From: Mischa POSLAWSKY
Date: Thu, 14 Jun 2018 15:00:15 +0000 (+0200)
Subject: login/pass: encrypt user input in profile data
X-Git-Tag: v3.1~9
X-Git-Url: http://git.shiar.net/minimedit.git/commitdiff_plain/c036bafab7a43b2d3981ede8e49222522965183e
login/pass: encrypt user input in profile data
Left cleartext for debugging, but prefer at least blowfish hashing. Assume PHP v5.5 to generate salts.
---
diff --git a/login/pass.inc.php b/login/pass.inc.php
index 483f8bb..cb2427e 100644
--- a/login/pass.inc.php
+++ b/login/pass.inc.php
@@ -36,7 +36,8 @@ function passform($user, $input = [])
 return "Zorg dat bij de bevestiging precies het zelfde wachtwoord staat.";
 }
- if (!file_put_contents($pwfile, $input['newpass'])) {
+ $passstore = password_hash($input['newpass'], PASSWORD_DEFAULT);
+ if (empty($passstore) or !file_put_contents($pwfile, $passstore)) {
 return "Het nieuwe wachtwoord kon niet worden opgeslagen. Het oude wachtwoord is behouden.";
 }
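Review bot: An empty new password is now hashed and stored, where the removed line rejected it by accident: `file_put_contents()` returns 0 for an empty string, so `!file_put_contents($pwfile, $input['newpass'])` was true and the error was returned, whereas `password_hash('')` produces a non-empty hash that writes successfully. Unless passform() already checks for an empty `newpass` above this hunk (its body starts and ends outside it), add an explicit guard before the `password_hash()` call, e.g. `if ($input['newpass'] === '') { return "..."; }` with a suitable message. The code that compares a login against `$pwfile` is not part of this hunk; it has to use `password_verify()` for the new format, and the cleartext path the commit message mentions should presumably not stay enabled outside debugging.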