Fix: use dol_hash instead md5 php function

htdocs/adherents/class/adherent.class.php

@@ -759,9 +759,8 @@ function setPassword($user, $password='', $isencrypted=0, $notrigger=0, $nosyncu
         // Cryptage mot de passe
         if ($isencrypted)
         {
-            // Crypte avec systeme encodage par defaut du PHP
-            //$sqlpass = crypt($password, makesalt());
-            $password_indatabase = md5($password);
+            // Encryption
+            $password_indatabase = dol_hash($password);
         }
         else
         {
@@ -1400,7 +1399,7 @@ function add_to_spip()
         defined('ADHERENT_SPIP_PASS') && ADHERENT_SPIP_PASS != '' &&
         defined('ADHERENT_SPIP_DB') && ADHERENT_SPIP_DB != ''
         ){
-            $mdpass=md5($this->pass);
+            $mdpass=dol_hash($this->pass);
             $htpass=crypt($this->pass,makesalt());
             $query = "INSERT INTO spip_auteurs (nom, email, login, pass, htpass, alea_futur, statut) VALUES(\"".$this->prenom." ".$this->nom."\",\"".$this->email."\",\"".$this->login."\",\"$mdpass\",\"$htpass\",FLOOR(32000*RAND()),\"1comite\")";
             //      $mydb=new Db('mysql',ADHERENT_SPIP_SERVEUR,ADHERENT_SPIP_USER,ADHERENT_SPIP_PASS,ADHERENT_SPIP_DB);

htdocs/admin/security.php

@@ -74,10 +74,10 @@
         while ($i < $numrows)
         {
             $obj=$db->fetch_object($resql);
-            if (md5($obj->pass))
+            if (dol_hash($obj->pass))
             {
                 $sql = "UPDATE ".MAIN_DB_PREFIX."user";
-                $sql.= " SET pass_crypted = '".md5($obj->pass)."', pass = NULL";
+                $sql.= " SET pass_crypted = '".dol_hash($obj->pass)."', pass = NULL";
                 $sql.= " WHERE rowid=".$obj->rowid;
                 //print $sql;
 

htdocs/core/class/html.form.class.php

@@ -3476,7 +3476,7 @@ function showphoto($modulepart,$object,$width=100)
                 {
                     global $dolibarr_main_url_root;
                     $ret.='<!-- Put link to gravatar -->';
-                    $ret.='<img alt="Photo found on Gravatar" title="Photo Gravatar.com - email '.$email.'" border="0" width="'.$width.'" src="http://www.gravatar.com/avatar/'.md5($email).'?s='.$width.'&d='.urlencode( dol_buildpath('/theme/common/nophoto.jpg',2) ).'">';
+                    $ret.='<img alt="Photo found on Gravatar" title="Photo Gravatar.com - email '.$email.'" border="0" width="'.$width.'" src="http://www.gravatar.com/avatar/'.dol_hash($email).'?s='.$width.'&d='.urlencode( dol_buildpath('/theme/common/nophoto.jpg',2) ).'">';
                 }
                 else
                 {

htdocs/core/class/rssparser.class.php

@@ -90,7 +90,7 @@ public function parser($urlRSS, $maxNb=0, $cachedelay=60, $cachedir='')
 	    }
 
 		$this->_urlRSS = $urlRSS;
-	    $newpathofdestfile=$cachedir.'/'.md5($this->_urlRSS);
+	    $newpathofdestfile=$cachedir.'/'.dol_hash($this->_urlRSS);
 		$newmask='0644';
 
 		//dol_syslog("RssPArser::parser parse url=".$urlRSS." => cache file=".$newpathofdestfile);

htdocs/core/class/smtps.class.php

@@ -1932,7 +1932,7 @@ function setBodyContent ( $strContent, $strType = 'plain' )
         $this->_msgContent[$strType]['data']     = $strContent;
 
         if ( $this->getMD5flag() )
-        $this->_msgContent[$strType]['md5']      = md5($strContent);
+        $this->_msgContent[$strType]['md5']      = dol_hash($strContent);
         //}
     }
 
@@ -2114,7 +2114,7 @@ function setAttachment($strContent, $strFileName = 'unknown', $strMimeType = 'un
             $this->_msgContent['attachment'][$strFileName]['data']     = $strContent;
 
             if ( $this->getMD5flag() )
-            $this->_msgContent['attachment'][$strFileName]['md5']      = md5($strContent);
+            $this->_msgContent['attachment'][$strFileName]['md5']      = dol_hash($strContent);
         }
     }
 
@@ -2144,7 +2144,7 @@ function setImageInline($strContent, $strImageName = 'unknown', $strMimeType = '
             $this->_msgContent['image'][$strImageName]['data']     = $strContent;
 
             if ( $this->getMD5flag() )
-            $this->_msgContent['image'][$strFileName]['md5']      = md5($strContent);
+            $this->_msgContent['image'][$strFileName]['md5']      = dol_hash($strContent);
         }
     }
     // END DOL_CHANGE LDR
@@ -2519,6 +2519,9 @@ function getErrors()
 
 /**
  * $Log: smtps.class.php,v $
+ * Revision 1.2  2011/09/06 06:53:53  hregis
+ * Fix: use dol_hash instead md5 php function
+ *
  * Revision 1.1  2011/09/03 00:14:27  eldy
  * Doxygen
  *

htdocs/core/class/translate.class.php

@@ -216,7 +216,7 @@ function Load($domain,$alt=0,$stopafterdirection=0,$forcelangdir='')
 				// Using a memcached server
 				if (! empty($conf->memcached->enabled) && ! empty($conf->global->MEMCACHED_SERVER))
 				{
-					$usecachekey=$newdomain.'_'.$langofdir.'_'.md5($file_lang);    // Should not contains special chars
+					$usecachekey=$newdomain.'_'.$langofdir.'_'.dol_hash($file_lang);    // Should not contains special chars
 				}
 				// Using cache with shmop. Speed gain: 40ms - Memory overusage: 200ko (Size of session cache file)
 				else if (isset($conf->global->MAIN_OPTIMIZE_SPEED) && ($conf->global->MAIN_OPTIMIZE_SPEED & 0x02))

htdocs/includes/login/functions_dolibarr.php

@@ -71,7 +71,7 @@ function check_user_password_dolibarr($usertotest,$passwordtotest,$entitytotest=
 				// Check crypted password according to crypt algorithm
 				if ($cryptType == 'md5')
 				{
-					if (md5($passtyped) == $passcrypted)
+					if (dol_hash($passtyped) == $passcrypted)
 					{
 						$passok=true;
 						dol_syslog("functions_dolibarr::check_user_password_dolibarr Authentification ok - ".$cryptType." of pass is ok");

htdocs/lib/CMailFile.class.php

@@ -107,13 +107,13 @@ function CMailFile($subject,$to,$from,$msg,
 		//if (preg_match('/^mac/i',PHP_OS)) $this->eol="\r";
 
 		// On defini mixed_boundary
-		$this->mixed_boundary = md5(uniqid("dolibarr1"));
+		$this->mixed_boundary = dol_hash(uniqid("dolibarr1"));
 
 		// On defini related_boundary
-		$this->related_boundary = md5(uniqid("dolibarr2"));
+		$this->related_boundary = dol_hash(uniqid("dolibarr2"));
 
 		// On defini alternative_boundary
-		$this->alternative_boundary = md5(uniqid("dolibarr3"));
+		$this->alternative_boundary = dol_hash(uniqid("dolibarr3"));
 
 		// If ending method not defined
 		if (empty($conf->global->MAIN_MAIL_SENDMODE)) $conf->global->MAIN_MAIL_SENDMODE='mail';
@@ -884,7 +884,7 @@ function findHtmlImages($images_dir)
 						$this->html_images[$i]["content_type"] = $this->image_types[$ext];
 
 						// cid
-						$this->html_images[$i]["cid"] = md5(uniqid(time()));
+						$this->html_images[$i]["cid"] = dol_hash(uniqid(time()));
 						$this->html = preg_replace("/src=\"$src\"|src='$src'/i", "src=\"cid:".$this->html_images[$i]["cid"]."\"", $this->html);
 					}
 					$i++;

htdocs/lib/functions.lib.php

@@ -92,7 +92,7 @@ function GETPOST($paramname,$check='',$method=0)
  */
 function dol_getprefix()
 {
-    return md5($_SERVER["SERVER_NAME"].$_SERVER["DOCUMENT_ROOT"].DOL_DOCUMENT_ROOT.DOL_URL_ROOT);
+    return dol_hash($_SERVER["SERVER_NAME"].$_SERVER["DOCUMENT_ROOT"].DOL_DOCUMENT_ROOT.DOL_URL_ROOT);
 }
 
 /**

htdocs/lib/security.lib.php

@@ -467,9 +467,10 @@ function getRandomPassword($generic=false)
  * 	Returns a hash of a string
  * 	@param 	chain	String to hash
  * 	@param	type	Type of hash (0:md5, 1:sha1, 2:sha1+md5)
+ * 	@param	salt	Salt
  * 	@return	hash	hash of string
  */
-function dol_hash($chain,$type=0)
+function dol_hash($chain,$type=0,$salt='')
 {
 	if ($type == 1) return sha1($chain);
 	else if ($type == 2) return sha1(md5($chain));

htdocs/main.inc.php

@@ -244,7 +244,7 @@ function analyse_sql_and_script(&$var,$get)
 // Creation of a token against CSRF vulnerabilities
 if (! defined('NOTOKENRENEWAL'))
 {
-	$token = md5(uniqid(mt_rand(),TRUE)); // Genere un hash d'un nombre aleatoire
+	$token = dol_hash(uniqid(mt_rand(),TRUE)); // Genere un hash d'un nombre aleatoire
 	// roulement des jetons car cree a chaque appel
 	if (isset($_SESSION['newtoken'])) $_SESSION['token'] = $_SESSION['newtoken'];
 	$_SESSION['newtoken'] = $token;

htdocs/user/class/user.class.php

@@ -1041,7 +1041,7 @@ function update($user,$notrigger=0,$nosyncmember=0,$nosyncmemberpass=0)
 		$this->phenix_login = trim($this->phenix_login);
 		if ($this->phenix_pass != $this->phenix_pass_crypted)
 		{
-			$this->phenix_pass  = md5(trim($this->phenix_pass));
+			$this->phenix_pass  = dol_hash(trim($this->phenix_pass));
 		}
 		$this->admin        = $this->admin?$this->admin:0;
 
@@ -1243,7 +1243,7 @@ function setPassword($user, $password='', $changelater=0, $notrigger=0, $nosyncm
 		}
 
 		// Crypte avec md5
-		$password_crypted = md5($password);
+		$password_crypted = dol_hash($password);
 
 		// Mise a jour
 		if (! $changelater)
@@ -1409,7 +1409,7 @@ function send_password($user, $password='', $changelater=0)
 			$mesg.= $langs->trans("Password")." : $password\n\n";
 			$mesg.= "\n";
 			$mesg.= "You must click on the folowing link to validate its change.\n";
-			$url = $urlwithouturlroot.DOL_URL_ROOT.'/user/passwordforgotten.php?action=validatenewpassword&username='.$this->login."&passwordmd5=".md5($password);
+			$url = $urlwithouturlroot.DOL_URL_ROOT.'/user/passwordforgotten.php?action=validatenewpassword&username='.$this->login."&passwordmd5=".dol_hash($password);
 			$mesg.= $url."\n\n";
 			$mesg.= "If you didn't ask anything, just forget this email\n\n";
 			dol_syslog("User::send_password url=".$url);

htdocs/user/passwordforgotten.php

@@ -64,7 +64,7 @@
     }
     else
     {
-        if (md5($edituser->pass_temp) == $passwordmd5)
+        if (dol_hash($edituser->pass_temp) == $passwordmd5)
         {
             $newpassword=$edituser->setPassword($user,$edituser->pass_temp,0);
             dol_syslog("passwordforgotten.php new password for user->id=".$edituser->id." validated in database");