author | Paul Arthur <paul.arthur@flowerysong.com> | 2013-02-12 10:49:11 -0500 |
---|---|---|
committer | Paul Arthur <paul.arthur@flowerysong.com> | 2013-03-28 16:56:22 -0400 |
commit | 58ba28b0d36d3b823e8631814888f604dd82510d (patch) | |
tree | 114c3f3b1702c411cef2288027597a2da410d8c4 | |
parent | 4b4e7decf647ec235d8c7dff0757e2e4924f0fb5 (diff) | |
Don't store plaintext passwords
http://dbareactions.tumblr.com/post/41455377237/when-i-see-app-passwords-stored-in-clear-text-in
-rw-r--r-- | lib/class/catalog.class.php | 2 | ||||
-rw-r--r-- | modules/ampacheapi/AmpacheApi.lib.php | 3 |
2 files changed, 2 insertions, 3 deletions
diff --git a/lib/class/catalog.class.php b/lib/class/catalog.class.php
index 88d63674..1e2878bf 100644
--- a/lib/class/catalog.class.php
+++ b/lib/class/catalog.class.php
@@ -241,7 +241,7 @@ class Catalog extends database_object {
 $rename_pattern = $data['rename_pattern'];
 $sort_pattern = $data['sort_pattern'];
 $remote_username = $type == 'remote' ? $data['remote_username'] : '';
- $remote_password = $type == 'remote' ? $data['remote_password'] : '';
+ $remote_password = $type == 'remote' ? hash('sha256', $data['remote_password']) : '';
 $sql = 'INSERT INTO `catalog` (`name`, `path`, `catalog_type`, ' .
 '`rename_pattern`, `sort_pattern`, `remote_username`, ' .
diff --git a/modules/ampacheapi/AmpacheApi.lib.php b/modules/ampacheapi/AmpacheApi.lib.php
index 3dce1899..6ddb896f 100644
--- a/modules/ampacheapi/AmpacheApi.lib.php
+++ b/modules/ampacheapi/AmpacheApi.lib.php
@@ -114,8 +114,7 @@ class AmpacheApi {
 // Set up the handshake
 $results = array();
 $timestamp = time();
- $key = hash('sha256', $this->password);
- $passphrase = hash('sha256', $timestamp . $key);
+ $passphrase = hash('sha256', $timestamp . $this->password);
 $options = array(
 'timestamp' => $timestamp,
|
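Review bot: The value now written to `remote_password` is still a password-equivalent secret, because the handshake in modules/ampacheapi/AmpacheApi.lib.php (second hunk of this commit) feeds the stored value straight into `hash('sha256', $timestamp . $this->password)`; whoever can read the `catalog` table can authenticate to the remote server without recovering the plaintext. An unsalted single SHA-256 also offers little resistance to offline guessing, so the change mainly limits exposure of a password reused elsewhere. I would state that next to the assignment, e.g. `// sha256 digest is exactly what the API handshake consumes: treat this column as a credential, not as a safe-to-leak hash`. Rows created before this commit presumably still hold plaintext and would fail the new handshake unless they are re-hashed; no migration is visible in this diff. The enclosing method starts and ends outside the hunk.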
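Review bot: `$this->password` must now already hold the hex SHA-256 digest rather than the plaintext, but nothing on the new `$passphrase` line or in the visible context says so, and a caller that still passes a plaintext password will produce a passphrase the server rejects with no hint as to why. A comment above the assignment would make the contract explicit, e.g. `// $this->password is expected to be the sha256 hex digest of the account password, never the plaintext`. If this client library is also used outside the catalog code, the same expectation belongs on whatever sets the property, which is not shown here. The enclosing method begins and ends outside the hunk.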