martin: server/kolab/kolab/admin/maintainer create_maintainer.php, 1.7, 1.8
cvs at intevation.de
Fri Nov 28 03:01:07 CET 2003
Author: martin
Update of /kolabrepository/server/kolab/kolab/admin/maintainer
In directory doto:/tmp/cvs-serv20773/admin/maintainer
Modified Files:
create_maintainer.php
Log Message:
Martin Konold: Introduce sha1 encoded passwords instead of plain cleartext passwords in the LDAP db.
Fixes: administrators and maintainers can see the users' passwords in cleartext
Fixes: users can see their own password in cleartext
Fixes: cleartext password visible in source of html when modifying user account
Please note that no user could ever see another user's password and anonymous users cannot see any passwords.
Last but not least, the OpenLDAP ACL protecting the password field seems to work OK, and all network traffic with passwords was always secured by SSL/TLS.
Please help us test this new feature and report success / failure.
Index: create_maintainer.php
===================================================================
RCS file: /kolabrepository/server/kolab/kolab/admin/maintainer/create_maintainer.php,v
retrieving revision 1.7
retrieving revision 1.8
diff -u -d -r1.7 -r1.8
--- create_maintainer.php 14 Jun 2003 13:25:53 -0000 1.7
+++ create_maintainer.php 28 Nov 2003 02:01:04 -0000 1.8
@@ -208,7 +208,7 @@
}
if ($password_0 && $password_1) {
if ($password_0 == $password_1) {
- $ldap_object['userPassword'] = $password_0;
+ $ldap_object['userPassword'] = '{sha}'.base64_encode(pack("H*", sha1($password_0)));
} else {
$comment['password_1'] = "<span class=\"warning\"> Password do not match </span>";
missing_input();
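Review bot: the new userPassword value on the `+` line is unsalted {SHA}, so every account that shares a password gets the identical stored string, and anyone who can read the attribute (the commit message says administrators and maintainers can) can test candidate passwords against a precomputed table of SHA-1 digests without touching the directory again. The salted {SSHA} scheme that OpenLDAP also accepts costs one extra line: draw a few random bytes, hash the password with the salt appended, and store `'{SSHA}'.base64_encode($digest.$salt)`; the verifier recovers the salt from the decoded value. A smaller point in the unchanged context: `if ($password_0 && $password_1)` relies on PHP truthiness and treats the password "0" as missing; `strlen($password_0) > 0` is the check that was meant.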
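The encoding introduced by this commit is the RFC 2307 {SHA} userPassword scheme. The following Python is an added example, not Kolab code and not part of the original mail: it reproduces the value the PHP line produces, adds the salted {SSHA} variant, and shows a verifier that handles cleartext (the pre-1.8 storage), {SHA} and {SSHA} entries. The function names and the sample password "secret" are constructed for illustration.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

SHA1_LEN = 20  # byte length of a SHA-1 digest; everything after it in {SSHA} is salt


def sha_userpassword(password: str) -> str:
    """Unsalted {SHA}, the scheme the commit stores.

    Same bytes as PHP's '{sha}'.base64_encode(pack("H*", sha1($p))).
    Two users with the same password get the identical string.
    """
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def ssha_userpassword(password: str, salt: Optional[bytes] = None) -> str:
    """Salted {SSHA}: sha1(password + salt), stored as base64(digest + salt).

    A fresh random salt per entry means equal passwords no longer produce
    equal attribute values and precomputed digest tables do not apply.
    """
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_userpassword(stored: str, candidate: str) -> bool:
    """Check a candidate against a stored userPassword value.

    Understands cleartext (no scheme prefix), {SHA} and {SSHA}. The scheme tag
    is compared case-insensitively, so the lowercase '{sha}' written by the
    PHP code is accepted. Comparisons use constant-time equality.
    """
    cand = candidate.encode("utf-8")
    if not (stored.startswith("{") and "}" in stored):
        # Pre-1.8 entries: the attribute holds the cleartext password itself.
        return hmac.compare_digest(stored.encode("utf-8"), cand)
    scheme, b64 = stored[1:].split("}", 1)
    raw = base64.b64decode(b64)
    scheme = scheme.upper()
    if scheme == "SHA":
        return hmac.compare_digest(raw, hashlib.sha1(cand).digest())
    if scheme == "SSHA":
        digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
        return hmac.compare_digest(digest, hashlib.sha1(cand + salt).digest())
    raise ValueError("unsupported userPassword scheme: {%s}" % scheme)


if __name__ == "__main__":
    pw = "secret"  # constructed sample password
    unsalted = sha_userpassword(pw)
    salted_a = ssha_userpassword(pw)
    salted_b = ssha_userpassword(pw)
    print(unsalted)
    print(salted_a)
    print(salted_b)
    print("same password, same {SHA}:", sha_userpassword(pw) == unsalted)
    print("same password, same {SSHA}:", salted_a == salted_b)
    for stored in (pw, unsalted, salted_a):
        assert verify_userpassword(stored, pw)
        assert not verify_userpassword(stored, "Secret")
```

Running it prints the {SHA} string once and two different {SSHA} strings for the same password, which is the whole difference between the two schemes from an attacker's point of view: with {SHA}, one digest lookup breaks every account that shares that password.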