Adds random salt to user passwords (#7410).

git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@4936 e93f8b46-1217-0410-a6f0-8f06a7374b81
2025-11-02 03:15:57 +01:00 · 2011-02-23 17:27:31 +00:00
parent 3ab981c04c
commit ce84bb1a01
6 changed files with 106 additions and 13 deletions
--- a/extra/svn/Redmine.pm
+++ b/extra/svn/Redmine.pm
@@ -148,7 +148,7 @@ sub RedmineDSN {
  my ($self, $parms, $arg) = @_;
  $self->{RedmineDSN} = $arg;
  my $query = "SELECT 
-                 hashed_password, auth_source_id, permissions
+                 hashed_password, salt, auth_source_id, permissions
              FROM members, projects, users, roles, member_roles
              WHERE 
                projects.id=members.project_id
@@ -316,11 +316,12 @@ sub is_member {
  $sth->execute($redmine_user, $project_id);

  my $ret;
-  while (my ($hashed_password, $auth_source_id, $permissions) = $sth->fetchrow_array) {
+  while (my ($hashed_password, $salt, $auth_source_id, $permissions) = $sth->fetchrow_array) {

      unless ($auth_source_id) {
-	  my $method = $r->method;
-          if ($hashed_password eq $pass_digest && ((defined $read_only_methods{$method} && $permissions =~ /:browse_repository/) || $permissions =~ /:commit_access/) ) {
+	  			my $method = $r->method;
+          my $salted_password = Digest::SHA1::sha1_hex($salt.$pass_digest);
+					if ($hashed_password eq $salted_password && ((defined $read_only_methods{$method} && $permissions =~ /:browse_repository/) || $permissions =~ /:commit_access/) ) {
              $ret = 1;
              last;
          }