From 6aa13eb36b79677a0a98058e048f74ed4b89f2e8 Mon Sep 17 00:00:00 2001
From: Adrian Greeve
Date: Mon, 27 Feb 2012 12:07:58 +0800
Subject: [PATCH] MDL-31248 - lib - Alteration to the rc4encrypt function to allow for old password use.

---
 lib/moodlelib.php | 52 +++++++++++++++++++++++++++++++++-------------
 lib/sessionlib.php | 10 ++++++++-
 2 files changed, 47 insertions(+), 15 deletions(-)

diff --git a/lib/moodlelib.php b/lib/moodlelib.php
index 71d98685aac..6aba0b89e1b 100644
--- a/lib/moodlelib.php
+++ b/lib/moodlelib.php
@@ -7385,27 +7385,51 @@ class emoticon_manager {
 /**
 * rc4encrypt
 *
- * @todo Finish documenting this function
- *
- * @param string $data Data to encrypt
- * @return string The now encrypted data
- */
-function rc4encrypt($data) {
- $password = get_site_identifier();
- return endecrypt($password, $data, '');
+ * Please note that in this version of moodle that the default for rc4encryption is
+ * using the slightly more secure password key. There may be an issue when upgrading
+ * from an older version of moodle.
+ *
+ * @todo MDL-31836 Remove the old password key in version 2.4
+ * Code also needs to be changed in sessionlib.php
+ * @see get_moodle_cookie()
+ * @see set_moodle_cookie()
+ *
+ * @param string $data Data to encrypt.
+ * @param bool $usesecurekey Lets us know if we are using the old or new secure password key.
+ * @return string The now encrypted data.
+ */
+function rc4encrypt($data, $usesecurekey = true) {
+ if (!$usesecurekey) {
+ $passwordkey = 'nfgjeingjk';
+ } else {
+ $passwordkey = get_site_identifier();
+ }
+ return endecrypt($passwordkey, $data, '');
 }

 /**
 * rc4decrypt
 *
- * @todo Finish documenting this function
+ * Please note that in this version of moodle that the default for rc4encryption is
+ * using the slightly more secure password key. There may be an issue when upgrading
+ * from an older version of moodle.
+ *
+ * @todo MDL-31836 Remove the old password key in version 2.4
+ * Code also needs to be changed in sessionlib.php
+ * @see get_moodle_cookie()
+ * @see set_moodle_cookie()
 *
- * @param string $data Data to decrypt
- * @return string The now decrypted data
+ * @param string $data Data to decrypt.
+ * @param bool $usesecurekey Lets us know if we are using the old or new secure password key.
+ * @return string The now decrypted data.
 */
-function rc4decrypt($data) {
- $password = get_site_identifier();
- return endecrypt($password, $data, 'de');
+function rc4decrypt($data, $usesecurekey = true) {
+ if (!$usesecurekey) {
+ $passwordkey = 'nfgjeingjk';
+ } else {
+ $passwordkey = get_site_identifier();
+ }
+ return endecrypt($passwordkey, $data, 'de');
 }

 /**
diff --git a/lib/sessionlib.php b/lib/sessionlib.php
index b0c1cdb6166..5c7f5138229 100644
--- a/lib/sessionlib.php
+++ b/lib/sessionlib.php
@@ -1049,9 +1049,17 @@ function get_moodle_cookie() {
 return '';
 } else {
 $username = rc4decrypt($_COOKIE[$cookiename]);
+ if ($username != clean_param($username, PARAM_USERNAME)) {
+ $username = rc4decrypt($_COOKIE[$cookiename], false);
+ if ($username == clean_param($username, PARAM_USERNAME)) {
+ set_moodle_cookie($username);
+ } else {
+ $username = '';
+ }
+ }
 if ($username === 'guest' or $username === 'nobody') {
 // backwards compatibility - we do not set these cookies any more
- return '';
+ $username = '';
 }
 return $username;
 }
-- 
2.43.0
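Review bot: In lib/moodlelib.php the legacy key literal `'nfgjeingjk'` is now written out twice, and rc4encrypt() also gains a `$usesecurekey = false` path although the only caller changed in this patch passes `false` to rc4decrypt(). A key that is a constant in public source gives no confidentiality, so nothing should create new ciphertext under it; I would keep the fallback on the decrypt side only and leave rc4encrypt() with its old signature unless a caller outside this diff needs it. Wherever the literal stays, define it once and label it, e.g. `// Legacy pre-MDL-31248 key, public in source: decrypt-only migration aid, remove with MDL-31836.` The docblock's "slightly more secure" wording should also say that the strength of the default path depends entirely on get_site_identifier(), which is not shown here.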
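Review bot: The fallback added to get_moodle_cookie() in lib/sessionlib.php accepts any cookie that decrypts under the legacy key to something clean_param() leaves unchanged, and both new checks use loose `!=`/`==`. As far as this diff shows, RC4 via endecrypt() carries no integrity check, so the PARAM_USERNAME test is a plausibility heuristic rather than authentication: a value decrypted with the wrong key can pass by chance, and a value under the legacy key can be produced by anyone who has the source. Use strict comparison, `if ($username !== clean_param($username, PARAM_USERNAME)) {` and `if ($username === clean_param($username, PARAM_USERNAME)) {`, and add a comment stating that the returned username is untrusted input and must never feed an authorisation decision. Note also that set_moodle_cookie($username) runs before the 'guest'/'nobody' check, so a legacy cookie holding one of those names is re-issued unless set_moodle_cookie() filters it itself; that function and the start of get_moodle_cookie() are outside the hunk.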