From 5bfb51c0ecb341a9851c35d91bbbf2ee5bd92459 Mon Sep 17 00:00:00 2001 From: plegall Date: Sun, 20 Dec 2015 21:36:42 +0100 Subject: PHP7 compatibility, use PasswordHash from Wordpress 4.4 (PHP5+ constructor) --- include/passwordhash.class.php | 57 +++++++++++++++++++++++++++++------------- 1 file changed, 40 insertions(+), 17 deletions(-) diff --git a/include/passwordhash.class.php b/include/passwordhash.class.php index 84447b277..8b8b11319 100644 --- a/include/passwordhash.class.php +++ b/include/passwordhash.class.php @@ -1,18 +1,18 @@ in 2004-2006 and placed in # the public domain. Revised in subsequent years, still public domain. # # There's absolutely no warranty. # -# The homepage URL for this framework is: -# -# http://www.openwall.com/phpass/ -# # Please be sure to update the Version line if you edit this file in any way. # It is suggested that you leave the main version number intact, but indicate # your project name (after the slash) and add your own revision information. @@ -24,13 +24,25 @@ # Obviously, since this code is in the public domain, the above are not # requirements (there can be none), but merely suggestions. # + +/** + * Portable PHP password hashing framework. + * + * @package phpass + * @version 0.3 / WordPress + * @link http://www.openwall.com/phpass/ + * @since 2.5.0 + */ class PasswordHash { var $itoa64; var $iteration_count_log2; var $portable_hashes; var $random_state; - function PasswordHash($iteration_count_log2, $portable_hashes) + /** + * PHP5 constructor. + */ + function __construct( $iteration_count_log2, $portable_hashes ) { $this->itoa64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'; @@ -40,15 +52,20 @@ class PasswordHash { $this->portable_hashes = $portable_hashes; - $this->random_state = microtime(); - if (function_exists('getmypid')) - $this->random_state .= getmypid(); + $this->random_state = microtime() . uniqid(rand(), TRUE); // removed getmypid() for compatibility reasons + } + + /** + * PHP4 constructor. + */ + public function PasswordHash( $iteration_count_log2, $portable_hashes ) { + self::__construct( $iteration_count_log2, $portable_hashes ); } function get_random_bytes($count) { $output = ''; - if (@is_readable('/dev/urandom') && + if ( @is_readable('/dev/urandom') && ($fh = @fopen('/dev/urandom', 'rb'))) { $output = fread($fh, $count); fclose($fh); @@ -207,6 +224,10 @@ class PasswordHash { function HashPassword($password) { + if ( strlen( $password ) > 4096 ) { + return '*'; + } + $random = ''; if (CRYPT_BLOWFISH == 1 && !$this->portable_hashes) { @@ -242,12 +263,14 @@ class PasswordHash { function CheckPassword($password, $stored_hash) { + if ( strlen( $password ) > 4096 ) { + return false; + } + $hash = $this->crypt_private($password, $stored_hash); if ($hash[0] == '*') $hash = crypt($password, $stored_hash); - return $hash == $stored_hash; + return $hash === $stored_hash; } -} - -?> +} \ No newline at end of file -- cgit v1.2.3