From ac4bcfb583e8860395b6014fe1d6b8a9c2562a84 Mon Sep 17 00:00:00 2001 From: Regis Houssin Date: Tue, 6 Sep 2011 06:53:52 +0000 Subject: [PATCH] Fix: use dol_hash instead md5 php function --- htdocs/adherents/class/adherent.class.php | 7 +++---- htdocs/admin/security.php | 4 ++-- htdocs/core/class/html.form.class.php | 2 +- htdocs/core/class/rssparser.class.php | 2 +- htdocs/core/class/smtps.class.php | 9 ++++++--- htdocs/core/class/translate.class.php | 2 +- htdocs/includes/login/functions_dolibarr.php | 2 +- htdocs/lib/CMailFile.class.php | 8 ++++---- htdocs/lib/functions.lib.php | 2 +- htdocs/lib/security.lib.php | 3 ++- htdocs/main.inc.php | 2 +- htdocs/user/class/user.class.php | 6 +++--- htdocs/user/passwordforgotten.php | 2 +- 13 files changed, 27 insertions(+), 24 deletions(-) diff --git a/htdocs/adherents/class/adherent.class.php b/htdocs/adherents/class/adherent.class.php index 48f9a089747..d88d9a0facb 100644 --- a/htdocs/adherents/class/adherent.class.php +++ b/htdocs/adherents/class/adherent.class.php @@ -759,9 +759,8 @@ class Adherent extends CommonObject // Cryptage mot de passe if ($isencrypted) { - // Crypte avec systeme encodage par defaut du PHP - //$sqlpass = crypt($password, makesalt()); - $password_indatabase = md5($password); + // Encryption + $password_indatabase = dol_hash($password); } else { @@ -1400,7 +1399,7 @@ class Adherent extends CommonObject defined('ADHERENT_SPIP_PASS') && ADHERENT_SPIP_PASS != '' && defined('ADHERENT_SPIP_DB') && ADHERENT_SPIP_DB != '' ){ - $mdpass=md5($this->pass); + $mdpass=dol_hash($this->pass); $htpass=crypt($this->pass,makesalt()); $query = "INSERT INTO spip_auteurs (nom, email, login, pass, htpass, alea_futur, statut) VALUES(\"".$this->prenom." ".$this->nom."\",\"".$this->email."\",\"".$this->login."\",\"$mdpass\",\"$htpass\",FLOOR(32000*RAND()),\"1comite\")"; // $mydb=new Db('mysql',ADHERENT_SPIP_SERVEUR,ADHERENT_SPIP_USER,ADHERENT_SPIP_PASS,ADHERENT_SPIP_DB); 
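Review bot: `$password_indatabase = dol_hash($password);` still stores the member password as an unsalted MD5 digest, because dol_hash() keeps type 0 (md5) as its default (see the security.lib.php hunk), so the rewrite centralises the call without changing the exposure of stored hashes to offline guessing. The same holds for `pass_crypted` in admin/security.php and `$password_crypted` in user.class.php @@ -1243, and the `$salt` parameter this commit adds to dol_hash() is not passed at any of these sites. The removed comment pointed at `crypt($password, makesalt())`, which the @@ -1400 hunk of this same file still uses for `$htpass`, so a salted primitive already exists in the project. At minimum pin and document the algorithm so the weakness is visible at the call site: `$password_indatabase = dol_hash($password, 0); // type 0 = unsalted MD5 (dol_hash default)`. The enclosing method starts and ends outside this hunk.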
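Review bot: `$mdpass=dol_hash($this->pass);` feeds the `pass` column of an external SPIP table, so the digest format is a contract with another application, and relying on dol_hash()'s default instead of naming the type means a later change of that default silently breaks SPIP logins. Pin it: `$mdpass=dol_hash($this->pass, 0); // keep MD5: the SPIP side was written against md5()`. The other call sites where the output leaves Dolibarr's control or keys persistent data have the same coupling and should pass the type explicitly too — the Gravatar URL in html.form.class.php (its markup is stripped from this view, so that is inferred from the diffstat), the `['md5']` fields guarded by getMD5flag() in smtps.class.php, the cache file name in rssparser.class.php, the memcached key in translate.class.php, the `passwordmd5` link/check pair in user.class.php @@ -1409 and passwordforgotten.php, and dol_getprefix() in functions.lib.php. Outside this commit's change but visible in the same lines, the `INSERT INTO spip_auteurs` query still interpolates `$this->prenom`, `$this->nom`, `$this->email` and `$this->login` unescaped. The enclosing method starts and ends outside this hunk.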
diff --git a/htdocs/admin/security.php b/htdocs/admin/security.php index 454239eb02b..8399c46a34b 100644 --- a/htdocs/admin/security.php +++ b/htdocs/admin/security.php @@ -74,10 +74,10 @@ if ($_GET["action"] == 'activate_encrypt') while ($i < $numrows) { $obj=$db->fetch_object($resql); - if (md5($obj->pass)) + if (dol_hash($obj->pass)) { $sql = "UPDATE ".MAIN_DB_PREFIX."user"; - $sql.= " SET pass_crypted = '".md5($obj->pass)."', pass = NULL"; + $sql.= " SET pass_crypted = '".dol_hash($obj->pass)."', pass = NULL"; $sql.= " WHERE rowid=".$obj->rowid; //print $sql; diff --git a/htdocs/core/class/html.form.class.php b/htdocs/core/class/html.form.class.php index a3598631489..e9a2241021a 100644 --- a/htdocs/core/class/html.form.class.php +++ b/htdocs/core/class/html.form.class.php @@ -3476,7 +3476,7 @@ class Form { global $dolibarr_main_url_root; $ret.=''; - $ret.='Photo found on Gravatar'; + $ret.='Photo found on Gravatar'; } else { diff --git a/htdocs/core/class/rssparser.class.php b/htdocs/core/class/rssparser.class.php index fbe033ec3a6..22bd31910dc 100755 --- a/htdocs/core/class/rssparser.class.php +++ b/htdocs/core/class/rssparser.class.php @@ -90,7 +90,7 @@ class RssParser } $this->_urlRSS = $urlRSS; - $newpathofdestfile=$cachedir.'/'.md5($this->_urlRSS); + $newpathofdestfile=$cachedir.'/'.dol_hash($this->_urlRSS); $newmask='0644'; //dol_syslog("RssPArser::parser parse url=".$urlRSS." => cache file=".$newpathofdestfile); diff --git a/htdocs/core/class/smtps.class.php b/htdocs/core/class/smtps.class.php index f4a8c4008a8..e38891a236e 100755 --- a/htdocs/core/class/smtps.class.php +++ b/htdocs/core/class/smtps.class.php @@ -1932,7 +1932,7 @@ class SMTPs $this->_msgContent[$strType]['data'] = $strContent; if ( $this->getMD5flag() ) - $this->_msgContent[$strType]['md5'] = md5($strContent); + $this->_msgContent[$strType]['md5'] = dol_hash($strContent); //} } 
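Review bot: `if (dol_hash($obj->pass))` is always true — dol_hash() returns a non-empty hex string for any input, including an empty password — so the condition guards nothing, and the digest is then computed a second time inside the UPDATE. If the intent is to skip accounts with no plaintext password, test the input and hash once: `if ((string) $obj->pass !== '') {`, then `$crypted = dol_hash($obj->pass);` and `$sql.= " SET pass_crypted = '".$crypted."', pass = NULL";`. The hunk header shows this rewrite of every user's `pass_crypted` runs off `$_GET["action"] == 'activate_encrypt'`; no anti-CSRF token check is visible in the hunk, though one may exist outside it. The enclosing loop starts outside this hunk.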
@@ -2114,7 +2114,7 @@ class SMTPs $this->_msgContent['attachment'][$strFileName]['data'] = $strContent; if ( $this->getMD5flag() ) - $this->_msgContent['attachment'][$strFileName]['md5'] = md5($strContent); + $this->_msgContent['attachment'][$strFileName]['md5'] = dol_hash($strContent); } } @@ -2144,7 +2144,7 @@ class SMTPs $this->_msgContent['image'][$strImageName]['data'] = $strContent; if ( $this->getMD5flag() ) - $this->_msgContent['image'][$strFileName]['md5'] = md5($strContent); + $this->_msgContent['image'][$strFileName]['md5'] = dol_hash($strContent); } } // END DOL_CHANGE LDR @@ -2519,6 +2519,9 @@ class SMTPs /** * $Log: smtps.class.php,v $ + * Revision 1.2 2011/09/06 06:53:53 hregis + * Fix: use dol_hash instead md5 php function + * * Revision 1.1 2011/09/03 00:14:27 eldy * Doxygen * diff --git a/htdocs/core/class/translate.class.php b/htdocs/core/class/translate.class.php index f1f707a658f..cf969c828ac 100644 --- a/htdocs/core/class/translate.class.php +++ b/htdocs/core/class/translate.class.php @@ -216,7 +216,7 @@ class Translate { // Using a memcached server if (! empty($conf->memcached->enabled) && ! empty($conf->global->MEMCACHED_SERVER)) { - $usecachekey=$newdomain.'_'.$langofdir.'_'.md5($file_lang); // Should not contains special chars + $usecachekey=$newdomain.'_'.$langofdir.'_'.dol_hash($file_lang); // Should not contains special chars } // Using cache with shmop. Speed gain: 40ms - Memory overusage: 200ko (Size of session cache file) else if (isset($conf->global->MAIN_OPTIMIZE_SPEED) && ($conf->global->MAIN_OPTIMIZE_SPEED & 0x02)) diff --git a/htdocs/includes/login/functions_dolibarr.php b/htdocs/includes/login/functions_dolibarr.php index f328846d1be..28c93cc7319 100644 --- a/htdocs/includes/login/functions_dolibarr.php +++ b/htdocs/includes/login/functions_dolibarr.php 
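Review bot: In @@ -2144 the rewritten line `$this->_msgContent['image'][$strFileName]['md5'] = dol_hash($strContent);` indexes by `$strFileName`, while the `['data']` assignment two lines above uses `$strImageName`, so the digest lands under a different key from the content it describes — and if `$strFileName` is not defined in this method (its signature is outside the hunk) it lands under an empty key with a notice. The @@ -2114 attachment hunk uses a single variable consistently, which suggests a copy-paste slip carried over from the md5() version. Change it to `$this->_msgContent['image'][$strImageName]['md5'] = dol_hash($strContent);`. Since getMD5flag() and the `'md5'` key imply a Content-MD5-style digest, also pass the type explicitly (`dol_hash($strContent, 0)`) here and in @@ -1932 and @@ -2114 so the field stays MD5 if the default ever changes.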
@@ -71,7 +71,7 @@ function check_user_password_dolibarr($usertotest,$passwordtotest,$entitytotest= // Check crypted password according to crypt algorithm if ($cryptType == 'md5') { - if (md5($passtyped) == $passcrypted) + if (dol_hash($passtyped) == $passcrypted) { $passok=true; dol_syslog("functions_dolibarr::check_user_password_dolibarr Authentification ok - ".$cryptType." of pass is ok"); diff --git a/htdocs/lib/CMailFile.class.php b/htdocs/lib/CMailFile.class.php index 307c2f7391c..9c2a1059e91 100644 --- a/htdocs/lib/CMailFile.class.php +++ b/htdocs/lib/CMailFile.class.php @@ -107,13 +107,13 @@ class CMailFile //if (preg_match('/^mac/i',PHP_OS)) $this->eol="\r"; // On defini mixed_boundary - $this->mixed_boundary = md5(uniqid("dolibarr1")); + $this->mixed_boundary = dol_hash(uniqid("dolibarr1")); // On defini related_boundary - $this->related_boundary = md5(uniqid("dolibarr2")); + $this->related_boundary = dol_hash(uniqid("dolibarr2")); // On defini alternative_boundary - $this->alternative_boundary = md5(uniqid("dolibarr3")); + $this->alternative_boundary = dol_hash(uniqid("dolibarr3")); // If ending method not defined if (empty($conf->global->MAIN_MAIL_SENDMODE)) $conf->global->MAIN_MAIL_SENDMODE='mail'; @@ -884,7 +884,7 @@ class CMailFile $this->html_images[$i]["content_type"] = $this->image_types[$ext]; // cid - $this->html_images[$i]["cid"] = md5(uniqid(time())); + $this->html_images[$i]["cid"] = dol_hash(uniqid(time())); $this->html = preg_replace("/src=\"$src\"|src='$src'/i", "src=\"cid:".$this->html_images[$i]["cid"]."\"", $this->html); } $i++; diff --git a/htdocs/lib/functions.lib.php b/htdocs/lib/functions.lib.php index c5f2144ce8c..7d6fc9f3fd1 100644 --- a/htdocs/lib/functions.lib.php +++ b/htdocs/lib/functions.lib.php 
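Review bot: `if (dol_hash($passtyped) == $passcrypted)` compares two digest strings with loose `==`; PHP treats numeric-looking strings (for instance ones of the form `0e<digits>`) as numbers under `==`, so two different digests of that shape compare equal, which lets a wrong password whose digest has that shape pass against a stored digest of the same shape. Use strict comparison, and since this branch is explicitly `$cryptType == 'md5'`, name the algorithm instead of relying on dol_hash()'s default: `if (dol_hash($passtyped, 0) === $passcrypted)`. The same loose comparison is in passwordforgotten.php (`dol_hash($edituser->pass_temp) == $passwordmd5`), where `$passwordmd5` comes from the request. A constant-time comparison is preferable where the runtime offers one. The enclosing function continues outside this hunk.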
@@ -92,7 +92,7 @@ function GETPOST($paramname,$check='',$method=0) */ function dol_getprefix() { - return md5($_SERVER["SERVER_NAME"].$_SERVER["DOCUMENT_ROOT"].DOL_DOCUMENT_ROOT.DOL_URL_ROOT); + return dol_hash($_SERVER["SERVER_NAME"].$_SERVER["DOCUMENT_ROOT"].DOL_DOCUMENT_ROOT.DOL_URL_ROOT); } /** diff --git a/htdocs/lib/security.lib.php b/htdocs/lib/security.lib.php index 5054ab389b5..a5f3f787fbf 100644 --- a/htdocs/lib/security.lib.php +++ b/htdocs/lib/security.lib.php @@ -467,9 +467,10 @@ function getRandomPassword($generic=false) * Returns a hash of a string * @param chain String to hash * @param type Type of hash (0:md5, 1:sha1, 2:sha1+md5) + * @param salt Salt * @return hash hash of string */ -function dol_hash($chain,$type=0) +function dol_hash($chain,$type=0,$salt='') { if ($type == 1) return sha1($chain); else if ($type == 2) return sha1(md5($chain)); diff --git a/htdocs/main.inc.php b/htdocs/main.inc.php index c98166657f9..d3d8c9169a0 100644 --- a/htdocs/main.inc.php +++ b/htdocs/main.inc.php @@ -244,7 +244,7 @@ if ((! empty($conf->global->MAIN_VERSION_LAST_UPGRADE) && ($conf->global->MAIN_V // Creation of a token against CSRF vulnerabilities if (! defined('NOTOKENRENEWAL')) { - $token = md5(uniqid(mt_rand(),TRUE)); // Genere un hash d'un nombre aleatoire + $token = dol_hash(uniqid(mt_rand(),TRUE)); // Genere un hash d'un nombre aleatoire // roulement des jetons car cree a chaque appel if (isset($_SESSION['newtoken'])) $_SESSION['token'] = $_SESSION['newtoken']; $_SESSION['newtoken'] = $token; diff --git a/htdocs/user/class/user.class.php b/htdocs/user/class/user.class.php index 19bc77bea58..00a70f7d66c 100644 --- a/htdocs/user/class/user.class.php +++ b/htdocs/user/class/user.class.php 
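Review bot: `function dol_hash($chain,$type=0,$salt='')` gains a `$salt` parameter, but neither visible line of the body uses it — `sha1($chain)` and `sha1(md5($chain))` hash `$chain` alone — so if the remainder of the body (outside this hunk) ignores it as well, a caller that passes a salt gets an unsalted digest with no indication. The docblock line `@param salt Salt` should say how the salt is combined and for which types it takes effect, e.g. `@param salt Salt combined with chain before hashing ('' = unsalted); state the types it applies to`, and the body should either honour it for every type or reject it for the types that cannot use it. The same docblock should also state that types 0–2 are fast, unsalted-by-default digests meant for identifiers and integrity rather than password storage, since several callers in this commit use them for exactly that. The function body continues outside this hunk.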
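Review bot: In the main.inc.php hunk, `$token = dol_hash(uniqid(mt_rand(),TRUE));` derives the anti-CSRF token from `uniqid()` (time-based) and `mt_rand()`, neither of which is a cryptographic generator, and hashing the result adds no unpredictability, so the token's strength is bounded by that input exactly as it was with md5(). Prefer a CSPRNG for the raw material where the runtime provides one (`openssl_random_pseudo_bytes()` when the OpenSSL extension is loaded), keeping the `uniqid()`/`mt_rand()` form only as a fallback, and add `// token unpredictability comes from the random source, not from the hash` so the next edit does not "strengthen" the hash instead. The `if (! defined('NOTOKENRENEWAL'))` block closes outside this hunk.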
@@ -1041,7 +1041,7 @@ class User extends CommonObject $this->phenix_login = trim($this->phenix_login); if ($this->phenix_pass != $this->phenix_pass_crypted) { - $this->phenix_pass = md5(trim($this->phenix_pass)); + $this->phenix_pass = dol_hash(trim($this->phenix_pass)); } $this->admin = $this->admin?$this->admin:0; @@ -1243,7 +1243,7 @@ class User extends CommonObject } // Crypte avec md5 - $password_crypted = md5($password); + $password_crypted = dol_hash($password); // Mise a jour if (! $changelater) @@ -1409,7 +1409,7 @@ class User extends CommonObject $mesg.= $langs->trans("Password")." : $password\n\n"; $mesg.= "\n"; $mesg.= "You must click on the folowing link to validate its change.\n"; - $url = $urlwithouturlroot.DOL_URL_ROOT.'/user/passwordforgotten.php?action=validatenewpassword&username='.$this->login."&passwordmd5=".md5($password); + $url = $urlwithouturlroot.DOL_URL_ROOT.'/user/passwordforgotten.php?action=validatenewpassword&username='.$this->login."&passwordmd5=".dol_hash($password); $mesg.= $url."\n\n"; $mesg.= "If you didn't ask anything, just forget this email\n\n"; dol_syslog("User::send_password url=".$url); diff --git a/htdocs/user/passwordforgotten.php b/htdocs/user/passwordforgotten.php index 3265ebade77..b3842455938 100644 --- a/htdocs/user/passwordforgotten.php +++ b/htdocs/user/passwordforgotten.php @@ -64,7 +64,7 @@ if ($action == 'validatenewpassword' && $username && $passwordmd5) } else { - if (md5($edituser->pass_temp) == $passwordmd5) + if (dol_hash($edituser->pass_temp) == $passwordmd5) { $newpassword=$edituser->setPassword($user,$edituser->pass_temp,0); dol_syslog("passwordforgotten.php new password for user->id=".$edituser->id." validated in database");
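Review bot: In @@ -1243 the comment `// Crypte avec md5` above `$password_crypted = dol_hash($password);` now names the very algorithm the dol_hash() indirection is meant to abstract away, and it becomes wrong the moment the default type changes. Either pin the type so the comment stays true, `$password_crypted = dol_hash($password, 0); // MD5 (dol_hash type 0)`, or replace the comment with `// Hash with dol_hash() (default type; currently unsalted MD5)`. The equivalent stale wording was removed in adherent.class.php @@ -759 but kept here. The enclosing method continues outside the hunk.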