| author | Dries Buytaert <dries@buytaert.net> | 2008-03-31 20:50:05 +0000 |
|---|---|---|
| committer | Dries Buytaert <dries@buytaert.net> | 2008-03-31 20:50:05 +0000 |
| commit | ed59911f9ee542da87ae7cddcb2d50da0e785079 | |
| tree | 8b7f873dd371ae19d1f678e26ad548c47ff1b0ad /scripts | |
| parent | 763298455f88e26f286749b5f7ff6c9471742012 | |
- Patch #29706 by pwolanin, solardiz, et al: more secure password hashing.
This is a big and important patch for Drupal's security. We are switching
to much stronger password hashes that are also compatible with the Portable
PHP password hashing framework.
The new password hashes defeat a number of attacks, including:
- The ability to try candidate passwords against multiple hashes at once.
- The ability to use pre-hashed lists of candidate passwords.
- The ability to determine whether two users have the same (or different)
password without actually having to guess one of the passwords.
Also implemented a pluggable password hashing API (similar to how an alternate
cache mechanism can be used) to allow developers to readily substitute an
alternative hashing and authentication scheme.
Thanks all!
Diffstat (limited to 'scripts')

| mode | file | lines |
|---|---|---|
| -rwxr-xr-x | scripts/password-hash.sh | 93 |

1 file changed, 93 insertions, 0 deletions
diff --git a/scripts/password-hash.sh b/scripts/password-hash.sh new file mode 100755 index 000000000..89893d102 --- /dev/null +++ b/scripts/password-hash.sh 
@@ -0,0 +1,93 @@ +#!/usr/bin/php +<?php +// $Id$ + +/** + * Drupal hash script - to generate a hash from a plaintext password + * + * Check for your PHP interpreter - on Windows you'll probably have to + * replace line 1 with + * #!c:/program files/php/php.exe + * + * @param password1 [password2 [password3 ...]] + * Plain-text passwords in quotes (or with spaces backslah escaped). + */ + +function variable_get($x, $default) { + return $default; +} + +if (version_compare(PHP_VERSION, "5.2.0", "<")) { + $version = PHP_VERSION; + echo <<<EOF + +ERROR: This script requires at least PHP version 5.2.0. You invoked it with + PHP version {$version}. +\n +EOF; + exit; +} + +$script = basename(array_shift($_SERVER['argv'])); + +if (in_array('--help', $_SERVER['argv']) || empty($_SERVER['argv'])) { + echo <<<EOF + +Generate Drupal password hashes from the shell. + +Usage: {$script} [OPTIONS] "<plan-text password>" +Example: {$script} "mynewpassword" + +All arguments are long options. + + --help Print this page. + + --root <path> + + Set the working directory for the script to the specified path. + To execute this script this has to be the root directory of your + Drupal installation, e.g. /home/www/foo/drupal (assuming Drupal + running on Unix). Use surrounding quotation marks on Windows. + + "<password1>" ["<password2>" ["<password3>" ...]] + + One or more plan-text passwords enclosed by double quotes. The + output hash may be manually entered into the {users}.pass field to + change a password via SQL to a known value. + +To run this script without the --root argument invoke it from the root directory +of your Drupal installation as + + ./scripts/{$script} +\n +EOF; + exit; +} + +$passwords = array(); + +// Parse invocation arguments. +while ($param = array_shift($_SERVER['argv'])) { + switch ($param) { + case '--root': + // Change the working directory. 
+ $path = array_shift($_SERVER['argv']); + if (is_dir($path)) { + chdir($path); + } + break; + default: + // Add a password to the list to be processed. + $passwords[] = $param; + break; + } +} + +include_once('includes/password.inc'); +include_once('includes/common.inc'); + +foreach ($passwords as $password) { + print("\npassword: $password \t\thash: ". user_hash_password($password) ."\n"); +} +print("\n"); + |
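Review bot: the argument loop `while ($param = array_shift($_SERVER['argv']))` stops on the first argument PHP evaluates as false, so a password of `"0"` is silently dropped together with every argument after it; loop on `count($_SERVER['argv']) > 0` (or test `$param !== null`) instead of the truthiness of the value. In the `--root` case, a missing path or one that is not a directory is ignored without a message and the later `include_once('includes/password.inc')` then fails with only a PHP warning; print an error and `exit(1)` there so callers notice. Two typos in the help text and docblock: "plan-text" should read "plain-text" (twice) and "backslah" should read "backslash". Since the passwords are taken from the command line and echoed back next to their hashes, it would be worth noting in the docblock that they can end up in shell history and process listings, and that the script should be run from a root shell only when needed.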