Diffstat (limited to 'modules/user/helpers')
-rw-r--r--modules/user/helpers/user_installer.php2
-rw-r--r--modules/user/helpers/user_password.php83
2 files changed, 84 insertions, 1 deletions
diff --git a/modules/user/helpers/user_installer.php b/modules/user/helpers/user_installer.php
index bb6f1ceb..e0f7312e 100644
--- a/modules/user/helpers/user_installer.php
+++ b/modules/user/helpers/user_installer.php
@@ -69,7 +69,7 @@ class user_installer {
$user->name = "admin";
$user->display_name = "Gallery Administrator";
// @todo create a helper function to encrypt the password.
- $user->password = "admin";
+ $user->password = user_password::hash_password("admin");
$user->save();
$id = $user->id;
$db->query("UPDATE `items` SET `owner_id` = $id WHERE `owner_id` IS NULL");
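Review bot: The `// @todo create a helper function to encrypt the password.` comment directly above the changed line is now stale, since `user_password::hash_password` is exactly that helper; drop it or replace it with something that documents the stored form, e.g. `// Stored as a salted hash; see user_password::is_correct_password for the accepted formats.` Separately, the admin account is still created with the fixed password "admin", so the hash only protects the stored form, not the credential itself; whether the installer or first login forces a change is not visible here and is worth confirming. The `$db->query("UPDATE ... WHERE owner_id IS NULL")` line interpolates `$id` into SQL; it comes from the just-saved model and is presumably an integer, but a bound parameter or an explicit `(int)` cast would remove the question. The enclosing installer method begins outside the hunk.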
diff --git a/modules/user/helpers/user_password.php b/modules/user/helpers/user_password.php
new file mode 100644
index 00000000..45de5bef
--- /dev/null
+++ b/modules/user/helpers/user_password.php
@@ -0,0 +1,83 @@
+<?php defined("SYSPATH") or die("No direct script access.");
+/**
+ * Gallery - a web based photo album viewer and editor
+ * Copyright (C) 2000-2008 Bharat Mediratta
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or (at
+ * your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA 02110-1301, USA.
+ */
+class user_password {
+
+ /**
+ * Is the password provided correct?
+ *
+ * @param user User Model
+ * @param string $password a plaintext password
+ * @return boolean true if the password is correct
+ */
+ public static function is_correct_password($user, $password) {
+ $valid = $user->password;
+
+ $salt = substr($valid, 0, 4);
+ /* Support both old (G1 thru 1.4.0; G2 thru alpha-4) and new password schemes: */
+ $guess = (strlen($valid) == 32) ? md5($password) : ($salt . md5($salt . $password));
+ if (!strcmp($guess, $valid)) {
+ return true;
+ }
+
+ /* Passwords with <&"> created by G2 prior to 2.1 were hashed with entities */
+ $sanitizedPassword = html::specialchars($password, false);
+ $guess = (strlen($valid) == 32) ? md5($sanitizedPassword)
+ : ($salt . md5($salt . $sanitizedPassword));
+ if (!strcmp($guess, $valid)) {
+ return true;
+ }
+
+ /* Also support hashes generated by phpass for interoperability with other applications */
+ if (strlen($valid) == 34) {
+ $hashGenerator = new PasswordHash(10, true);
+ return $hashGenerator->CheckPassword($password, $valid);
+ }
+
+ return false;
+ }
+
+ /**
+ * Create the hashed passwords.
+ * @param string $password a plaintext password
+ * @return string hashed password
+ */
+ public static function hash_password($password) {
+ return user_password::_md5Salt($password);
+ }
+
+ /**
+ * Create a hashed password using md5 plus salt.
+ * @param string $password plaintext password
+ * @param string $salt (optional) salt or hash containing salt (randomly generated if omitted)
+ * @return string hashed password
+ */
+ private static function _md5Salt($password, $salt='') {
+ if (empty($salt)) {
+ for ($i = 0; $i < 4; $i++) {
+ $char = mt_rand(48, 109);
+ $char += ($char > 90) ? 13 : ($char > 57) ? 7 : 0;
+ $salt .= chr($char);
+ }
+ } else {
+ $salt = substr($salt, 0, 4);
+ }
+ return $salt . md5($salt . $password);
+ }
+}
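Review bot: The nested ternary in `_md5Salt`, `$char += ($char > 90) ? 13 : ($char > 57) ? 7 : 0;`, is not parenthesised, and PHP groups unparenthesised nested ternaries left-to-right, so it evaluates as `(($char > 90) ? 13 : ($char > 57)) ? 7 : 0`: every value above 57 gets +7, the +13 is never applied, and the salt alphabet becomes 0-9, A-Z, the six punctuation characters between Z and a, and a-t rather than the apparently intended 0-9A-Za-z (PHP 8 rejects the construct outright). Write it as `$char += ($char > 90) ? 13 : (($char > 57) ? 7 : 0);`. The salt is also drawn from `mt_rand`, which is not a cryptographic generator, and a 4-character salt in front of unkeyed MD5 is a weak scheme for newly created hashes; since `is_correct_password` already verifies 34-character phpass hashes through `PasswordHash`, `hash_password` could emit that format for new passwords (or `password_hash` where the target PHP supports it) while the MD5 branches stay for legacy verification only. Both `!strcmp($guess, $valid)` comparisons are not constant-time; a `hash_equals`-style comparison, where available, is the safer choice when comparing password hashes.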