From 5bfb51c0ecb341a9851c35d91bbbf2ee5bd92459 Mon Sep 17 00:00:00 2001
From: plegall <plg@piwigo.org>
Date: Sun, 20 Dec 2015 21:36:42 +0100
Subject: PHP7 compatibility, use PasswordHash from Wordpress 4.4 (PHP5+
 constructor)

---
 include/passwordhash.class.php | 57 +++++++++++++++++++++++++++++-------------
 1 file changed, 40 insertions(+), 17 deletions(-)

(limited to 'include')

diff --git a/include/passwordhash.class.php b/include/passwordhash.class.php
index 84447b277..8b8b11319 100644
--- a/include/passwordhash.class.php
+++ b/include/passwordhash.class.php
@@ -1,18 +1,18 @@
 <?php
-#
-# Portable PHP password hashing framework.
-#
-# Version 0.3 / genuine.
+/**
+ * Portable PHP password hashing framework.
+ * @package phpass
+ * @since 2.5.0
+ * @version 0.3 / WordPress
+ * @link http://www.openwall.com/phpass/
+ */
+
 #
 # Written by Solar Designer <solar at openwall.com> in 2004-2006 and placed in
 # the public domain.  Revised in subsequent years, still public domain.
 #
 # There's absolutely no warranty.
 #
-# The homepage URL for this framework is:
-#
-#	http://www.openwall.com/phpass/
-#
 # Please be sure to update the Version line if you edit this file in any way.
 # It is suggested that you leave the main version number intact, but indicate
 # your project name (after the slash) and add your own revision information.
@@ -24,13 +24,25 @@
 # Obviously, since this code is in the public domain, the above are not
 # requirements (there can be none), but merely suggestions.
 #
+
+/**
+ * Portable PHP password hashing framework.
+ *
+ * @package phpass
+ * @version 0.3 / WordPress
+ * @link http://www.openwall.com/phpass/
+ * @since 2.5.0
+ */
 class PasswordHash {
 	var $itoa64;
 	var $iteration_count_log2;
 	var $portable_hashes;
 	var $random_state;
 
-	function PasswordHash($iteration_count_log2, $portable_hashes)
+	/**
+	 * PHP5 constructor.
+	 */
+	function __construct( $iteration_count_log2, $portable_hashes )
 	{
 		$this->itoa64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
 
@@ -40,15 +52,20 @@ class PasswordHash {
 
 		$this->portable_hashes = $portable_hashes;
 
-		$this->random_state = microtime();
-		if (function_exists('getmypid'))
-			$this->random_state .= getmypid();
+		$this->random_state = microtime() . uniqid(rand(), TRUE); // removed getmypid() for compatibility reasons
+	}
+
+	/**
+	 * PHP4 constructor.
+	 */
+	public function PasswordHash( $iteration_count_log2, $portable_hashes ) {
+		self::__construct( $iteration_count_log2, $portable_hashes );
 	}
 
 	function get_random_bytes($count)
 	{
 		$output = '';
-		if (@is_readable('/dev/urandom') &&
+		if ( @is_readable('/dev/urandom') &&
 		    ($fh = @fopen('/dev/urandom', 'rb'))) {
 			$output = fread($fh, $count);
 			fclose($fh);
@@ -207,6 +224,10 @@ class PasswordHash {
 
 	function HashPassword($password)
 	{
+		if ( strlen( $password ) > 4096 ) {
+			return '*';
+		}
+
 		$random = '';
 
 		if (CRYPT_BLOWFISH == 1 && !$this->portable_hashes) {
@@ -242,12 +263,14 @@ class PasswordHash {
 
 	function CheckPassword($password, $stored_hash)
 	{
+		if ( strlen( $password ) > 4096 ) {
+			return false;
+		}
+
 		$hash = $this->crypt_private($password, $stored_hash);
 		if ($hash[0] == '*')
 			$hash = crypt($password, $stored_hash);
 
-		return $hash == $stored_hash;
+		return $hash === $stored_hash;
 	}
-}
-
-?>
+}
\ No newline at end of file
-- 
cgit v1.2.3