[Xfce4-commits] <forum:master> Changes to handle the old SMF password in the database.

Nick Schermer noreply at xfce.org
Fri Nov 12 18:12:03 CET 2010


Updating branch refs/heads/master
         to 18dad3133645c36de454db68fd575238f08b6505 (commit)
       from 0b1b8a83d3315f687b6ee8a4c69f5b4e8a13f984 (commit)

commit 18dad3133645c36de454db68fd575238f08b6505
Author: Nick Schermer <nick at xfce.org>
Date:   Fri Nov 12 17:04:52 2010 +0100

    Changes to handle the old SMF password in the database.
    
    If a FluxBB password fails, we check whether the password
    looks like an SMF 1.0 or 1.1 password; if so, we replace the
    SMF password with a FluxBB hash once the user has successfully
    authorized.

 login.php |   46 ++++++++++++++++++++++++++++++++--------------
 1 files changed, 32 insertions(+), 14 deletions(-)

diff --git a/login.php b/login.php
index 0f899c4..83236c0 100644
--- a/login.php
+++ b/login.php
@@ -16,6 +16,11 @@ require PUN_ROOT.'include/common.php';
 // Load the login.php language file
 require PUN_ROOT.'lang/'.$pun_user['language'].'/login.php';
 
+function un_htmlspecialchars($string)
+{
+	return strtr($string, array_flip(get_html_translation_table(HTML_SPECIALCHARS, ENT_QUOTES)) + array(''' => '\'', ' ' => ' '));
+}
+
 $action = isset($_GET['action']) ? $_GET['action'] : null;
 
 if (isset($_POST['form_sent']) && $action == 'in')
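Review bot: un_htmlspecialchars() is added with no comment saying why a login script needs to undo HTML escaping, and a later maintainer could mistake it for a general-purpose helper. Judging by its only use in the next hunk, it exists to rebuild the legacy SMF 1.1 hash input, so a line such as `// Reverses htmlspecialchars(ENT_QUOTES) so the legacy SMF 1.1 hash can be recomputed; never use on output.` above the function would pin that down. As rendered on this page the two extra map keys read `'''` and `' '`, which looks like the archive decoded entity literals; worth confirming against the repository that the committed file has the entity strings.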
@@ -30,34 +35,47 @@ if (isset($_POST['form_sent']) && $action == 'in')
 	$cur_user = $db->fetch_assoc($result);
 
 	$authorized = false;
+	$update_db_password = false;
 
 	if (!empty($cur_user['password']))
 	{
-		$form_password_hash = pun_hash($form_password); // Will result in a SHA-1 hash
+		// Will result in a SHA-1 hash
+		$form_password_hash = pun_hash($form_password);
 
-		// If there is a salt in the database we have upgraded from 1.3-legacy though havent yet logged in
-		if (!empty($cur_user['salt']))
+		if (strlen($cur_user['password']) != 40)
 		{
-			if (sha1($cur_user['salt'].sha1($form_password)) == $cur_user['password']) // 1.3 used sha1(salt.sha1(pass))
+			// Old SMF 1.0.x password
+			if (md5($form_password) == $cur_user['password'])
 			{
 				$authorized = true;
-
-				$db->query('UPDATE '.$db->prefix.'users SET password=\''.$form_password_hash.'\', salt=NULL WHERE id='.$cur_user['id']) or error('Unable to update user password', __FILE__, __LINE__, $db->error());
+				$update_db_password = true;
 			}
 		}
-		// If the length isn't 40 then the password isn't using sha1, so it must be md5 from 1.2
-		else if (strlen($cur_user['password']) != 40)
+		else
 		{
-			if (md5($form_password) == $cur_user['password'])
+			if ($cur_user['password'] == $form_password_hash)
 			{
+				// New FluxBB password
 				$authorized = true;
-
-				$db->query('UPDATE '.$db->prefix.'users SET password=\''.$form_password_hash.'\' WHERE id='.$cur_user['id']) or error('Unable to update user password', __FILE__, __LINE__, $db->error());
+			}
+			else
+			{
+				// Old SMF 1.1.x password
+				$smf_password_hash = sha1(strtolower($form_username) . un_htmlspecialchars(stripslashes($form_password)));
+				if ($cur_user['password'] == $smf_password_hash)
+				{
+					$authorized = true;
+					$update_db_password = true;
+				}
 			}
 		}
-		// Otherwise we should have a normal sha1 password
-		else
-			$authorized = ($cur_user['password'] == $form_password_hash);
+
+		if ($authorized && $update_db_password)
+		{
+			// Replace the SMF password with an FluxBB password
+			$db->query('UPDATE '.$db->prefix.'users SET password=\''.$form_password_hash.'\', salt=NULL WHERE id='.$cur_user['id']) 
+				or error('Unable to update user password', __FILE__, __LINE__, $db->error());
+		}
 	}
 
 	if (!$authorized)
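Review bot: All three hash checks in the new branches (`md5($form_password) == $cur_user['password']`, `$cur_user['password'] == $form_password_hash`, and `$cur_user['password'] == $smf_password_hash`) use loose `==`. PHP compares two numeric-looking strings as numbers, so hex digests that happen to be all digits or of the `0e…` form can be treated as equal without being byte-identical. Use strict comparison, e.g. `if (md5($form_password) === $cur_user['password'])`, or `hash_equals()` where the deployed PHP version provides it. Separately, the migration UPDATE stores the `pun_hash` value, which the comment says is a SHA-1 hash and which is not shown being salted here, so the upgrade changes the hash format rather than making stored passwords harder to crack; a comment next to `$update_db_password` should say so. The enclosing `if (isset($_POST['form_sent']) && $action == 'in')` block starts before this hunk and continues past it.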


