From 8595b76df2fa5c0e536dd37456943162a154d4da Mon Sep 17 00:00:00 2001
From: Lukas Reschke <lukas@owncloud.com>
Date: Mon, 17 Nov 2014 13:10:15 +0100
Subject: [PATCH] Remove phpass and migrate to new Hasher interface

This PR removes phpass and migrates to the new Hasher interface.

Please note that, because of https://github.com/owncloud/core/issues/10671, old hashes are not updated; the hashes are backwards compatible, so this shouldn't hurt.
Once the sharing classes offer a way to update the password of a single share, that method should be used within the `newHash` if block.
---
 3rdparty                                      |  2 +-
 .../lib/connector/publicauth.php              | 24 +++++++++++++----
 .../lib/controllers/sharecontroller.php       |  1 +
 apps/files_sharing/lib/helper.php             | 27 ++++++++++++++-----
 lib/base.php                                  |  3 +--
 lib/private/share/share.php                   |  4 +--
 6 files changed, 43 insertions(+), 18 deletions(-)

diff --git a/3rdparty b/3rdparty
index 912a45c345..dd0e7b6dce 160000
--- a/3rdparty
+++ b/3rdparty
@@ -1 +1 @@
-Subproject commit 912a45c3458685a1105fba38a39a3a71c7348ed9
+Subproject commit dd0e7b6dcec142c790a6325b74a7c4fd3c6d7233
diff --git a/apps/files_sharing/lib/connector/publicauth.php b/apps/files_sharing/lib/connector/publicauth.php
index c9d545180b..4144dafa37 100644
--- a/apps/files_sharing/lib/connector/publicauth.php
+++ b/apps/files_sharing/lib/connector/publicauth.php
@@ -48,12 +48,26 @@ class PublicAuth extends \Sabre\DAV\Auth\Backend\AbstractBasic {
 		if (isset($linkItem['share_with'])) {
 			if ($linkItem['share_type'] == \OCP\Share::SHARE_TYPE_LINK) {
 				// Check Password
-				$forcePortable = (CRYPT_BLOWFISH != 1);
-				$hasher = new \PasswordHash(8, $forcePortable);
-				if (!$hasher->CheckPassword($password . $this->config->getSystemValue('passwordsalt', ''), $linkItem['share_with'])) {
-					return false;
-				} else {
+				$newHash = '';
+				if(\OC::$server->getHasher()->verify($password, $linkItem['share_with'], $newHash)) {
+					/**
+					 * FIXME: Migrate old hashes to new hash format
+					 * Due to the fact that there is no reasonable functionality to update the password
+					 * of an existing share no migration is yet performed there.
+					 * The only possibility is to update the existing share which will result in a new
+					 * share ID and is a major hack.
+					 *
+					 * In the future the migration should be performed once there is a proper method
+					 * to update the share's password. (for example `$share->updatePassword($password)`
+					 *
+					 * @link https://github.com/owncloud/core/issues/10671
+					 */
+					if(!empty($newHash)) {
+
+					}
 					return true;
+				} else {
+					return false;
 				}
 			} else {
 				return false;
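Review bot: The `if(!empty($newHash)) { }` block added after the successful `verify()` call has an empty body, so `$newHash` is computed and then discarded, and stored share hashes stay in their legacy format for as long as the share exists. Until issue 10671 provides a way to persist it, I would drop the empty branch and keep the FIXME as an ordinary comment, e.g. `// FIXME(#10671): persist $newHash once a share's password can be updated in place`. A `/** */` docblock placed on a statement documents nothing, and the example inside it is missing its closing parenthesis. The same empty block and comment are duplicated in the `apps/files_sharing/lib/helper.php` hunk; the enclosing method starts and ends outside this hunk.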
diff --git a/apps/files_sharing/lib/controllers/sharecontroller.php b/apps/files_sharing/lib/controllers/sharecontroller.php
index a3d5b6d44a..4c63d7d30e 100644
--- a/apps/files_sharing/lib/controllers/sharecontroller.php
+++ b/apps/files_sharing/lib/controllers/sharecontroller.php
@@ -99,6 +99,7 @@ class ShareController extends Controller {
 
 	/**
 	 * @PublicPage
+	 * @UseSession
 	 *
 	 * Authenticates against password-protected shares
 	 * @param $token
diff --git a/apps/files_sharing/lib/helper.php b/apps/files_sharing/lib/helper.php
index 3a2d51cddb..f7204a8db8 100644
--- a/apps/files_sharing/lib/helper.php
+++ b/apps/files_sharing/lib/helper.php
@@ -3,7 +3,6 @@
 namespace OCA\Files_Sharing;
 
 use OC_Config;
-use PasswordHash;
 
 class Helper {
 
@@ -99,14 +98,28 @@ class Helper {
 		if ($password !== null) {
 			if ($linkItem['share_type'] == \OCP\Share::SHARE_TYPE_LINK) {
 				// Check Password
-				$forcePortable = (CRYPT_BLOWFISH != 1);
-				$hasher = new PasswordHash(8, $forcePortable);
-				if (!($hasher->CheckPassword($password.OC_Config::getValue('passwordsalt', ''),
-											 $linkItem['share_with']))) {
-					return false;
-				} else {
+				$newHash = '';
+				if(\OC::$server->getHasher()->verify($password, $linkItem['share_with'], $newHash)) {
 					// Save item id in session for future requests
 					\OC::$server->getSession()->set('public_link_authenticated', $linkItem['id']);
+
+					/**
+					 * FIXME: Migrate old hashes to new hash format
+					 * Due to the fact that there is no reasonable functionality to update the password
+					 * of an existing share no migration is yet performed there.
+					 * The only possibility is to update the existing share which will result in a new
+					 * share ID and is a major hack.
+					 *
+					 * In the future the migration should be performed once there is a proper method
+					 * to update the share's password. (for example `$share->updatePassword($password)`
+					 *
+					 * @link https://github.com/owncloud/core/issues/10671
+					 */
+					if(!empty($newHash)) {
+
+					}
+				} else {
+					return false;
 				}
 			} else {
 				\OCP\Util::writeLog('share', 'Unknown share type '.$linkItem['share_type']
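Review bot: The `verify($password, $linkItem['share_with'], $newHash)` call no longer appends the `passwordsalt` system value that the removed `CheckPassword()` call concatenated, so whether existing share passwords still authenticate depends entirely on how the Hasher handles legacy hashes, which is not part of this diff. If that path does not apply the salt, the check fails closed and previously protected links would reject their correct password, so a regression test that verifies a hash produced by the old `HashPassword($password . $salt)` form would be worth adding. A short comment at the call would also help, e.g. `// legacy phpass hashes (password + passwordsalt) are expected to be handled inside verify()`. The same applies to the call in `publicauth.php`; the enclosing method continues outside this hunk.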
diff --git a/lib/base.php b/lib/base.php
index d365a4a306..d7e4c379db 100644
--- a/lib/base.php
+++ b/lib/base.php
@@ -464,8 +464,7 @@ class OC {
 		// setup 3rdparty autoloader
 		$vendorAutoLoad = OC::$THIRDPARTYROOT . '/3rdparty/autoload.php';
 		if (file_exists($vendorAutoLoad)) {
-			$loader = require_once $vendorAutoLoad;
-			$loader->add('PasswordHash', OC::$THIRDPARTYROOT . '/3rdparty/phpass');
+			require_once $vendorAutoLoad;
 		} else {
 			OC_Response::setStatus(OC_Response::STATUS_SERVICE_UNAVAILABLE);
 			OC_Template::printErrorPage('Composer autoloader not found, unable to continue.');
diff --git a/lib/private/share/share.php b/lib/private/share/share.php
index b7b05dab8e..0cd715c6dd 100644
--- a/lib/private/share/share.php
+++ b/lib/private/share/share.php
@@ -627,9 +627,7 @@ class Share extends \OC\Share\Constants {
 
 				// Generate hash of password - same method as user passwords
 				if (!empty($shareWith)) {
-					$forcePortable = (CRYPT_BLOWFISH != 1);
-					$hasher = new \PasswordHash(8, $forcePortable);
-					$shareWith = $hasher->HashPassword($shareWith.\OC_Config::getValue('passwordsalt', ''));
+					$shareWith = \OC::$server->getHasher()->hash($shareWith);
 				} else {
 					// reuse the already set password, but only if we change permissions
 					// otherwise the user disabled the password protection
-- 
GitLab