deblan-mirror/tinyfilemanager
deblan-mirror/tinyfilemanager
1
0
Fork 0
mirror of https://github.com/prasathmani/tinyfilemanager synced 2026-03-14 20:55:50 +01:00
Code Issues Projects Releases Wiki Activity

Merge 399b607987 into 6d1e962fc6

Browse source
This commit is contained in:
divinity76 2026-03-13 07:21:38 +00:00 committed by GitHub
commit 8beb515093
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
1 changed files with 32 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

33
tinyfilemanager.php
View file

@ -325,13 +325,44 @@ if ($ip_ruleset != 'OFF') {
// Checking if the user is logged in or not. If not, it will show the login form.
if ($use_auth) {
function tfm_password_verify(
#[\SensitiveParameter]
string $password,
#[\SensitiveParameter]
string $hash
): bool {
// CRYPT_MD5: $1$
// CRYPT_BLOWFISH: $2a$, $2x$, $2y$
// CRYPT_SHA256: $5$
// CRYPT_SHA512: $6$
if (
strlen($hash) >= 26 // CRYPT_MD5, the weakest known algo, yield length 26 hash.
// CRYPT_STD_DES and CRYPT_EXT_DES is not supported: They're insecure 1970's algos that nobody sane has used for decades, and they're difficult to detect.
&& $hash[0] === '$'
&& (1 === strspn($hash[1], '0123456789'))
&& ($hash[2] === '$' || $hash[3] === '$')
&& !($hash[2] === '$' && $hash[3] === '$')
) {
// it's a crypt() hash.
return password_verify($password, $hash);
}
// plaintext password.
// We still hash both inputs and use hash_equals() to protect against timing-attack-password-extraction.
// hash_equals() is only constant-time when both inputs have the same length.
// md5 is used as a compression function.
$h1 = hash("md5", $password, true);
$h2 = hash("md5", $hash, true);
return hash_equals($h1, $h2);
}
if (isset($_SESSION[FM_SESSION_ID]['logged'], $auth_users[$_SESSION[FM_SESSION_ID]['logged']])) {
// Logged
} elseif (isset($_POST['fm_usr'], $_POST['fm_pwd'], $_POST['token'])) {
// Logging In
sleep(1);
if (function_exists('password_verify')) {
if (isset($auth_users[$_POST['fm_usr']]) && isset($_POST['fm_pwd']) && password_verify($_POST['fm_pwd'], $auth_users[$_POST['fm_usr']]) && verifyToken($_POST['token'])) {
if (isset($auth_users[$_POST['fm_usr']]) && isset($_POST['fm_pwd']) && tfm_password_verify($_POST['fm_pwd'], $auth_users[$_POST['fm_usr']]) && verifyToken($_POST['token'])) {
$_SESSION[FM_SESSION_ID]['logged'] = $_POST['fm_usr'];
fm_set_msg(lng('You are logged in'));
fm_redirect(FM_SELF_URL);