Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Feature/blowfish #1

Open
wants to merge 23 commits into
base: feature/Blowfish
Choose a base branch
from
Open

Feature/blowfish #1

wants to merge 23 commits into from

Conversation

lennartvdd
Copy link

This commit updates your branch to current mishamx/master and fixes some compatibility issues, adds security improvements and a small bugfixes. These commits should also make it easier for mishamx to merge your branch into his master, so they can be released to the publicly available version of Yii-user

Changes:

  • Replaced Randomness extension (Unix only) with a more generally compatible static function in the User model for Blowfish salt generation
  • Added $2y$ Blowfish mode to deal with potential high-bit attacks for PHP versions >= 5.3.7
  • Fix fatal error, getting property of non object, when WebUser->id not (yet?) set.
  • Generate URL safe activation key (activation fails when blowfish is used)

mishamx and others added 23 commits July 2, 2012 23:58
@mishamx
Merge pull request mishamx#6 from Alan01252/master
fa8dd2a 
Fix redirect
@lennartvdd
Implement password salts
703d969
@hastenax
Update master
e24aa4a
@mishamx
Merge pull request mishamx#8 from hastenax/patch-1
0dd970c 
Update master
@mishamx
UWfile: added safe attribute (change is yii 1.1.12)
491f814
@lennartvdd
Improvement of password salts & small bugfix
ce7c5d8 
* Added a salt column to the user table.
* Adds a salt to users that have no salted password upon succesfull login.
* Salts are now more unique/random

* Bug fixed:
This commit fixes a bug where a password could by stored to the database
in plaintext format by the AdminController->actionUpdate() function,
when an admin would supply an unencrypted version of the old password
(effectively changing the password to itself, but skipping the encryption
methods).
@lennartvdd
Merge branch 'master' of github.com:mishamx/yii-user
1ec8dbd
@lennartvdd
Add salt column in schema files.
f574da4
@lennartvdd
Merge remote-tracking branch 'upstream/master' into feature/salted_pa…
7936b40 
…sswords
@mishamx
Now getFields static method and updateSession bugfix
8d6e791
@mishamx
WebUser UpdateSession bugfix
21dda7e
@josiasmontag
Fix lastvisit_at update on login
0078af2
@mishamx
Merge pull request mishamx#16 from mondayx/master
934df63 
Fix lastvisit_at update on login
@mishamx
Date format bugfix
385e1f5
@mishamx
Registration bugfix
3d9b6ca
@mishamx
Added sendMailToUser method
af3c90d
@mishamx
Set new default attr to WebUser
a77afe8
@lennartvdd
Merge branch 'master' of github.com:mishamx/yii-user into feature/sal…
5acc2af 
…ted_passwords

Conflicts:
	controllers/RegistrationController.php
	models/User.php
@lennartvdd
Merge branch 'feature/salted_passwords'
3077ec5
@lennartvdd
Merge branch 'master' into feature/Blowfish
38ff830 
Conflicts:
	UserModule.php
	components/UserIdentity.php
	controllers/RegistrationController.php
	models/User.php
	models/UserChangePassword.php
@lennartvdd
Fix blowfish implementation
7c27469 
* Replaced Randomness extension (Unix only) with a more generally compatible static function in the User model for Blowfish salt generation
* Added $2y$ Blowfish mode to deal with potential high-bit attacks for PHP versions >= 5.3.7
* Fix a small typo causing fatal error:wq
@lennartvdd
Fix fatal error, getting property of non object, when $id not (yet?) …
ba44d9d 
…set.
@lennartvdd
Generate URL safe activation key (activation fails when blowfish is u…
bf00b37 
…sed)
@lennartvdd
Copy link
Author

Ow.. it seems I wasn't paying enough attention. My feature/salted_passwords has also been merged in this pull. Let me know if this is a problem and I'll give you a new pull request without it..

@Alan01252
Copy link
Owner

Thanks Lennartvss, I'll review asap.

@Alan01252
Copy link
Owner

Hi lennartvdd. Sorry for the delay, this is taking a little longer than I thought for two reasons.

  1. This is the first time I've done a pull request via github
  2. There's quite a few changes and as I use this fork in some of my live sites I want to make sure everything works before merge.

Apologies again for the delay.

@lennartvdd
Copy link
Author

No worries about the delay, it's your repo, so you have full right to with it what or when you want ;)

I just liked your blowfish implementation and hope to see it in the next release (if he ever merges any of the pull requests). This way should be easier for him. Just made the mistake of joinig this pull request with my feature/salt branch, which in retrospect is going to do the exact opposite of making it easy to merge them seperately.

The upside is that both are branches are compatible this way though..

Let me know if you have any more questions

@lennartvdd lennartvdd mentioned this pull request Jan 21, 2013
Open
lennartvdd
lennartvdd reviewed Jan 21, 2013
View reviewed changes
controllers/ActivationController.php
if (isset($find)&&$find->status) {
$this->render('/user/message',array('title'=>UserModule::t("User activation"),'content'=>UserModule::t("You account is active.")));
} elseif(isset($find->activkey) && ($find->activkey==$activkey)) {
$find->activkey = UserModule::encrypting(microtime());
Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Todo: fix security risk here. Guessing the activation key becomes possible after the user activates his account if you have knowledge of when the account was last activated.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@lennartvdd @Alan01252 @mishamx @hastenax @josiasmontag