Reverse hash and nonce (#8320)

Safer password evaluation
This commit is contained in:
Alexandre Alapetite
2025-12-15 22:06:05 +01:00
committed by GitHub
parent 00f2f043ac
commit 476e57b046
2 changed files with 2 additions and 2 deletions


@@ -11,7 +11,7 @@ class FreshRSS_FormAuth {
return false;
}
return password_verify($nonce . $hash, $challenge);
return password_verify($hash . $nonce, $challenge);
}
/** @return list<string> */
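Review bot: The new `$hash . $nonce` order on the `password_verify` line depends on an invariant the code never states: bcrypt hashes only the first 72 bytes of its input, so with a bcrypt string in `$hash` (the client sends a `bcrypt.hashSync` output, 60 characters) the whole hash is now covered but only the first 12 bytes of `$nonce` still take part in the comparison. A comment such as `// bcrypt uses only the first 72 bytes: full 60-char hash first, nonce after; order must match the client in init_crypto_forms` would record why the order matters and tie it to the JavaScript side, which builds the same string as `s + json.nonce` in the second hunk. It is worth confirming that the leading 12 bytes of the nonce carry its randomness rather than a fixed prefix; this follows from the length arithmetic, not from anything visible here. The enclosing method of FreshRSS_FormAuth starts outside the hunk.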


@@ -75,7 +75,7 @@ function init_crypto_forms() {
try {
const strong = window.Uint32Array && window.crypto && (typeof window.crypto.getRandomValues === 'function');
const s = bcrypt.hashSync(crypto_form.querySelector('.passwordPlain').value, json.salt1);
const c = bcrypt.hashSync(json.nonce + s, strong ? bcrypt.genSaltSync(4) : poormanSalt());
const c = bcrypt.hashSync(s + json.nonce, strong ? bcrypt.genSaltSync(4) : poormanSalt());
challenge.value = c;
if (!s || !c) {
openNotification('Crypto error!', 'bad');