Changeset 2942064
- Timestamp: 07/23/2023 11:11:41 AM
- Location: password-hash
- Files: 7 added, 4 edited
password-hash/trunk/composer.json
r2149096 r2942064 8 8 { 9 9 "name": "Ayesh Karunaratne", 10 "email": "ayesh@aye sh.me",11 "homepage": "https://aye sh.me"10 "email": "ayesh@aye", 11 "homepage": "https://aye" 12 12 } 13 13 ], … … 17 17 }, 18 18 "require": { 19 "php": ">= 5.5.0",19 "php": ">=.0", 20 20 "composer/installers": "~1.0" 21 21 }, … … 24 24 "Ayesh\\WP_PasswordHash\\": "src/" 25 25 }, 26 "files": ["wp-php-password-hash.php"] 26 "files": [ 27 "wp-php-password-hash.php" 28 ] 27 29 } 28 30 } -
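Review bot: the new `php` constraint on line 19 renders here as `">=.0"` with the changed characters dropped, so the minimum version this commit sets cannot be verified from the diff; the old value was `">= 5.5.0"`. Because wp-php-password-hash.php in the same changeset adds a `: bool` return type to `wp_check_password()`, which is a parse error on PHP 5.x, the constraint has to be at least `>=7.0` and should agree with the `Requires PHP:` header in readme.txt. Splitting the `files` array over three lines (new 26-28) is fine.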
password-hash/trunk/readme.txt
r2714540 r2942064 1 === PHP Native password hash ===1 === PHP Native ash === 2 2 Contributors: ayeshrajans 3 3 Tags: password, password hashing, password_hash, bcrypt, argon2, argon2i, argon2id, sodium, password security, security 4 Requires at least: 3.9.25 Tested up to: 6. 06 Stable tag: 2.17 Requires PHP: 5.54 Requires at least: .2 5 Tested up to: 6. 6 Stable tag: 7 Requires PHP: 8 8 License: GPLv2 or later 9 9 License URI: https://www.gnu.org/licenses/gpl-2.0.html … … 22 22 * PHP might come up with newer password hashing algorithms, and they will be automatically supported without having to reset all the passwords. 23 23 24 This plugin was made initially because one of our applications used Word press for authentication, but we needed to use an external system25 to verify the passwords directly from the database too. Since Word press has its own password hashing algorithm, we decided to make this plugin to address that problem.26 With this plugin, passwords generated by both Word press and other custom applications now use the PHP's default `password_hash()` functions without compromising any of the applicationssecurity.24 This plugin was made initially because one of our applications used Wordress for authentication, but we needed to use an external system 25 to verify the passwords directly from the database too. Since Wordress has its own password hashing algorithm, we decided to make this plugin to address that problem. 26 With this plugin, passwords generated by both Word security. 27 27 28 28 == Installation == … … 50 50 The easiest way would be to check your database from PHPMyAdmin or any other software in its line. Check if the password 51 51 hash field in your users table has the format `$2y$10...`. Those who have not updated their hashes will have a different 52 format. However, if the plugin is unable to override the password hashing algorithm from Word press core, you will see a52 format. 
However, if the plugin is unable to override the password hashing algorithm from Wordress core, you will see a 53 53 notification in your dashboard. If you do not see anything, you are golden. 54 54 … … 60 60 Open your `wp-config.php` file at the root of your WordPress site, and find the line that says `That's all, stop editing! Happy publishing`. 61 61 Above this line, you can configure the hashing algorithm you want this plugin to use. Note that a wrong configuration value 62 means your users will not be able to log in until you fix this configuration option. It's not recommended that you set62 means your users will not be able to login until you fix this configuration option. It's not recommended that you set 63 63 this configuration value unless you know what you are doing. 64 64 … … 104 104 105 105 = 1.2 = 106 * This plugin now requires Word press minimum version 3.9.2 the least, and uses the hash_equals() function polyfill provided by Wordpress core.106 * This plugin now requires Wordress core. 107 107 108 108 = 1.4 = 109 109 * Skipped 1.3 version because a WIP Argon2i support conflicted with the bug fix (#2). Argon2i support will be added in a future release. 110 * Fixes an error with password validation when the PasswordHash class from Word press core is not loaded. See https://github.com/Ayesh/wordpress-password-hash/pull/2110 * Fixes an error with password validation when the PasswordHash class from Wordress core is not loaded. See https://github.com/Ayesh/wordpress-password-hash/pull/2 111 111 112 112 = 1.5 = … … 118 118 Core functionality of the plugin is extracted to a separate class. This plugin aims to be as light-weight as possible, and this version cuts the main plugin file size to less than half the v1.x size. 119 119 120 There is a new namespaced PasswordHash class that is morecleaner and well-structured compared to our v1 code base.120 There is a new namespaced PasswordHash class that is cleaner and well-structured compared to our v1 code base. 
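Review bot: line 62 changes "not be able to log in" to "not be able to login", which is a regression ("log in" is the verb, "login" the noun); revert that one word. The changed spans on lines 1, 4-7, 24-26 and 106 are dropped by this rendering (`Stable tag:` and `Requires PHP:` show no value, line 26 ends at "Word security."), so the new header values and the WordPress-name fixes cannot be checked here; confirm that `Stable tag:` matches the `Version:` header in wp-php-password-hash.php and that the five lines added at 130-134 carry a changelog entry for this release, since the last visible entry still ends with the "Tested up to" bump to 5.6.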
121 121 122 * Fixes a bug that the hook-provided hash cost changes did not trigger a password rehash. Thanks to Steve Thomas (Sc00bz on Git hub).122 * Fixes a bug that the hook-provided hash cost changes did not trigger a password rehash. Thanks to Steve Thomas (Sc00bz on Gitub). 123 123 * Adds support for Argon2I, Argon2ID and any future hashing algorithms PHP will introduce. See the updated FAQ item on how to use the new hashing algorithms. 124 124 * Removed a helper function used to trigger an admin warning if the plugin cannot properly work. The notices are now shown with help of lambda functions (which further reduces the code bloat and load). … … 127 127 * Adds support for "WP_PASSWORD_HASH_OPTIONS" configuration option that can be set in `wp-config.php` to configure password hashing options. 128 128 * Update WordPress core "Tested up to" field to WordPress 5.6. 129 130 131 132 133 134 -
password-hash/trunk/src/PasswordHash.php
r2401236 r2942064 3 3 namespace Ayesh\WP_PasswordHash; 4 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 5 26 final class PasswordHash { 6 private $algorithm = \PASSWORD_DEFAULT;27 private $algorithm = PASSWORD_DEFAULT; 7 28 private $algorithm_options = []; 8 29 private $wpdb; 9 30 const TEXT_DOMAIN = 'password-hash'; 10 31 11 public function __construct( \wpdb $wpdb) {32 public function __construct(wpdb $wpdb) { 12 33 $this->wpdb = $wpdb; 13 34 $this->initializePasswordConfig(); … … 15 36 16 37 private function initializePasswordConfig() { 17 if ( \defined('WP_PASSWORD_HASH_ALGO')) {18 $this->algorithm = \WP_PASSWORD_HASH_ALGO;38 if (defined('WP_PASSWORD_HASH_ALGO')) { 39 $this->algorithm = WP_PASSWORD_HASH_ALGO; 19 40 20 if ( \defined('WP_PASSWORD_HASH_OPTIONS') && is_array(\WP_PASSWORD_HASH_OPTIONS)) {21 $this->algorithm_options = \WP_PASSWORD_HASH_OPTIONS;41 if (WP_PASSWORD_HASH_OPTIONS)) { 42 $this->algorithm_options = WP_PASSWORD_HASH_OPTIONS; 22 43 } 23 $this->algorithm_options = \apply_filters( 'wp_php_password_hash_options', $this->algorithm_options );44 $this->algorithm_options = apply_filters( 'wp_php_password_hash_options', $this->algorithm_options ); 24 45 } 25 46 } … … 27 48 public static function setAdminWarning($message) { 28 49 $message = __($message, self::TEXT_DOMAIN); 29 \add_action( 'admin_notices', static function () use ($message) {50 add_action( 'admin_notices', static function () use ($message) { 30 51 print "<div class='notice notice-error'><p>{$message}</p></div>"; 31 52 } … … 48 69 * 49 70 */ 50 public function checkPassword($password, $hash, $user_id = '') {71 public function checkPassword($password, $hash, $user_id = '') { 51 72 // Check if the hash uses Password API. 52 $info = \password_get_info($hash);73 $info = password_get_info($hash); 53 74 if (!empty($info['algo'])) { 54 75 return $this->checkPasswordNative($password, $hash, $user_id); … … 56 77 57 78 // Is it god forbid MD5? 
58 if ( \strlen($hash) <= 32 ) {79 if ( strlen($hash) <= 32 ) { 59 80 return $this->checkPasswordMD5($password, $hash, $user_id); 60 81 } … … 71 92 */ 72 93 public function getHash($password) { 73 return \password_hash($password, $this->algorithm, $this->algorithm_options);94 return password_hash($password, $this->algorithm, $this->algorithm_options); 74 95 } 75 96 … … 87 108 $this->wpdb->update($this->wpdb->users, $fields, $conditions); 88 109 89 \wp_cache_delete( $user_id, 'users' );110 wp_cache_delete( $user_id, 'users' ); 90 111 91 112 return $hash; … … 93 114 94 115 private function checkPasswordNative($password, $hash, $user_id = '') { 95 $check = \password_verify($password, $hash);96 $rehash = \password_needs_rehash($hash, $this->algorithm, $this->algorithm_options);116 $check = password_verify($password, $hash); 117 $rehash = password_needs_rehash($hash, $this->algorithm, $this->algorithm_options); 97 118 return $this->processPasswordCheck($check, $password, $hash, $user_id, $rehash); 98 119 } 99 120 100 121 private function checkPasswordMD5($password, $hash, $user_id = '') { 101 $check = \hash_equals( $hash, \md5( $password ) );122 $check = md5( $password ) ); 102 123 return $this->processPasswordCheck($check, $password, $hash, $user_id); 103 124 } … … 107 128 108 129 if ( empty($wp_hasher) ) { 109 if( ! \class_exists('PasswordHash') ) {130 if( !class_exists('PasswordHash') ) { 110 131 require_once ABSPATH . WPINC . '/class-phpass.php'; 111 132 } … … 122 143 } 123 144 124 return \apply_filters( 'check_password', $check, $password, $hash, $user_id );145 return apply_filters( 'check_password', $check, $password, $hash, $user_id ); 125 146 } 126 147 } -
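Review bot: dropping the leading backslash on `\wpdb` (line 32) and `\PASSWORD_DEFAULT` (line 27) inside `namespace Ayesh\WP_PasswordHash` only works if the twenty lines added at 5-25, whose content this view does not show, import them: unqualified function and constant names fall back to the global namespace, but an unqualified class name does not, so without `use wpdb;` the constructor type hint resolves to `Ayesh\WP_PasswordHash\wpdb` and every construction fails with a TypeError. Two new lines also render unbalanced, line 41 `if (WP_PASSWORD_HASH_OPTIONS)) {` and line 122 `$check = md5( $password ) );`; if that is only the viewer dropping the changed span, confirm that the `defined()`/`is_array()` guard from old line 20 and the constant-time `hash_equals()` comparison from old line 101 survive, because a plain `==` against the MD5 hex string would give up the timing protection the old code had.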
password-hash/trunk/wp-php-password-hash.php
r2151003 r2942064 1 1 <?php 2 2 /** 3 * Plugin Name: PHP native password hash4 * Version: 2.13 * Plugin Name: PHP ash 4 * Version: 5 5 * Description: Swaps out WordPress's password hashing mechanism with PHP 5.5's `password_hash()` functions set, and automatically rehashes the existing passwords on users next successful login. Provides safety against dictionary attacks, time-attacks, brute-force attacks. 6 6 * Licence: GPLv2 or later 7 7 * Author: Ayesh Karunaratne 8 * Author URI: https://aye sh.me/open-source8 * Author URI: https://aye/open-source 9 9 */ 10 11 10 12 11 13 if ( function_exists( 'wp_hash_password' ) ) { … … 20 22 * @return \Ayesh\WP_PasswordHash\PasswordHash 21 23 */ 22 function wp_password_hash_include() {24 function wp_password_hash_include() { 23 25 static $hasher; 24 26 require_once __DIR__ . '/src/PasswordHash.php'; 25 27 if ( ! $hasher ) { 26 28 global $wpdb; 27 $hasher = new \Ayesh\WP_PasswordHash\PasswordHash( $wpdb );29 $hasher = new PasswordHash( $wpdb ); 28 30 } 29 31 … … 34 36 * The function calls below override the WordPress-provided functions. 35 37 * 36 * All ofthe plugin functionality is contained in @see38 * All the plugin functionality is contained in @see 37 39 * \Ayesh\WP_PasswordHash\PasswordHash class. Check the called proxy method for 38 40 * further documentation. … … 41 43 if ( ! 
function_exists( 'wp_hash_password' ) && function_exists( 'password_hash' ) ) : 42 44 43 function wp_check_password( $password, $hash, $user_id = '' ) { 44 $hasher = wp_password_hash_include(); 45 return $hasher->checkPassword( $password, $hash, $user_id ); 45 function wp_check_password( $password, $hash, $user_id = '' ): bool { 46 return wp_password_hash_include()->checkPassword( $password, $hash, $user_id ); 46 47 } 47 48 48 49 function wp_hash_password( $password ) { 49 $hasher = wp_password_hash_include(); 50 return $hasher->getHash( $password ); 50 return wp_password_hash_include()->getHash( $password ); 51 51 } 52 52 53 53 function wp_set_password( $password, $user_id ) { 54 $hasher = wp_password_hash_include(); 55 return $hasher->updateHash( $password, $user_id ); 54 return wp_password_hash_include()->updateHash( $password, $user_id ); 56 55 } 57 56
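Review bot: `new PasswordHash( $wpdb )` on line 29 replaces the fully qualified `\Ayesh\WP_PasswordHash\PasswordHash`, but this file declares no namespace, so unless the two lines added at 10-11 (not rendered here) contain `use Ayesh\WP_PasswordHash\PasswordHash;`, the name resolves to the global `PasswordHash`, which is WordPress core's phpass class from class-phpass.php (the very class src/PasswordHash.php checks for at line 130), not the plugin's hasher; the docblocks at lines 22 and 39 still spell out the namespaced name, so keep the instantiation consistent with them. Line 45 adds `: bool` to `wp_check_password()` but not to `wp_hash_password()` or `wp_set_password()`; the return type also makes this file a parse error on PHP 5.x while the Description on line 5 still advertises PHP 5.5, and since the value comes from `apply_filters( 'check_password', ... )` (src line 145), a filter that returns null or an array will now throw a TypeError instead of being treated as a failed check.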