From: Tom Hughes
Date: Tue, 14 Aug 2007 23:25:58 +0000 (+0000)
Subject: Salt passwords so that two users with the same password will have
X-Git-Tag: live~8233
X-Git-Url: https://git.openstreetmap.org/rails.git/commitdiff_plain/c2b377efacf76eb8b508ec9d405f02de2ad44063

Salt passwords so that two users with the same password will have
different password hashes in the database.
---
diff --git a/app/models/user.rb b/app/models/user.rb
index bc0c9966c..ec4c2f788 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -1,6 +1,5 @@
 class User < ActiveRecord::Base
   require 'xml/libxml'
-  require 'digest/md5'
 
   has_many :traces
   has_many :diary_entries, :order => 'created_at DESC'
@@ -25,13 +24,16 @@ class User < ActiveRecord::Base
   end
 
   def encrypt_password
-    self.pass_crypt = Digest::MD5.hexdigest(pass_crypt) unless pass_crypt_confirmation.nil?
+    if pass_crypt_confirmation
+      self.pass_salt = OSM::make_token(8)
+      self.pass_crypt = OSM::encrypt_password(pass_crypt, pass_salt)
+    end
   end
 
   def self.authenticate(options)
     if options[:username] and options[:password]
       user = find(:first, :conditions => ["email = ? OR display_name = ?", options[:username], options[:username]])
-      user = nil unless user.pass_crypt == Digest::MD5.hexdigest(options[:password])
+      user = nil unless user.pass_crypt == OSM::encrypt_password(options[:password], user.pass_salt)
     elsif options[:token]
       token = UserToken.find(:first, :include => :user, :conditions => ["user_tokens.token = ?", options[:token]])
       user = token.user if token
diff --git a/lib/osm.rb b/lib/osm.rb
index ea2a58164..f458c5135 100644
--- a/lib/osm.rb
+++ b/lib/osm.rb
@@ -12,6 +12,7 @@ module OSM
   require 'rexml/parsers/sax2parser'
   require 'rexml/text'
   require 'xml/libxml'
+  require 'digest/md5'
   require 'RMagick'
 
   class Mercator
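Review bot: In `authenticate`, the new comparison dereferences `user` before checking that the lookup found anything, so a username that matches neither `email` nor `display_name` raises NoMethodError on `nil` (for `pass_crypt` and now also `pass_salt`) instead of failing the login; guard it: `user = nil unless user && user.pass_crypt == OSM::encrypt_password(options[:password], user.pass_salt)`. Accounts whose `pass_salt` is still nil keep their legacy unsalted MD5 hash until the user next changes their password, so consider re-running `encrypt_password` on a successful login to migrate them, and note that `==` on the hex digests is not a constant-time comparison. Whether `OSM::make_token(8)` draws from a cryptographic RNG is not visible in this hunk and should be confirmed, since the salt's value is what makes per-user hashes differ. The body of `authenticate` continues past the end of the hunk.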
@@ -403,4 +404,10 @@ module OSM
     return token
   end
+
+  # Return an encrypted version of a password
+  def self.encrypt_password(password, salt)
+    return Digest::MD5.hexdigest(password) if salt.nil?
+    return Digest::MD5.hexdigest(salt + password)
+  end
 
 end
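Review bot: `encrypt_password` is a single MD5 over `salt + password`, which is a fast hash with no work factor, so the salt only stops identical passwords from sharing a hash and does nothing to slow brute force of any one hash; the header comment also calls this "encrypted", which it is not, and it hides that a nil salt silently selects the unsalted legacy form. I would replace the comment with one that states the contract: `# Hash a password with its per-user salt: MD5(salt + password). A nil salt selects the legacy unsalted MD5 kept for accounts created before salting. MD5 is fast and unstretched, so this is not a slow password KDF.` Note as well that `salt + password` raises TypeError if `password` is nil, which the nil-salt branch does not protect against, so callers should ensure a password is present before calling.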