authorLukas Fleischer <lfleischer@archlinux.org>2017-02-24 19:52:28 +0100
committerLukas Fleischer <lfleischer@archlinux.org>2017-02-24 22:04:49 +0100
commit29a48708bb7c3e00e80275a6b898f557f63dff69 (patch)
treec1b4f3ec1e5caffaacb796916e5bdb89b5cb19ff /web/html
parent31754909b1ebbc2a50f1faecbb0cf5058953b840 (diff)
downloadaur-29a48708bb7c3e00e80275a6b898f557f63dff69.tar.gz
aur-29a48708bb7c3e00e80275a6b898f557f63dff69.tar.xz
Use bcrypt to hash passwords
Replace the default hash function used for storing passwords by password_hash() which internally uses bcrypt. Legacy MD5 hashes are still supported and are immediately converted to the new format when a user logs in. Since big parts of the authentication system needed to be rewritten in this context, this patch also includes some simplification and refactoring of all code related to password checking and resetting. Fixes FS#52297. Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
Diffstat (limited to 'web/html')
-rw-r--r--web/html/passreset.php5
1 files changed, 1 insertions, 4 deletions
diff --git a/web/html/passreset.php b/web/html/passreset.php
index cb2f6bcd..e89967d4 100644
--- a/web/html/passreset.php
+++ b/web/html/passreset.php
@@ -34,10 +34,7 @@ if (isset($_GET['resetkey'], $_POST['email'], $_POST['password'], $_POST['confir
}
if (empty($error)) {
- $salt = generate_salt();
- $hash = salted_hash($password, $salt);
-
- $error = password_reset($hash, $salt, $resetkey, $email);
+ $error = password_reset($password, $resetkey, $email);
}
} elseif (isset($_POST['email'])) {
$email = $_POST['email'];
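Review bot: The plaintext `$password` is now handed straight to `password_reset()`, and nothing visible in this hunk caps its length. Per the commit message it ends up in `password_hash()` with bcrypt, which uses only the first 72 bytes of its input. If the validation above the hunk (not visible here) enforces only a minimum length, any bytes past 72 are silently ignored when the hash is created and verified. Consider adding a `strlen($password) > 72` check that sets `$error` before this call, plus a call-site comment such as `/* password_reset() hashes the plaintext itself; never pass a pre-computed hash. */`. The enclosing `if (isset($_GET['resetkey'], ...))` block starts above the hunk and the `elseif` branch continues past it.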