Merge pull request hestiacp#2397 from jaapmarcus/fix/block-yesscrypt-attempts-valid

ScIT-Raphael · web-flow · commit d6b6ca576e6b · 2022-02-03T22:25:03.000+01:00
Add warning if user tries to login with yesscrypt  hashed password
diff --git a/bin/v-check-user-password b/bin/v-check-user-password
@@ -62,7 +62,10 @@ if echo "$shadow" | grep -qE '^\$[0-9a-z]+\$[^\$]+\$'
 then
     salt=$(echo "$shadow" |cut -f 3 -d \$)
     method=$(echo "$shadow" |cut -f 2 -d \$)
-    if [ "$method" -eq '1' ]; then
+    if [ "$method" = "y" ]; then
+        echo "Unsuported hash method";
+        exit 1;   
+    elif [ "$method" -eq '1' ]; then
         method='md5'
     elif [ "$method" -eq '6' ]; then
         method='sha-512'
diff --git a/web/login/index.php b/web/login/index.php
@@ -107,6 +107,8 @@ function authenticate_user($user, $password, $twofa = '')
             sleep(2);
             if($return_var == 5){
                 $error = '<a class="error">' . _('Account has been suspended') . '</a>';   
+            }elseif($return_var == 1){
+                $error = '<a class="error">' . _('Unsuported hash method') . '</a>';     
             }else{
                 $error = '<a class="error">' . _('Invalid username or password') . '</a>';    
             }

Original file line number	Diff line number	Diff line change
`@@ -107,6 +107,8 @@ function authenticate_user($user, $password, $twofa = '')`
`107`	`107`	`sleep(2);`
`108`	`108`	`if($return_var == 5){`
`109`	`109`	`$error = '<a class="error">' . _('Account has been suspended') . '</a>';`
	`110`	`+ }elseif($return_var == 1){`
	`111`	`+ $error = '<a class="error">' . _('Unsuported hash method') . '</a>';`
`110`	`112`	`}else{`
`111`	`113`	`$error = '<a class="error">' . _('Invalid username or password') . '</a>';`
`112`	`114`	`}`