From 1a9f4d3c9d7b8147230c0a816a849afdedb54901 Mon Sep 17 00:00:00 2001
From: Andrew Dolgov <fox@madoka.spb.ru>
Date: Wed, 12 Sep 2007 04:56:22 +0100
Subject: use login as salt when generating passwords

---
 functions.php | 18 ++++++++++++++----
 1 file changed, 14 insertions(+), 4 deletions(-)

(limited to 'functions.php')

diff --git a/functions.php b/functions.php
index a237aff5a..362f965a4 100644
--- a/functions.php
+++ b/functions.php
@@ -1423,16 +1423,18 @@
 
 		if (!SINGLE_USER_MODE) {
 
-			$pwd_hash = 'SHA1:' . sha1($password);
+			$pwd_hash1 = encrypt_password($password);
+			$pwd_hash2 = encrypt_password($password, $login);
 
 			if ($force_auth && defined('_DEBUG_USER_SWITCH')) {
 				$query = "SELECT id,login,access_level
 	            FROM ttrss_users WHERE
 		         login = '$login'";
 			} else {
-				$query = "SELECT id,login,access_level
+				$query = "SELECT id,login,access_level,pwd_hash
 	            FROM ttrss_users WHERE
-		         login = '$login' AND pwd_hash = '$pwd_hash'";
+					login = '$login' AND (pwd_hash = '$pwd_hash1' OR
+						pwd_hash = '$pwd_hash2')";
 			}
 
 			$result = db_query($link, $query);
@@ -1449,7 +1451,7 @@
 	
 				$_SESSION["theme"] = $user_theme;
 				$_SESSION["ip_address"] = $_SERVER["REMOTE_ADDR"];
-				$_SESSION["pwd_hash"] = $pwd_hash;
+				$_SESSION["pwd_hash"] = db_fetch_result($result, 0, "pwd_hash");
 	
 				initialize_user_prefs($link, $_SESSION["uid"]);
 	
@@ -4766,4 +4768,12 @@
 		return $url_path;
         }
 
+	function encrypt_password($pass, $login = '') {
+		if ($login) {
+			return "SHA1X:" . sha1("$login:$pass");
+		} else {
+			return "SHA1:" . sha1($pass);
+		}
+	}
+
 ?>
-- 
cgit v1.2.3-54-g00ecf