From 93ac857bd24b68b820140c68ab38af702728e5b7 Mon Sep 17 00:00:00 2001 From: Lars Kneschke Date: Sun, 29 May 2005 08:03:01 +0000 Subject: [PATCH] as any of the user supplied password and the stored password can be md5 or clear text, we convert both to md5 and compare always the md5 hashs --- setup/inc/class.setup.inc.php | 41 +++++++++++++++++++++++++---------- 1 file changed, 29 insertions(+), 12 deletions(-) diff --git a/setup/inc/class.setup.inc.php b/setup/inc/class.setup.inc.php index 9e7423a66e..d10c6f93d4 100644 --- a/setup/inc/class.setup.inc.php +++ b/setup/inc/class.setup.inc.php @@ -285,26 +285,43 @@ return False; } - // returns True if user and pw match, if conf_pw is a md5 ONLY compare with md5($pw) and NOT the plaintext !!! + /** + * check if username and password is valid + * + * this function compares the supplied and stored username and password + * as any of the passwords can be clear text or md5 we convert them to md5 + * internal and compare always the md5 hashs + * + * @param string $user the user supplied username + * @param string $pw the user supplied password + * @param string $conf_user the configured username + * @param string $conf_pw the configured password + * @returns bool + */ + function check_auth($user,$pw,$conf_user,$conf_pw) { - //echo "

setup::check_auth('$user','$pw','$conf_user','$conf_pw')

\n"; + #echo "

setup::check_auth('$user','$pw','$conf_user','$conf_pw')

\n";exit; if ($user != $conf_user) { return False; // wrong username } - if (preg_match('/^[0-9a-f]{32}$/',$conf_pw)) // $conf_pw is a md5 - { - /* Verify that $pw is not already encoded as md5 (new cookie 5-15-2005 - Milosch) */ - if(!preg_match('/^[0-9a-f]{32}$/',$pw)) - { - /* No? Make it so. */ - $pw = md5($pw); - } - } - //echo "

setup::check_auth: ('$pw' == '$conf_pw') == ".(int)($pw == $conf_pw)."

\n"; + // Verify that $pw is not already encoded as md5 + if(!preg_match('/^[0-9a-f]{32}$/',$conf_pw)) + { + $conf_pw = md5($conf_pw); + } + + + // Verify that $pw is not already encoded as md5 + if(!preg_match('/^[0-9a-f]{32}$/',$pw)) + { + $pw = md5($pw); + } + return $pw == $conf_pw; + } function checkip($remoteip='')