = FetchAll('SELECT * FROM `boards` ORDER BY `board_type`, `dir`') -- cgit v1.2.1-18-gbd029