From ab330a749db8c75b9a38a77536358be60a3e5163 Mon Sep 17 00:00:00 2001
From: Jerome Jutteau
Date: Wed, 5 Dec 2012 18:52:27 +0000
Subject: [PATCH 1/1] remove clear text password storage
---
 file.php | 2 +-
 lib/functions.php | 7 ++++++-
 2 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/file.php b/file.php
index 7916fb8..edf0199 100644
--- a/file.php
+++ b/file.php
@@ -102,7 +102,7 @@ if(isset($_GET['h']) && !empty($_GET['h'])) {
 require(JIRAFEAU_ROOT . 'lib/template/footer.php');
 exit;
 } else {
- if($key != $_POST['key']) {
+ if($key != md5($_POST['key'])) {
 header("HTTP/1.0 403 Forbidden");
 require(JIRAFEAU_ROOT . 'lib/template/header.php');
diff --git a/lib/functions.php b/lib/functions.php
index b10207c..d4c1b20 100644
--- a/lib/functions.php
+++ b/lib/functions.php
@@ -173,10 +173,15 @@ function jirafeau_upload($file, $one_time_download, $key, $time, $cfg, $ip) {
 for ($i = 0; $i < 8; $i++)
 $delete_link_code .= dechex(rand(0,16));
+ /* md5 password or empty */
+ $password = '';
+ if (!empty($key))
+ $password = md5($key);
+
 /* create link file */
 $link_tmp_name = VAR_LINKS . $md5 . rand(0, 10000) . '.tmp';
 $handle = fopen($link_tmp_name, 'w');
- fwrite($handle, $name . NL . $mime_type . NL . $size . NL . $key . NL . $time . NL . $md5 . NL . ($one_time_download ? 'O' : 'R') . NL . date('U') . NL . $ip . NL . $delete_link_code . NL);
+ fwrite($handle, $name . NL . $mime_type . NL . $size . NL . $password . NL . $time . NL . $md5 . NL . ($one_time_download ? 'O' : 'R') . NL . date('U') . NL . $ip . NL . $delete_link_code . NL);
 fclose($handle);
 $md5_link = md5_file($link_tmp_name);
 if(!rename($link_tmp_name, VAR_LINKS . $md5_link)) {
--
2.34.1
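Review bot: The new check `if($key != md5($_POST['key']))` compares two hex digests with the loose `!=` operator, so PHP's numeric-string comparison applies to digests that happen to look like numbers, and the comparison is not constant-time. Prefer `if (!hash_equals($key, md5($_POST['key']))) {` where hash_equals() is available, or at least the strict `!==`. The hunk does not show whether `$_POST['key']` is verified to be a set string before this line, so a guard such as `is_string($_POST['key'] ?? null)` may also be needed; the enclosing block starts and ends outside the hunk. Link files written before this commit presumably still hold the clear-text key and would now be rejected, which deserves a migration note.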
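Review bot: `$password = md5($key);` stores an unsalted, fast MD5 digest, so anyone who can read the link file can still recover short or common passwords by offline guessing, and equal passwords produce equal stored values. Where the PHP version allows it, `$password = password_hash($key, PASSWORD_DEFAULT);` here, paired with `password_verify($_POST['key'], $key)` in the file.php check, would give a salted, deliberately slow hash. Separately, `if (!empty($key))` treats the string `'0'` as empty, so an upload protected with the password `0` is stored with no password at all; `if ($key !== null && $key !== '')` avoids that. jirafeau_upload continues outside the hunk.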