FIX CVE-2017-7888

This commit is contained in:
Laurent Destailleur
2017-06-10 22:31:22 +02:00
parent 36b18f0300
commit acfaec684d
2 changed files with 11 additions and 5 deletions


@@ -60,7 +60,7 @@ function check_user_password_dolibarr($usertotest,$passwordtotest,$entitytotest=
$sql.=') AND '.$entitycol." IN (0," . ($entity ? $entity : 1) . ")"; $sql.=') AND '.$entitycol." IN (0," . ($entity ? $entity : 1) . ")";
$sql.=' AND statut = 1'; $sql.=' AND statut = 1';
// Required to first found the user into entity, then the superadmin. // Required to first found the user into entity, then the superadmin.
// For the case (TODO and that we must avoid) a user has renamed its login with same value than a user in entity 0. // For the case (TODO and that we must avoid) a user has renamed its login with same value than a user in entity 0.
$sql.=' ORDER BY entity DESC'; $sql.=' ORDER BY entity DESC';
$resql=$db->query($sql); $resql=$db->query($sql);
@@ -78,6 +78,7 @@ function check_user_password_dolibarr($usertotest,$passwordtotest,$entitytotest=
// Check crypted password // Check crypted password
$cryptType=''; $cryptType='';
if (! empty($conf->global->DATABASE_PWD_ENCRYPTED)) $cryptType=$conf->global->DATABASE_PWD_ENCRYPTED; if (! empty($conf->global->DATABASE_PWD_ENCRYPTED)) $cryptType=$conf->global->DATABASE_PWD_ENCRYPTED;
// By default, we used MD5 // By default, we used MD5
if (! in_array($cryptType,array('md5'))) $cryptType='md5'; if (! in_array($cryptType,array('md5'))) $cryptType='md5';
// Check crypted password according to crypt algorithm // Check crypted password according to crypt algorithm
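Review bot: The new side of the second hunk still collapses every configured value back to MD5 at `if (! in_array($cryptType,array('md5'))) $cryptType='md5';`, so the salted algorithm this commit's install script selects would not be honoured by this check unless the one added line of the hunk (not distinguishable on the rendered page) is what changes it. The membership test is also loose, which is the usual `in_array` footgun; prefer `if (! in_array($cryptType, array('md5'), true)) $cryptType = 'md5';` and widen the allowed list to the algorithms the verification code that follows actually supports. A `// Allowed values must match the algorithms handled below; anything else falls back to md5` comment on that line would make the fallback explicit for the next reader. check_user_password_dolibarr begins before and continues after this hunk.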


@@ -162,18 +162,23 @@ if ($action == "set" || empty($action) || preg_match('/upgrade/i',$action))
{ {
$conf->setValues($db); $conf->setValues($db);
// Create user // Create admin user
include_once DOL_DOCUMENT_ROOT .'/user/class/user.class.php'; include_once DOL_DOCUMENT_ROOT .'/user/class/user.class.php';
// Set default encryption to yes if there is no user yet into database // Set default encryption to yes, generate a salt and set default encryption algorythm (but only if there is no user yet into database)
$sql = "SELECT u.rowid, u.pass, u.pass_crypted"; $sql = "SELECT u.rowid, u.pass, u.pass_crypted";
$sql.= " FROM ".MAIN_DB_PREFIX."user as u"; $sql.= " FROM ".MAIN_DB_PREFIX."user as u";
//$sql.= " WHERE u.pass IS NOT NULL AND LENGTH(u.pass) < 32"; // Not a MD5 value
$resql=$db->query($sql); $resql=$db->query($sql);
if ($resql) if ($resql)
{ {
$numrows=$db->num_rows($resql); $numrows=$db->num_rows($resql);
if ($numrows == 0) dolibarr_set_const($db, "DATABASE_PWD_ENCRYPTED", "1",'chaine',0,'',$conf->entity); if ($numrows == 0)
{
// Define default setup for password encryption
dolibarr_set_const($db, "DATABASE_PWD_ENCRYPTED", "1", 'chaine', 0, '', $conf->entity);
dolibarr_set_const($db, "MAIN_SECURITY_SALT", dol_print_date(dol_now(), 'dayhourlog'), 'chaine', 0, '', 0); // All entities
dolibarr_set_const($db, "MAIN_SECURITY_HASH_ALGO", 'sha1md5', 'chaine', 0, '', 0); // All entities
}
} }
// Create user used to create the admin user // Create user used to create the admin user