MISP
/
MISP
mirror of https://github.com/MISP/MISP
2
2
Fork 0
Code Issues Releases Wiki Activity

fix: [login] Convert old password hash to blowfish

pull/6895/head
Jakub Onderka 2021-01-20 21:05:37 +01:00
parent b40d4ee160
commit 2bdd086dc4
1 changed files with 19 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
app/Controller/UsersController.php
View File

@ -1115,6 +1115,7 @@ class UsersController extends AppController
public function login()
{
$oldHash = false;
if ($this->request->is('post') || $this->request->is('put')) {
$this->Bruteforce = ClassRegistry::init('Bruteforce');
if (!empty($this->request->data['User']['email'])) {
@ -1123,6 +1124,17 @@ class UsersController extends AppController
throw new ForbiddenException('You have reached the maximum number of login attempts. Please wait ' . $expire . ' seconds and try again.');
}
}
// Check the length of the user's authkey match old format. This can be removed in future.
$userPass = $this->User->find('first', [
'conditions' => ['User.email' => $this->request->data['User']['email']],
'fields' => ['User.password'],
'recursive' => -1,
]);
if (!empty($userPass) && strlen($userPass['User']['password']) === 40) {
$oldHash = true;
unset($this->Auth->authenticate['Form']['passwordHasher']); // use default password hasher
$this->Auth->constructAuthenticate();
}
}
if ($this->request->is('post') && Configure::read('Security.email_otp_enabled')) {
$user = $this->Auth->identify($this->request, $this->response);
@ -1135,6 +1147,13 @@ class UsersController extends AppController
$this->set('formLoginEnabled', $formLoginEnabled);
if ($this->Auth->login()) {
if ($oldHash) {
// Convert old style password hash to blowfish
$passwordToSave = $this->request->data['User']['password'];
$hasher = new BlowfishPasswordHasher();
$hashedPassword = $hasher->hash($passwordToSave);
$this->User->save(['id' => $this->Auth->user('id'), 'password' => $hashedPassword], false, ['password']);
}
$this->_postlogin();
} else {
$dataSourceConfig = ConnectionManager::getDataSource('default')->config;