remove clear text password storage

diff --git a/file.php b/file.php
index 7916fb81f44dc9a0aa8041117b4eba3e4b6c4188..edf01994e2596ba13fc80c8dc7e3e0dc0cdec319 100644 (file)
--- a/file.php
+++ b/file.php
@@ -102,7 +102,7 @@ if(isset($_GET['h']) && !empty($_GET['h'])) {
         require(JIRAFEAU_ROOT . 'lib/template/footer.php');
         exit;
       } else {
-        if($key != $_POST['key']) {
+        if($key != md5($_POST['key'])) {
           header("HTTP/1.0 403 Forbidden");
 
           require(JIRAFEAU_ROOT . 'lib/template/header.php');

diff --git a/lib/functions.php b/lib/functions.php
index b10207c1f7c5ca779253341a84b57562168a3db9..d4c1b20aa44a61bd15c69337e0d1aebb12590f8c 100644 (file)
--- a/lib/functions.php
+++ b/lib/functions.php
@@ -173,10 +173,15 @@ function jirafeau_upload($file, $one_time_download, $key, $time, $cfg, $ip) {
   for ($i = 0; $i < 8; $i++)
     $delete_link_code .= dechex(rand(0,16));
 
+  /* md5 password or empty */
+  $password = '';
+  if (!empty($key))
+    $password = md5($key);
+
   /* create link file */
   $link_tmp_name = VAR_LINKS . $md5 . rand(0, 10000) . '.tmp';
   $handle = fopen($link_tmp_name, 'w');
-  fwrite($handle, $name . NL . $mime_type . NL . $size . NL . $key . NL . $time . NL . $md5 . NL . ($one_time_download ? 'O' : 'R') . NL . date('U') . NL . $ip . NL . $delete_link_code . NL);
+  fwrite($handle, $name . NL . $mime_type . NL . $size . NL . $password . NL . $time . NL . $md5 . NL . ($one_time_download ? 'O' : 'R') . NL . date('U') . NL . $ip . NL . $delete_link_code . NL);
   fclose($handle);
   $md5_link = md5_file($link_tmp_name);
   if(!rename($link_tmp_name, VAR_LINKS . $md5_link)) {