| author | 2025-12-15 22:06:05 +0100 | |
|---|---|---|
| committer | 2025-12-15 22:06:05 +0100 | |
| commit | 476e57b04646416e24e24c56133c9fadf9e52b95 (patch) | |
| tree | e88d13f641712e8a8fba88e28dcde741717c43a0 | |
| parent | 00f2f043ac2fc834b3ef82d41b4c710113e988e2 (diff) | |
Reverse hash and nonce (#8320)
Safer password evaluation
| -rw-r--r-- | app/Models/FormAuth.php | 2 | ||||
| -rw-r--r-- | p/scripts/extra.js | 2 |
2 files changed, 2 insertions, 2 deletions
diff --git a/app/Models/FormAuth.php b/app/Models/FormAuth.php
index 8943fa7f5..a6431aa8e 100644
--- a/app/Models/FormAuth.php
+++ b/app/Models/FormAuth.php
@@ -11,7 +11,7 @@ class FreshRSS_FormAuth {
 return false;
 }
- return password_verify($nonce . $hash, $challenge);
+ return password_verify($hash . $nonce, $challenge);
 }
 
 /** @return list<string> */
diff --git a/p/scripts/extra.js b/p/scripts/extra.js
index 9eeefabfb..6f896f959 100644
--- a/p/scripts/extra.js
+++ b/p/scripts/extra.js
@@ -75,7 +75,7 @@ function init_crypto_forms() {
 try {
 const strong = window.Uint32Array && window.crypto && (typeof window.crypto.getRandomValues === 'function');
 const s = bcrypt.hashSync(crypto_form.querySelector('.passwordPlain').value, json.salt1);
- const c = bcrypt.hashSync(json.nonce + s, strong ? bcrypt.genSaltSync(4) : poormanSalt());
+ const c = bcrypt.hashSync(s + json.nonce, strong ? bcrypt.genSaltSync(4) : poormanSalt());
 challenge.value = c;
 if (!s || !c) {
 openNotification('Crypto error!', 'bad');
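Review bot: The new concatenation order `$hash . $nonce` is a protocol contract with the matching client line in p/scripts/extra.js (`s + json.nonce`, second hunk of this commit), yet neither side records that the two must stay in sync or why the order was changed. If the motivation is bcrypt's 72-byte input limit — a bcrypt hash string is 60 bytes, so placing it first keeps the entire stored hash inside the hashed window and leaves roughly 12 bytes of the nonce — that reasoning belongs next to the call, e.g. `// Order matters and must match p/scripts/extra.js: $hash first so bcrypt's 72-byte limit never truncates it.` It is also worth stating explicitly that only a prefix of the nonce is bound by the challenge under this scheme, so nobody later assumes the full nonce is covered; whether $hash really is a bcrypt string here is inferred from the client side and not visible in this hunk. The enclosing method of FreshRSS_FormAuth starts and ends outside the hunk.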
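Review bot: `challenge.value = c;` on the line right after the changed one is written before `if (!s || !c)` validates the results, so on a crypto failure the form already carries an empty challenge when `openNotification('Crypto error!', 'bad')` fires. Unless the code following the notification (outside this hunk) explicitly aborts the submit, the assignment should move below the `if (!s || !c) { … }` block so a bad value is never placed in the field. The body of init_crypto_forms continues past the hunk, so this is hedged on what that later code does.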
