[8450] Prevented using of plaintext passwords in sql queries Author: arrai

--HG-- branch : trunk
2026-01-18 16:38:42 +01:00 · 2009-09-02 18:14:10 -05:00
parent 9d161ff757
commit ea12ff233b
6 changed files with 60 additions and 27 deletions
--- a/src/game/AccountMgr.cpp
+++ b/src/game/AccountMgr.cpp
@@ -25,6 +25,7 @@
 #include "ObjectAccessor.h"
 #include "Player.h"
 #include "Util.h"
+#include "Auth/Sha1.h"

 extern DatabaseType loginDatabase;

@@ -44,17 +45,12 @@ AccountOpResult AccountMgr::CreateAccount(std::string username, std::string pass
    normalizeString(username);
    normalizeString(password);

-    loginDatabase.escape_string(username);
-    loginDatabase.escape_string(password);
-
-    QueryResult *result = loginDatabase.PQuery("SELECT 1 FROM account WHERE username = '%s'", username.c_str());
-    if(result)
+    if(GetId(username))
    {
-        delete result;
        return AOR_NAME_ALREDY_EXIST;                       // username does already exist
    }

-    if(!loginDatabase.PExecute("INSERT INTO account(username,sha_pass_hash,joindate) VALUES('%s',SHA1(CONCAT('%s',':','%s')),NOW())", username.c_str(), username.c_str(), password.c_str()))
+    if(!loginDatabase.PExecute("INSERT INTO account(username,sha_pass_hash,joindate) VALUES('%s','%s',NOW())", username.c_str(), CalculateShaPassHash(username, password).c_str()))
        return AOR_DB_INTERNAL_ERROR;                       // unexpected error
    loginDatabase.Execute("INSERT INTO realmcharacters (realmid, acctid, numchars) SELECT realmlist.id, account.id, 0 FROM realmlist,account LEFT JOIN realmcharacters ON acctid=account.id WHERE acctid IS NULL");

@@ -124,9 +120,11 @@ AccountOpResult AccountMgr::ChangeUsername(uint32 accid, std::string new_uname,
    normalizeString(new_uname);
    normalizeString(new_passwd);

-    loginDatabase.escape_string(new_uname);
-    loginDatabase.escape_string(new_passwd);
-    if(!loginDatabase.PExecute("UPDATE account SET username='%s',sha_pass_hash=SHA1(CONCAT('%s',':','%s')) WHERE id='%d'", new_uname.c_str(), new_uname.c_str(), new_passwd.c_str(), accid))
+    std::string safe_new_uname = new_uname;
+    loginDatabase.escape_string(safe_new_uname);
+
+    if(!loginDatabase.PExecute("UPDATE account SET v='0',s='0',username='%s',sha_pass_hash='%s' WHERE id='%d'", safe_new_uname.c_str(),
+                CalculateShaPassHash(new_uname, new_passwd).c_str(), accid))
        return AOR_DB_INTERNAL_ERROR;                       // unexpected error

    return AOR_OK;
@@ -134,19 +132,19 @@ AccountOpResult AccountMgr::ChangeUsername(uint32 accid, std::string new_uname,

 AccountOpResult AccountMgr::ChangePassword(uint32 accid, std::string new_passwd)
 {
-    QueryResult *result = loginDatabase.PQuery("SELECT 1 FROM account WHERE id='%d'", accid);
-    if(!result)
+    std::string username;
+
+    if(!GetName(accid, username))
        return AOR_NAME_NOT_EXIST;                          // account doesn't exist
-    delete result;

    if (utf8length(new_passwd) > MAX_ACCOUNT_STR)
        return AOR_PASS_TOO_LONG;

    normalizeString(new_passwd);

-    loginDatabase.escape_string(new_passwd);
    // also reset s and v to force update at next realmd login
-    if(!loginDatabase.PExecute("UPDATE account SET v='0', s='0', sha_pass_hash=SHA1("_CONCAT3_("username","':'","'%s'")") WHERE id='%d'", new_passwd.c_str(), accid))
+    if(!loginDatabase.PExecute("UPDATE account SET v='0', s='0', sha_pass_hash='%s' WHERE id='%d'",
+                CalculateShaPassHash(username, new_passwd).c_str(), accid))
        return AOR_DB_INTERNAL_ERROR;                       // unexpected error

    return AOR_OK;
@@ -194,10 +192,13 @@ bool AccountMgr::GetName(uint32 acc_id, std::string &name)

 bool AccountMgr::CheckPassword(uint32 accid, std::string passwd)
 {
-    normalizeString(passwd);
-    loginDatabase.escape_string(passwd);
+    std::string username;
+    if(!GetName(accid, username))
+        return false;

-    QueryResult *result = loginDatabase.PQuery("SELECT 1 FROM account WHERE id='%d' AND sha_pass_hash=SHA1(CONCAT(username,':','%s'))", accid, passwd.c_str());
+    normalizeString(passwd);
+
+    QueryResult *result = loginDatabase.PQuery("SELECT 1 FROM account WHERE id='%d' AND sha_pass_hash='%s'", accid, CalculateShaPassHash(username, passwd).c_str());
    if (result)
    {
        delete result;
@@ -220,3 +221,18 @@ bool AccountMgr::normalizeString(std::string& utf8str)
    return WStrToUtf8(wstr_buf,wstr_len,utf8str);
 }

+std::string AccountMgr::CalculateShaPassHash(std::string& name, std::string& password)
+{
+    Sha1Hash sha;
+    sha.Initialize();
+    sha.UpdateData(name);
+    sha.UpdateData(":");
+    sha.UpdateData(password);
+    sha.Finalize();
+
+    std::string encoded;
+    hexEncodeByteArray(sha.GetDigest(), sha.GetLength(), encoded);
+
+    return encoded;
+}
+
--- a/src/game/AccountMgr.h
+++ b/src/game/AccountMgr.h
@@ -53,6 +53,7 @@ class AccountMgr
        uint32 GetId(std::string username);
        uint32 GetSecurity(uint32 acc_id);
        bool GetName(uint32 acc_id, std::string &name);
+        std::string CalculateShaPassHash(std::string& name, std::string& password);

        static bool normalizeString(std::string& utf8str);
 };
--- a/src/game/WorldSocket.cpp
+++ b/src/game/WorldSocket.cpp
@@ -804,13 +804,10 @@ int WorldSocket::HandleAuthSession (WorldPacket& recvPacket)

    // Re-check account ban (same check as in realmd)
    QueryResult *banresult =
-          loginDatabase.PQuery ("SELECT "
-                                "bandate, "
-                                "unbandate "
-                                "FROM account_banned "
-                                "WHERE id = '%u' "
-                                "AND active = 1",
-                                id);
+          loginDatabase.PQuery ("SELECT 1 FROM account_banned WHERE id = %u AND active = 1 "
+                                "UNION "
+                                "SELECT 1 FROM ip_banned WHERE ip = '%s'",
+                                id, GetRemoteAddress().c_str());

    if (banresult) // if account banned
    {
--- a/src/shared/Auth/Sha1.h
+++ b/src/shared/Auth/Sha1.h
@@ -44,8 +44,6 @@ class Sha1Hash
        uint8 *GetDigest(void) { return mDigest; };
        int GetLength(void) { return SHA_DIGEST_LENGTH; };

-        BigNumber GetBigNumber();
-
    private:
        SHA_CTX mC;
        uint8 mDigest[SHA_DIGEST_LENGTH];
--- a/src/shared/Util.cpp
+++ b/src/shared/Util.cpp
@@ -502,3 +502,23 @@ void vutf8printf(FILE *out, const char *str, va_list* ap)
    vfprintf(out, str, *ap);
 #endif
 }
+
+void hexEncodeByteArray(uint8* bytes, uint32 arrayLen, std::string& result)
+{
+    std::ostringstream ss;
+    for(uint32 i=0; i<arrayLen; ++i)
+    {
+        for(uint8 j=0; j<2; ++j)
+        {
+            unsigned char nibble = 0x0F & (bytes[i]>>((1-j)*4));
+            char encodedNibble;
+            if(nibble < 0x0A)
+                encodedNibble = '0'+nibble;
+            else
+                encodedNibble = 'A'+nibble-0x0A;
+            ss << encodedNibble;
+        }
+    }
+    result = ss.str();
+}
+
--- a/src/shared/Util.h
+++ b/src/shared/Util.h
@@ -291,6 +291,7 @@ void vutf8printf(FILE *out, const char *str, va_list* ap);
 bool IsIPAddress(char const* ipaddress);
 uint32 CreatePIDFile(const std::string& filename);

+void hexEncodeByteArray(uint8* bytes, uint32 arrayLen, std::string& result);
 #endif

 //handler for operations on large flags