From 53dd69bb06236657e3bc22c086ad42b48ed2599e Mon Sep 17 00:00:00 2001
From: havet
Date: Sun, 24 Jan 2016 19:09:12 +0100
Subject: [PATCH 1/4] New option: hashed passwords

Added an option to store the passwords in hashed form.
---
 index.php | 34 ++++++++++++++++++++++++++++------
 1 file changed, 28 insertions(+), 6 deletions(-)

diff --git a/index.php b/index.php
index aba322a..6d8245e 100644
--- a/index.php
+++ b/index.php
@@ -147,19 +147,32 @@
 // They will still be able to access the files with a direct link.
 // Default: $_CONFIG['require_login'] = false;
 //
-$_CONFIG['require_login'] = false;
+$_CONFIG['require_login'] = true;
+
+// Bad practice to store passwords in plain text
+// Store as sha256-hashes.
+// $_CONFIG['hash_psw'] = true;
+
+//$_CONFIG['hash_psw'] = false;
+$_CONFIG['hash_psw'] = true;
 //
 // Usernames and passwords for restricting access to the page.
 // The format is: array(username, password, status)
+
+// Bad practice to store passwords in plain text
+// Store as sha256-hashes.
+
 // Status can be either "user" or "admin". User can read the page, admin can upload and delete.
 // For example: $_CONFIG['users'] = array(array("username1", "password1", "user"), array("username2", "password2", "admin"));
 // You can also keep require_login=false and specify an admin.
 // That way everyone can see the page but username and password are needed for uploading.
-// For example: $_CONFIG['users'] = array(array("username", "password", "admin"));
+// For example: $_CONFIG['users'] = array(array("username", "sha256 of password", "admin"));
 // Default: $_CONFIG['users'] = array();
 //
-$_CONFIG['users'] = array();
+//$_CONFIG['users'] = array();
+//$_CONFIG['users'] = array(array("admin", "secret", "admin"), array("test", "password", "user"));
+$_CONFIG['users'] = array(array("admin", "2bb80d537b1da3e38bd30361aa855686bde0eacd7162fef6a25fe97bf527a25b", "admin"), array("test", "5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8", "user"));
 //
 // Permissions for uploading, creating new directories and deleting.
@@ -1931,8 +1944,7 @@ public static function init()
 }
 header( "Location: ".$addr.$param);
 }
- else
- $encodeExplorer->setErrorString("wrong_pass");
+ else $encodeExplorer->setErrorString("wrong_pass");
 }
 }
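Review bot: A deployment that copies this index.php unchanged starts with a known admin login, because the shipped defaults now set `$_CONFIG['require_login'] = true;` and populate `$_CONFIG['users']` with two digests that the commented-out line directly above them maps back to their plain-text values. Keep `$_CONFIG['users'] = array();` and `$_CONFIG['require_login'] = false;` as the committed defaults and move the populated arrays into the `// For example:` comment block. The added `hash_psw` option is also undocumented in its own block beyond "Store as sha256-hashes"; a one-line contract such as `// hash_psw: when true, the second field of each 'users' entry is the SHA-256 hex digest of the password, not the password itself.` would tell an administrator what to put in 'users'. The second hunk (`else $encodeExplorer->setErrorString("wrong_pass");`) is only a reformat and raises nothing.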
@@ -1940,7 +1952,16 @@ public static function isUser($userName, $userPass)
 {
 foreach(EncodeExplorer::getConfig("users") as $user)
 {
- if($user[1] == $userPass)
+
+ if (EncodeExplorer::getConfig('hash_psw') == true)
+ {
+ $key = hash(sha256, $userPass, $raw_output = false);
+ }
+ else
+ $key = $userPass;
+
+ //if($user[1] == $userPass)
+ if($user[1] == $key)
 {
 if(strlen($userName) == 0 || $userName == $user[0])
 {
@@ -1948,6 +1969,7 @@ public static function isUser($userName, $userPass)
 }
 }
 }
+ return false;
 }

From c3399c7baef417dfbbe5729620aee70a164bb3aa Mon Sep 17 00:00:00 2001
From: havet
Date: Sun, 24 Jan 2016 19:16:38 +0100
Subject: [PATCH 2/4] Added some more translations to Swedish

Added missing lines in the Swedish translation.
---
 index.php | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/index.php b/index.php
index 6d8245e..f01b757 100644
--- a/index.php
+++ b/index.php
@@ -887,6 +887,18 @@
 "unable_to_read_dir" => "Kan inte lasa den filen",
 "location" => "Plats",
 "root" => "Hem"
+ "log_file_permission_error" => "Scriptet har inte behörighet att skriva till loggfilen.",
+ "upload_not_allowed" => "Skriptets konfiguration tillåter inte uppladdning till denna katalog.",
+ "upload_dir_not_writable" => "Denna katalog har inte behörigheter för att skriva.",
+ "mobile_version" => "Mobilvisning",
+ "standard_version" => "Standardvisning",
+ "page_load_time" => "Sidan laddades på %.2f ms",
+ "wrong_pass" => "Fel användarnamn eller lösenord",
+ "username" => "Användarnamn",
+ "log_in" => "Logga in",
+ "upload_type_not_allowed" => "Denna filtyp är det inte tillåtet att ladda upp.",
+ "del" => "Ta bort",
+ "log_out" => "Logga ut"
 );
 // Turkish

From 6ddab60001f6774e691cd8a27439e2d484cf3cf7 Mon Sep 17 00:00:00 2001
From: havet
Date: Sun, 24 Jan 2016 20:17:33 +0100
Subject: [PATCH 3/4] Corrected the Swedish translation

Changed to national characters.
---
 index.php | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)
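Review bot: `$key = hash(sha256, $userPass, $raw_output = false);` passes the bare word sha256, an undefined constant that only works by falling back to the string "sha256" with a notice on PHP 5/7 and is an uncaught Error on PHP 8, and its third argument smuggles in an assignment; it should read `hash('sha256', $userPass)`. The comparison `if($user[1] == $key)` is loose, so two hex digests of the form "0e…" compare equal as numbers and the comparison short-circuits on the first differing byte; `hash_equals()` is strict and constant-time, and the candidate value can be computed once before the `foreach` instead of once per configured user. An unsalted SHA-256 of the password is not a password hash — it is cheap to reverse by lookup for anyone who can read index.php — so if the `hash_psw` switch stays, `password_hash()` / `password_verify()` (PHP 5.5+) would be the better storage format, and the `hash_psw == true` test should be `=== true` if getConfig returns the configured bool. The username test `$userName == $user[0]` is loose for the same reason. The rest of the function (the status return and the added `return false;`) sits in the following hunk, so the excerpt below leaves the inner `if` open.
```php
public static function isUser($userName, $userPass)
{
	// Resolve the candidate once, outside the loop: 'sha256' must be a quoted
	// string, and the third hash() argument is a plain false (no inline assignment).
	$key = EncodeExplorer::getConfig('hash_psw') === true
		? hash('sha256', $userPass)
		: $userPass;
	foreach(EncodeExplorer::getConfig("users") as $user)
	{
		// hash_equals() is strict and constant-time: no "0e..." numeric coercion
		// as with ==, and no early-exit timing difference between candidates.
		if(hash_equals((string) $user[1], (string) $key))
		{
			// … unchanged: username check and status return …
```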
diff --git a/index.php b/index.php
index f01b757..465affe 100644
--- a/index.php
+++ b/index.php
@@ -873,20 +873,20 @@
 $_TRANSLATIONS["sv"] = array(
 "file_name" => "Filnamn",
 "size" => "Storlek",
- "last_changed" => "Senast andrad",
+ "last_changed" => "Senast ändrad",
 "total_used_space" => "Totalt upptaget utrymme",
 "free_space" => "Ledigt utrymme",
- "password" => "Losenord",
+ "password" => "Lösenord",
 "upload" => "Ladda upp",
 "failed_upload" => "Fel vid uppladdning av fil!",
 "failed_move" => "Fel vid flytt av fil till mapp!",
- "wrong_password" => "Fel losenord",
+ "wrong_password" => "Fel lösenord",
 "make_directory" => "Ny mapp",
 "new_dir_failed" => "Fel vid skapande av mapp",
- "chmod_dir_failed" => "Fel vid andring av mappens egenskaper",
+ "chmod_dir_failed" => "Fel vid ändring av mappens egenskaper",
 "unable_to_read_dir" => "Kan inte lasa den filen",
 "location" => "Plats",
- "root" => "Hem"
+ "root" => "Hem",
 "log_file_permission_error" => "Scriptet har inte behörighet att skriva till loggfilen.",
 "upload_not_allowed" => "Skriptets konfiguration tillåter inte uppladdning till denna katalog.",
 "upload_dir_not_writable" => "Denna katalog har inte behörigheter för att skriva.",
@@ -901,6 +901,7 @@
 "log_out" => "Logga ut"
 );
+
 // Turkish
 $_TRANSLATIONS["tr"] = array(
 "file_name" => "Dosya Adı",

From 5495076c2f5f8212418a2e217530a34192a9d816 Mon Sep 17 00:00:00 2001
From: havet
Date: Sun, 24 Jan 2016 20:40:30 +0100
Subject: [PATCH 4/4] Comments

Changed some comments.
---
 index.php | 32 ++++++++++++++++++++------------
 1 file changed, 20 insertions(+), 12 deletions(-)

diff --git a/index.php b/index.php
index 465affe..452018d 100644
--- a/index.php
+++ b/index.php
@@ -147,32 +147,40 @@
 // They will still be able to access the files with a direct link.
 // Default: $_CONFIG['require_login'] = false;
 //
-$_CONFIG['require_login'] = true;
-
-// Bad practice to store passwords in plain text
-// Store as sha256-hashes.
-// $_CONFIG['hash_psw'] = true;
+$_CONFIG['require_login'] = false;
+// Whether store the passwords as sha256-hashes or not.
+// It's bad practice to store passwords in plain text.
+// If set to true, you shuld add the passwords-hashes instead of the passwords,
+// in 'users' below.
 //$_CONFIG['hash_psw'] = false;
-$_CONFIG['hash_psw'] = true;
+//$_CONFIG['hash_psw'] = true;
+
+// Default: $_CONFIG['hash_psw'] = false;
+
+$_CONFIG['hash_psw'] = false;
 //
 // Usernames and passwords for restricting access to the page.
 // The format is: array(username, password, status)
-// Bad practice to store passwords in plain text
-// Store as sha256-hashes.
-
 // Status can be either "user" or "admin". User can read the page, admin can upload and delete.
 // For example: $_CONFIG['users'] = array(array("username1", "password1", "user"), array("username2", "password2", "admin"));
 // You can also keep require_login=false and specify an admin.
 // That way everyone can see the page but username and password are needed for uploading.
 // For example: $_CONFIG['users'] = array(array("username", "sha256 of password", "admin"));
+
+// It's bad practice to store passwords in plain text.
+// You'd better use sha256-hashes for example:
+//$_CONFIG['users'] = array(array("admin", "secret", "admin"),
+// array("test", "password", "user")); // may be replaced by:
+//$_CONFIG['users'] = array(array("admin", "2bb80d537b1da3e38bd30361aa855686bde0eacd7162fef6a25fe97bf527a25b", "admin"),
+// array("test", "5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8", "user"));
+// N.B. set hash_psw = true above
+
 // Default: $_CONFIG['users'] = array();
 //
-//$_CONFIG['users'] = array();
-//$_CONFIG['users'] = array(array("admin", "secret", "admin"), array("test", "password", "user"));
-$_CONFIG['users'] = array(array("admin", "2bb80d537b1da3e38bd30361aa855686bde0eacd7162fef6a25fe97bf527a25b", "admin"), array("test", "5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8", "user"));
+$_CONFIG['users'] = array();
 //
 // Permissions for uploading, creating new directories and deleting.
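Review bot: The new `hash_psw` documentation is split between the comment above the setting ("Whether store the passwords as sha256-hashes or not.", "you shuld add the passwords-hashes") and a trailing `// N.B. set hash_psw = true above` inside the 'users' block, so the option's contract has to be assembled from two places and the wording has slips. Suggest one block above the setting, e.g. `// hash_psw: when true, the second field of each 'users' entry is the SHA-256 hex digest of the password instead of the password itself.` followed by `// Default: $_CONFIG['hash_psw'] = false;`, and drop the N.B. line. The example comment "You'd better use sha256-hashes" should also state that an unsalted digest only hides the password from a casual reader of this file, so that an administrator does not mistake it for proper password storage. The reverted defaults (`require_login = false`, `users = array()`) are the right shipped values and raise nothing.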