From 8cb91e28dc01d08e37311dedab17f309be0e3caa Mon Sep 17 00:00:00 2001
From: Brent Pell
Date: Wed, 20 Nov 2019 20:23:27 -0600
Subject: [PATCH 1/2] Fix for Issue #791

When you hit the "Update" button in the settings menu for any reason, no matter if you change anything or not, the password field in this file is updated and the slashes"" are stripped and PHP can't properly read the hashed password without the dollar signs escaped.
---
 lib/settings-common.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/settings-common.php b/lib/settings-common.php
index c6bccba..04a8548 100644
--- a/lib/settings-common.php
+++ b/lib/settings-common.php
@@ -164,7 +164,7 @@ define('SALT_LENGTH',12);
 // Generate hash
 function generateHash($pw) {
 // Generate Bcrypt hash
- return str_replace("\$", "\\$", password_hash($pw, PASSWORD_BCRYPT, $options = ['cost' => 10]));
+ return password_hash($pw, PASSWORD_BCRYPT, $options = ['cost' => 10]);
 }

 // Verify hash
From f095da874564517003f4d4064d5379f26a5d59a6 Mon Sep 17 00:00:00 2001
From: Brent Pell
Date: Wed, 20 Nov 2019 20:46:31 -0600
Subject: [PATCH 2/2] Update settings-update.php

---
 lib/settings-update.php | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/lib/settings-update.php b/lib/settings-update.php
index 54e5c1a..bc21cb6 100644
--- a/lib/settings-update.php
+++ b/lib/settings-update.php
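Review bot: Callers of `generateHash()` in lib/settings-common.php that write its result into a double-quoted PHP settings value now have to escape `$` themselves, and this series adds that escaping only in lib/settings-update.php. The callers are not visible in the patch, so any other code path that stores the password setting (a first-run setup path, if one exists) should be checked, and the contract is worth a comment on the function such as `// Returns the raw bcrypt hash; escape it before writing it into PHP source`. Separately, `$options = ['cost' => 10]` assigns an unused local inside the argument list; `password_hash($pw, PASSWORD_BCRYPT, ['cost' => 10])` is equivalent and reads more clearly.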
@@ -56,7 +56,12 @@ if (!$demoMode && isset($_SESSION['loggedIn']) && $_SESSION['loggedIn'] && isset
 $settingsNew .= '"'.$settingsArray[$i].'" => ';
 // Wrap certain values in double quotes
 $settingWrap = $settingsArray[$i]=="root"||$settingsArray[$i]=="password"||$settingsArray[$i]=="languageUser"||$settingsArray[$i]=="theme"||$settingsArray[$i]=="fontSize"||$settingsArray[$i]=="tagWrapperCommand"||$settingsArray[$i]=="autoComplete"||$settingsArray[$i]=="pluginPanelAligned"||$settingsArray[$i]=="githubAuthToken" ? '"' : '';
- $settingsNew .= $settingWrap.$ICEcoder[$settingsArray[$i]].$settingWrap.','.PHP_EOL;
+
+ if ($settingsArray[$i]=="password") {
+ $settingsNew .= str_replace("\$", "\\$", $settingWrap.$ICEcoder[$settingsArray[$i]].$settingWrap.','.PHP_EOL);
+ } else {
+ $settingsNew .= $settingWrap.$ICEcoder[$settingsArray[$i]].$settingWrap.','.PHP_EOL;
+ }
 }

 // Compile our new settings
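Review bot: Only `$` is escaped, and only for `password`; the `else` branch still concatenates every other double-quoted setting (`root`, `tagWrapperCommand`, `githubAuthToken` and the rest of the `$settingWrap` list) into the generated PHP verbatim. Where the `$ICEcoder[...]` values come from is not visible in the hunk, but if any of them can carry a `"`, `\` or `$`, the written settings will not parse back to what was submitted, and since the commit message indicates PHP reads this file back, that is a code-injection risk rather than a formatting problem. Emitting quoted values as real PHP literals, for example `$settingsNew .= var_export($ICEcoder[$settingsArray[$i]], true).','.PHP_EOL;` whenever `$settingWrap` is non-empty, would cover the password case and the other settings with a single rule. The enclosing loop and `if` start outside the hunk, so the handling of the unquoted values should be confirmed there as well.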