badmanners/shimmie2
badmanners/shimmie2
Archived
1
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

[core] use sha3 instead of md5 for csrf tokens

Browse source
This commit is contained in:
Shish 2024-06-21 19:18:21 +01:00 committed by Shish
parent 17b0b4e94f
commit 7150af6b9e
1 changed files with 6 additions and 10 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

16
core/user.php
View file

@ -238,20 +238,16 @@ class User
/** /**
* Get an auth token to be used in POST forms * Get an auth token to be used in POST forms
* *
* password = secret, avoid storing directly * the token is based on
* passhash = bcrypt(password), so someone who gets to the database can't get passwords * - the user's password, so that only this user can use the token
* sesskey = md5(passhash . IP), so if it gets sniffed it can't be used from another IP, * - the session IP, to reduce the blast radius of guessed passwords
* and it can't be used to get the passhash to generate new sesskeys * - a salt known only to the server, so that clients or attackers
* authtok = md5(sesskey, salt), presented to the user in web forms, to make sure that * can't generate their own tokens even if they know the first two
* the form was generated within the session. Salted and re-hashed so that
* reading a web page from the user's cache doesn't give access to the session key
*/ */
public function get_auth_token(): string public function get_auth_token(): string
{ {
global $config; global $config;
$salt = SECRET; return hash("sha3-256", $this->passhash . get_session_ip($config) . SECRET);
$addr = get_session_ip($config);
return md5(md5($this->passhash . $addr) . "salty-csrf-" . $salt);
} }