author | Paul Arthur <paul.arthur@flowerysong.com> | 2013-02-07 15:15:50 -0500 |
---|---|---|
committer | Paul Arthur <paul.arthur@flowerysong.com> | 2013-02-07 15:17:24 -0500 |
commit | 79b6eb98e7506c9074d737c452e90732c6cd4afd (patch) | |
tree | 6582ef7140953790b0de426e7a8873719cff5492 /lib/class | |
parent | 81ff3c5d8125f7841ceca5021e95a7c0ef79ae01 (diff) | |
download | ampache-79b6eb98e7506c9074d737c452e90732c6cd4afd.tar.gz ampache-79b6eb98e7506c9074d737c452e90732c6cd4afd.tar.bz2 ampache-79b6eb98e7506c9074d737c452e90732c6cd4afd.zip |
Fix scrub_in to be safer
Diffstat (limited to 'lib/class')
-rw-r--r-- | lib/class/auth.class.php | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/lib/class/auth.class.php b/lib/class/auth.class.php
index 8a23b33f..6e8be4a9 100644
--- a/lib/class/auth.class.php
+++ b/lib/class/auth.class.php
@@ -122,7 +122,8 @@ class Auth {
 // doesn't break things.
 // FIXME: Break things in the future.
 $hashed_password[] = hash('sha256', $password);
- $hashed_password[] = hash('sha256', Dba::escape(scrub_in($password)));
+ $hashed_password[] = hash('sha256',
+ Dba::escape(stripslashes(htmlspecialchars(strip_tags($password)))));
 
 // Automagically update the password if it's old and busted.
 if ($row['password'] == $hashed_password[1] && |
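Review bot: The legacy-hash check `if ($row['password'] == $hashed_password[1] &&` compares hex digests with loose `==`, under which PHP compares two numeric-looking strings (for example digests made of `0e` followed only by digits) as numbers, so this is not an exact string match; use `===`, or a constant-time comparison where the runtime offers one. The condition continues past the end of the hunk, so the rest of it is not visible here. Separately, the inlined `stripslashes(htmlspecialchars(strip_tags($password)))` chain presumably reproduces what `scrub_in` did before this commit, but nothing says so; I would add `// Frozen copy of the old scrub_in() transform; changing it invalidates stored legacy hashes.` above it. Because `htmlspecialchars` defaults for flags and charset differ between PHP versions, passing both explicitly would keep those legacy hashes stable across upgrades.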