
Strengthen the random password generated when forgotten.

1 parent 13c7609 commit 35b7628696d374a6666e8a608ce9e9078a617a86 @haraldpdl haraldpdl committed Feb 28, 2012
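--- a/catalog/includes/classes/passwordhash.php
+++ b/catalog/includes/classes/passwordhash.php
@@ -3,7 +3,9 @@
 # Portable PHP password hashing framework.
 #
 # Version 0.3 / genuine.
-# Version 0.3 / osCommerce (silenced @is_readable('/dev/urandom'))
+# Version 0.3 / osCommerce:
+# * Silenced @is_readable('/dev/urandom'))
+# * Added openssl_random_pseudo_bytes() to get_random_bytes()
 #
 # Written by Solar Designer <solar at openwall.com> in 2004-2006 and placed in
 # the public domain. Revised in subsequent years, still public domain.
@@ -53,6 +55,8 @@ function get_random_bytes($count)
 ($fh = @fopen('/dev/urandom', 'rb'))) {
 $output = fread($fh, $count);
 fclose($fh);
+ } elseif ( function_exists('openssl_random_pseudo_bytes') ) {
+ $output = openssl_random_pseudo_bytes($count);
 }
 if (strlen($output) < $count) {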
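Review bot: The new `elseif` branch at `$output = openssl_random_pseudo_bytes($count);` ignores the function's second by-reference parameter, which reports whether the bytes came from a cryptographically strong generator, so a weak result is accepted silently. Passing it and treating a non-strong result like a short read — `$output = openssl_random_pseudo_bytes($count, $strong); if ($strong !== true) { $output = ''; }` — lets the existing `strlen($output) < $count` check on the next line route it to the same fallback a failed `/dev/urandom` read takes. Whether that fallback is itself adequate cannot be judged here, since get_random_bytes begins and ends outside the hunk. Separately, the rewritten header line `# * Silenced @is_readable('/dev/urandom'))` carries an unbalanced closing parenthesis over from the old line.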
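--- a/catalog/includes/functions/password_funcs.php
+++ b/catalog/includes/functions/password_funcs.php
@@ -5,7 +5,7 @@
 osCommerce, Open Source E-Commerce Solutions
 http://www.oscommerce.com
- Copyright (c) 2010 osCommerce
+ Copyright (c) 2012 osCommerce
 Released under the GNU General Public License
 */
@@ -89,4 +89,16 @@ function tep_password_type($encrypted) {
 return 'phpass';
 }
+
+////
+// This function generates a random password
+ function tep_generate_password($length) {
+ if (!class_exists('PasswordHash')) {
+ include(DIR_WS_CLASSES . 'passwordhash.php');
+ }
+
+ $hasher = new PasswordHash(10, true);
+
+ return substr(bin2hex($hasher->get_random_bytes($length*2)), 0, $length);
+ }
 ?>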
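Review bot: tep_generate_password emits only lowercase hexadecimal digits, so each character carries 4 bits of entropy and a `$length`-character result holds `4 * $length` bits (48 bits for 12 characters); the comment above it should say so, e.g. `// Returns $length lowercase hex digits (4 bits of entropy each) drawn from PasswordHash::get_random_bytes()`, so callers do not assume mixed-case or symbol rules are satisfied. The request for `$length*2` random bytes is twice what is needed, since `bin2hex()` already doubles the length and `ceil($length / 2)` bytes cover `$length` hex digits, and `$length` is used untyped, so a non-integer argument reaches `substr()` unchecked. One line covers both: `return substr(bin2hex($hasher->get_random_bytes((int) ceil($length / 2))), 0, (int) $length);`.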
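--- a/catalog/password_forgotten.php
+++ b/catalog/password_forgotten.php
@@ -5,7 +5,7 @@
 osCommerce, Open Source E-Commerce Solutions
 http://www.oscommerce.com
- Copyright (c) 2010 osCommerce
+ Copyright (c) 2012 osCommerce
 Released under the GNU General Public License
 */
@@ -21,7 +21,7 @@
 if (tep_db_num_rows($check_customer_query)) {
 $check_customer = tep_db_fetch_array($check_customer_query);
- $new_password = tep_create_random_value(ENTRY_PASSWORD_MIN_LENGTH);
+ $new_password = tep_generate_password(12);
 $crypted_password = tep_encrypt_password($new_password);
 tep_db_query("update " . TABLE_CUSTOMERS . " set customers_password = '" . tep_db_input($crypted_password) . "' where customers_id = '" . (int)$check_customer['customers_id'] . "'");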
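Review bot: The hard-coded `12` in `$new_password = tep_generate_password(12);` drops the previous dependence on `ENTRY_PASSWORD_MIN_LENGTH`, so a store whose configured minimum exceeds 12 would be issued a password shorter than its own policy; `tep_generate_password(max(12, (int)ENTRY_PASSWORD_MIN_LENGTH))` keeps the stronger floor while still honouring the setting. Since the generator yields hexadecimal digits, the 12-character value carries 48 bits of entropy, and a short comment on that line, `// 12 hex digits = 48 bits of entropy; see tep_generate_password()`, records why 12 was chosen. The enclosing `if (tep_db_num_rows(...))` block continues past the hunk.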
