From c2b377efacf76eb8b508ec9d405f02de2ad44063 Mon Sep 17 00:00:00 2001
From: Tom Hughes
Date: Tue, 14 Aug 2007 23:25:58 +0000
Subject: [PATCH] Salt passwords so that two users with the same password will have different password hashes in the database.

---
 app/models/user.rb | 8 +++++---
 lib/osm.rb | 7 +++++++
 2 files changed, 12 insertions(+), 3 deletions(-)

diff --git a/app/models/user.rb b/app/models/user.rb
index bc0c9966c..ec4c2f788 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -1,6 +1,5 @@
 class User < ActiveRecord::Base
   require 'xml/libxml'
-  require 'digest/md5'
 
   has_many :traces
   has_many :diary_entries, :order => 'created_at DESC'
@@ -25,13 +24,16 @@ class User < ActiveRecord::Base
   end
 
   def encrypt_password
-    self.pass_crypt = Digest::MD5.hexdigest(pass_crypt) unless pass_crypt_confirmation.nil?
+    if pass_crypt_confirmation
+      self.pass_salt = OSM::make_token(8)
+      self.pass_crypt = OSM::encrypt_password(pass_crypt, pass_salt)
+    end
   end
 
   def self.authenticate(options)
     if options[:username] and options[:password]
       user = find(:first, :conditions => ["email = ? OR display_name = ?", options[:username], options[:username]])
-      user = nil unless user.pass_crypt == Digest::MD5.hexdigest(options[:password])
+      user = nil unless user.pass_crypt == OSM::encrypt_password(options[:password], user.pass_salt)
     elsif options[:token]
       token = UserToken.find(:first, :include => :user, :conditions => ["user_tokens.token = ?", options[:token]])
       user = token.user if token
diff --git a/lib/osm.rb b/lib/osm.rb
index ea2a58164..f458c5135 100644
--- a/lib/osm.rb
+++ b/lib/osm.rb
@@ -12,6 +12,7 @@ module OSM
   require 'rexml/parsers/sax2parser'
   require 'rexml/text'
   require 'xml/libxml'
+  require 'digest/md5'
   require 'RMagick'
 
   class Mercator
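Review bot: In `self.authenticate`, the new comparison line still dereferences `user` before checking that `find` returned one, so an unknown username now raises NoMethodError twice over (`user.pass_crypt` and the newly added `user.pass_salt`) instead of yielding nil; guard it with `user = nil unless user && user.pass_crypt == OSM::encrypt_password(options[:password], user.pass_salt)`. The `salt.nil?` fallback in OSM::encrypt_password keeps pre-existing rows valid, but nothing here re-hashes them, so a successful login of a salt-less user is the natural place to set `pass_salt` and re-encrypt so the unsalted MD5 values eventually leave the database. `self.authenticate` continues past the end of this hunk, and `encrypt_password` relies on `OSM::make_token`, which is not visible here.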
@@ -403,4 +404,10 @@ module OSM
 
     return token
   end
+
+  # Return an encrypted version of a password
+  def self.encrypt_password(password, salt)
+    return Digest::MD5.hexdigest(password) if salt.nil?
+    return Digest::MD5.hexdigest(salt + password)
+  end
 end
--
2.39.5
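Review bot: The comment on the new `OSM.encrypt_password` is misleading: the method hashes rather than encrypts, and the `salt.nil?` branch is a compatibility path that a reader would not guess is intentional. I would replace the one-line comment with `# Hash a password with the given salt (MD5 of salt + password); a nil salt selects the legacy unsalted form so rows stored before salting was introduced still verify.` It is also worth noting in that comment that MD5 is a fast digest, so the salt only prevents identical passwords from sharing a hash and does not slow down guessing of a leaked table; a deliberately slow password hash is the usual remedy when this is next touched. The method appears complete within the hunk, but `make_token`, whose output becomes the salt, is outside it.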