MD5 passwords, including code from Robert Hartman and John Gray.

git-svn-id: http://svn.automattic.com/wordpress/trunk@850 1a063a9b-81f0-0310-95a4-ce76da25c4cd

wp-admin/auth.php

@@ -2,7 +2,7 @@
 
 require_once('../wp-config.php');
 
-/* checking login & pass in the database */
+/* Checking login & pass in the database */
 function veriflog() {
 	global $HTTP_COOKIE_VARS,$cookiehash;
 	global $tableusers, $wpdb;
@@ -31,19 +31,18 @@ function veriflog() {
 		}
 	}
 }
-//if ( $user_login!="" && $user_pass!="" && $id_session!="" && $adresse_ip==$REMOTE_ADDR) {
-//	if ( !(veriflog()) AND !(verifcookielog()) ) {
-	if (!(veriflog())) {
-		header('Expires: Wed, 11 Jan 1984 05:00:00 GMT');
-		header('Last-Modified: ' . gmdate('D, d M Y H:i:s') . ' GMT');
-		header('Cache-Control: no-cache, must-revalidate');
-		header('Pragma: no-cache');
-		if (!empty($HTTP_COOKIE_VARS["wordpressuser_".$cookiehash])) {
-			$error="<strong>Error</strong>: wrong login or password";
-		}
-		$redir = "Location: $siteurl/wp-login.php?redirect_to=" . urlencode($HTTP_SERVER_VARS["REQUEST_URI"]);
-		header($redir);
-		exit();
+
+if ( !veriflog() ) {
+	header('Expires: Wed, 11 Jan 1984 05:00:00 GMT');
+	header('Last-Modified: ' . gmdate('D, d M Y H:i:s') . ' GMT');
+	header('Cache-Control: no-cache, must-revalidate');
+	header('Pragma: no-cache');
+	if (!empty($HTTP_COOKIE_VARS["wordpressuser_".$cookiehash])) {
+		$error="<strong>Error</strong>: wrong login or password.";
 	}
-//}
+	$redir = "Location: $siteurl/wp-login.php?redirect_to=" . urlencode($HTTP_SERVER_VARS["REQUEST_URI"]);
+	header($redir);
+	exit();
+}
+
 ?>

wp-admin/profile.php

@@ -75,7 +75,7 @@ case 'update':
 		if ($HTTP_POST_VARS["pass1"] != $HTTP_POST_VARS["pass2"])
 			die ("<strong>ERROR</strong>: you typed two different passwords. Go back to correct that.");
 		$newuser_pass = $HTTP_POST_VARS["pass1"];
-		$updatepassword = "user_pass='$newuser_pass', ";
+		$updatepassword = "user_pass=MD5('$newuser_pass'), ";
 		setcookie("wordpresspass_".$cookiehash,md5($newuser_pass),time()+31536000);
 	}
 
@@ -344,4 +344,5 @@ break;
 }
 
 /* </Profile | My Profile> */
-include('admin-footer.php') ?>
+include('admin-footer.php');
+ ?>

wp-admin/upgrade-functions.php

@@ -679,7 +679,20 @@ function upgrade_110() {
 	maybe_add_column($tableusers, 'user_activation_key', "ALTER TABLE `$tableusers` ADD `user_activation_key` VARCHAR( 60 ) NOT NULL ;");
 	maybe_add_column($tableusers, 'user_status', "ALTER TABLE `$tableusers` ADD `user_status` INT DEFAULT '0' NOT NULL ;");
 	$wpdb->query("ALTER TABLE `$tableposts` CHANGE `comment_status` `comment_status` ENUM( 'open', 'closed', 'registered_only' ) DEFAULT 'open' NOT NULL");
+
+	// Convert passwords to MD5 and update table appropiately
+	$query = 'DESCRIBE wp_users user_pass';
+	$res = $wpdb->get_results($query);
+	if ($res[0]['Type'] != 'varchar(32)') {
+		$wpdb->query('ALTER TABLE wp_users MODIFY user_pass varchar(64) not null');
+	}
 	
+	$query = 'SELECT ID, user_pass from wp_users';
+	foreach ($wpdb->get_results($query) as $row) {
+		if (!preg_match('/^[A-Fa-f0-9]{32}$/', $row->user_pass)) {
+			   $wpdb->query('UPDATE wp_users SET user_pass = MD5(\''.$row->user_pass.'\') WHERE ID = \''.$row->ID.'\'');
+		}
+	}
 }
 
 ?>

wp-admin/users.php

@@ -73,7 +73,7 @@ case 'adduser':
 	$result = $wpdb->query("INSERT INTO $tableusers 
 		(user_login, user_pass, user_nickname, user_email, user_ip, user_domain, user_browser, dateYMDhour, user_level, user_idmode, user_firstname, user_lastname)
 	VALUES 
-		('$user_login', '$pass1', '$user_nickname', '$user_email', '$user_ip', '$user_domain', '$user_browser', '$now', '$new_users_can_blog', 'nickname', '$user_firstname', '$user_lastname')");
+		('$user_login', MD5('$pass1'), '$user_nickname', '$user_email', '$user_ip', '$user_domain', '$user_browser', '$now', '$new_users_can_blog', 'nickname', '$user_firstname', '$user_lastname')");
 	
 	if ($result == false) {
 		die ('<strong>ERROR</strong>: Couldn&#8217;t register you... please contact the <a href="mailto:'.$admin_email.'">webmaster</a> !');