aboutsummaryrefslogtreecommitdiff
path: root/src/game
diff options
context:
space:
mode:
authormegamage <none@none>2009-09-02 18:14:10 -0500
committermegamage <none@none>2009-09-02 18:14:10 -0500
commitea12ff233b985bd9db6f99eee07fefde80811a94 (patch)
tree92109342be4da2582bdc1a97cf10183efaf5452f /src/game
parent9d161ff757daf47335f7cc84825463cc30818c8c (diff)
[8450] Prevented using of plaintext passwords in sql queries Author: arrai
--HG-- branch : trunk
Diffstat (limited to 'src/game')
-rw-r--r--src/game/AccountMgr.cpp50
-rw-r--r--src/game/AccountMgr.h1
-rw-r--r--src/game/WorldSocket.cpp11
3 files changed, 38 insertions, 24 deletions
diff --git a/src/game/AccountMgr.cpp b/src/game/AccountMgr.cpp
index 981a5ad07ec..b3c9a76e720 100644
--- a/src/game/AccountMgr.cpp
+++ b/src/game/AccountMgr.cpp
@@ -25,6 +25,7 @@
#include "ObjectAccessor.h"
#include "Player.h"
#include "Util.h"
+#include "Auth/Sha1.h"
extern DatabaseType loginDatabase;
@@ -44,17 +45,12 @@ AccountOpResult AccountMgr::CreateAccount(std::string username, std::string pass
normalizeString(username);
normalizeString(password);
- loginDatabase.escape_string(username);
- loginDatabase.escape_string(password);
-
- QueryResult *result = loginDatabase.PQuery("SELECT 1 FROM account WHERE username = '%s'", username.c_str());
- if(result)
+ if(GetId(username))
{
- delete result;
return AOR_NAME_ALREDY_EXIST; // username does already exist
}
- if(!loginDatabase.PExecute("INSERT INTO account(username,sha_pass_hash,joindate) VALUES('%s',SHA1(CONCAT('%s',':','%s')),NOW())", username.c_str(), username.c_str(), password.c_str()))
+ if(!loginDatabase.PExecute("INSERT INTO account(username,sha_pass_hash,joindate) VALUES('%s','%s',NOW())", username.c_str(), CalculateShaPassHash(username, password).c_str()))
return AOR_DB_INTERNAL_ERROR; // unexpected error
loginDatabase.Execute("INSERT INTO realmcharacters (realmid, acctid, numchars) SELECT realmlist.id, account.id, 0 FROM realmlist,account LEFT JOIN realmcharacters ON acctid=account.id WHERE acctid IS NULL");
@@ -124,9 +120,11 @@ AccountOpResult AccountMgr::ChangeUsername(uint32 accid, std::string new_uname,
normalizeString(new_uname);
normalizeString(new_passwd);
- loginDatabase.escape_string(new_uname);
- loginDatabase.escape_string(new_passwd);
- if(!loginDatabase.PExecute("UPDATE account SET username='%s',sha_pass_hash=SHA1(CONCAT('%s',':','%s')) WHERE id='%d'", new_uname.c_str(), new_uname.c_str(), new_passwd.c_str(), accid))
+ std::string safe_new_uname = new_uname;
+ loginDatabase.escape_string(safe_new_uname);
+
+ if(!loginDatabase.PExecute("UPDATE account SET v='0',s='0',username='%s',sha_pass_hash='%s' WHERE id='%d'", safe_new_uname.c_str(),
+ CalculateShaPassHash(new_uname, new_passwd).c_str(), accid))
return AOR_DB_INTERNAL_ERROR; // unexpected error
return AOR_OK;
@@ -134,19 +132,19 @@ AccountOpResult AccountMgr::ChangeUsername(uint32 accid, std::string new_uname,
AccountOpResult AccountMgr::ChangePassword(uint32 accid, std::string new_passwd)
{
- QueryResult *result = loginDatabase.PQuery("SELECT 1 FROM account WHERE id='%d'", accid);
- if(!result)
+ std::string username;
+
+ if(!GetName(accid, username))
return AOR_NAME_NOT_EXIST; // account doesn't exist
- delete result;
if (utf8length(new_passwd) > MAX_ACCOUNT_STR)
return AOR_PASS_TOO_LONG;
normalizeString(new_passwd);
- loginDatabase.escape_string(new_passwd);
// also reset s and v to force update at next realmd login
- if(!loginDatabase.PExecute("UPDATE account SET v='0', s='0', sha_pass_hash=SHA1("_CONCAT3_("username","':'","'%s'")") WHERE id='%d'", new_passwd.c_str(), accid))
+ if(!loginDatabase.PExecute("UPDATE account SET v='0', s='0', sha_pass_hash='%s' WHERE id='%d'",
+ CalculateShaPassHash(username, new_passwd).c_str(), accid))
return AOR_DB_INTERNAL_ERROR; // unexpected error
return AOR_OK;
@@ -194,10 +192,13 @@ bool AccountMgr::GetName(uint32 acc_id, std::string &name)
bool AccountMgr::CheckPassword(uint32 accid, std::string passwd)
{
+ std::string username;
+ if(!GetName(accid, username))
+ return false;
+
normalizeString(passwd);
- loginDatabase.escape_string(passwd);
- QueryResult *result = loginDatabase.PQuery("SELECT 1 FROM account WHERE id='%d' AND sha_pass_hash=SHA1(CONCAT(username,':','%s'))", accid, passwd.c_str());
+ QueryResult *result = loginDatabase.PQuery("SELECT 1 FROM account WHERE id='%d' AND sha_pass_hash='%s'", accid, CalculateShaPassHash(username, passwd).c_str());
if (result)
{
delete result;
@@ -220,3 +221,18 @@ bool AccountMgr::normalizeString(std::string& utf8str)
return WStrToUtf8(wstr_buf,wstr_len,utf8str);
}
+std::string AccountMgr::CalculateShaPassHash(std::string& name, std::string& password)
+{
+ Sha1Hash sha;
+ sha.Initialize();
+ sha.UpdateData(name);
+ sha.UpdateData(":");
+ sha.UpdateData(password);
+ sha.Finalize();
+
+ std::string encoded;
+ hexEncodeByteArray(sha.GetDigest(), sha.GetLength(), encoded);
+
+ return encoded;
+}
+
diff --git a/src/game/AccountMgr.h b/src/game/AccountMgr.h
index 2be0178998e..c14110036a0 100644
--- a/src/game/AccountMgr.h
+++ b/src/game/AccountMgr.h
@@ -53,6 +53,7 @@ class AccountMgr
uint32 GetId(std::string username);
uint32 GetSecurity(uint32 acc_id);
bool GetName(uint32 acc_id, std::string &name);
+ std::string CalculateShaPassHash(std::string& name, std::string& password);
static bool normalizeString(std::string& utf8str);
};
diff --git a/src/game/WorldSocket.cpp b/src/game/WorldSocket.cpp
index 0413f197877..d3f66c39d61 100644
--- a/src/game/WorldSocket.cpp
+++ b/src/game/WorldSocket.cpp
@@ -804,13 +804,10 @@ int WorldSocket::HandleAuthSession (WorldPacket& recvPacket)
// Re-check account ban (same check as in realmd)
QueryResult *banresult =
- loginDatabase.PQuery ("SELECT "
- "bandate, "
- "unbandate "
- "FROM account_banned "
- "WHERE id = '%u' "
- "AND active = 1",
- id);
+ loginDatabase.PQuery ("SELECT 1 FROM account_banned WHERE id = %u AND active = 1 "
+ "UNION "
+ "SELECT 1 FROM ip_banned WHERE ip = '%s'",
+ id, GetRemoteAddress().c_str());
if (banresult) // if account banned
{