Help
Sign In
core
/
metropolis-utils
2
0
Fork 0
Files
Browse Source

Fix some small issues

nsITobin 2 years ago
parent
99fc9eb60f
commit
afd4164afc
1 changed files with 7 additions and 8 deletions
Split View Show Diff Stats
  1. 7 8
      fundamentals.php

+ 7 - 8
fundamentals.php
View File 

@@ -115,7 +115,7 @@ const REGEX_HOST            = "/[a-z0-9-\._]+\@[a-z0-9-\._]+/i";
 
 
 // --------------------------------------------------------------------------------------------------------------------
 
 
-const PASSWORD_CLEARTEXT    = "clear";
 
+const PASSWORD_CLEARTEXT    = "clrtxt";
 
 const PASSWORD_HTACCESS     = "apr1";
 
 
 const BASE64_ALPHABET       = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/';
 
@@ -732,7 +732,7 @@ function gfPasswordHash($aPassword, $aCrypt = PASSWORD_BCRYPT, $aSalt = null) {
 
       gfError($ePrefix . 'Cannot "hash" this Clear Text password because it contains a dollar sign.');
 
     }
 
 
-    return DOLLAR . PASSWORD_CLEARTEXT . DOLLAR . $aPassword;
 
+    return DOLLAR . PASSWORD_CLEARTEXT . DOLLAR . time() . DOLLAR . $aPassword;
 
   }
 
 
   // We want to be able to generate Apache APR1-MD5 hashes for use in .htpasswd situations.
 
@@ -769,7 +769,6 @@ function gfPasswordHash($aPassword, $aCrypt = PASSWORD_BCRYPT, $aSalt = null) {
 
       if ($i % 3) {
 
         $new .= $salt;
 
       }
 
-
 
       if ($i % 7) {
 
         $new .= $aPassword;
 
       }
 
@@ -805,15 +804,15 @@ function gfPasswordHash($aPassword, $aCrypt = PASSWORD_BCRYPT, $aSalt = null) {
 
 function gfPasswordVerify($aPassword, $aHash) {
 
   $ePrefix = __FUNCTION__ . DASH_SEPARATOR;
 
 
-  // We can accept a pseudo-hash for clear text passwords in the format of $clear$clear-text-password
 
+  // We can accept a pseudo-hash for clear text passwords in the format of $clrtxt$unix-epoch$clear-text-password
 
   if (str_starts_with($aHash, DOLLAR . PASSWORD_CLEARTEXT)) {
 
-    $password = gfExplodeString(DOLLAR, $aHash)[1] ?? null;
 
+    $password = gfExplodeString(DOLLAR, $aHash) ?? null;
 
 
-    if($password == null || count($password) > 2) {
 
+    if ($password == null || count($password) > 3) {
 
       gfError($ePrefix . 'Unable to "verify" this Clear Text "hashed" password.');
 
     }
 
 
-    return $aPassword === $password;
 
+    return $aPassword === $password[2];
 
   }
 
 
   // We can also accept an Apache APR1-MD5 password that is commonly used in .htpasswd
 
@@ -824,7 +823,7 @@ function gfPasswordVerify($aPassword, $aHash) {
 
       gfError($ePrefix . 'Unable to verify this Apache APR1-MD5 hashed password.');
 
     }
 
 
-    return gfPasswdHash($aPassword, PASSWORD_HTACCESS, $salt) === $aHash;
 
+    return gfPasswordHash($aPassword, PASSWORD_HTACCESS, $salt) === $aHash;
 
   }
 
 
   // For everything else send to the native password_verify function.