Hanno Böck commited on 2024-01-24 11:44:59
Zeige 1 geänderte Dateien mit 7 Einfügungen und 6 Löschungen.
| ... | ... |
@@ -71,14 +71,15 @@ function find_role($login, $password, $i_am_admin = false) |
| 71 | 71 |
|
| 72 | 72 |
// Customer? |
| 73 | 73 |
$customerno = (int) $login; |
| 74 |
- $pass = sha1($password); |
|
| 75 |
- $result = db_query("SELECT passwort AS password FROM kundendaten.kunden WHERE status=0 AND id=:customerno AND passwort=:pass", [":customerno" => $customerno, ":pass" => $pass]);
|
|
| 76 |
- if ($i_am_admin) {
|
|
| 77 |
- $result = db_query("SELECT passwort AS password FROM kundendaten.kunden WHERE status=0 AND id=?", [$customerno]);
|
|
| 78 |
- } |
|
| 79 |
- if (@$result->rowCount() > 0) {
|
|
| 74 |
+ $result = db_query("SELECT passwort FROM kundendaten.kunden WHERE status=0 AND id=:customerno", [":customerno" => $customerno]);
|
|
| 75 |
+ if ($result->rowCount() > 0) {
|
|
| 76 |
+ $pwhash = $result->fetch()['passwort']; |
|
| 77 |
+ if ($i_am_admin || legacy_pw_verify($password, $pwhash)) {
|
|
| 78 |
+ logger(LOG_INFO, "session/checkuser", "login", "logged in customer »{$customerno}«.");
|
|
| 80 | 79 |
return ROLE_CUSTOMER; |
| 81 | 80 |
} |
| 81 |
+ logger(LOG_WARNING, "session/checkuser", "login", "wrong password for existing customer »{$customerno}«.");
|
|
| 82 |
+ } |
|
| 82 | 83 |
|
| 83 | 84 |
// Sub-User |
| 84 | 85 |
|
| 85 | 86 |
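Review bot: The success branch on new line 77 is taken whenever `$i_am_admin` is true, with no password check, yet the log entry added on line 78 reads exactly like a real password login, so the audit trail cannot tell an admin override from a customer authenticating. I would log the two cases differently, e.g. `logger(LOG_INFO, "session/checkuser", "login", $i_am_admin ? "admin override (no password check) for customer »{$customerno}«." : "logged in customer »{$customerno}«.");`. Separately, `(int) $login` on line 73 accepts any string with a numeric prefix, so the new warning on line 81 can fire for a login that was meant for the sub-user check below; a guard such as `(string) $customerno === $login` before the query would keep that log line accurate for anyone alerting on it. `legacy_pw_verify()` is defined outside this hunk, so whether it compares hashes in constant time (for instance with `hash_equals`) cannot be confirmed here, and the body of find_role continues past the hunk.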