--- ./htaccess.class.php.orig 2013-03-07 14:04:38.410610299 +0800
+++ ./htaccess.class.php 2013-03-07 14:03:43.768610332 +0800
@@ -632,8 +632,18 @@
 if (empty($clearPass)) {
 return false;
 }
 $pass = $this->users[$UserID];
-$salt = substr($pass,0,2);
-$cryptPass = $this->cryptPass($clearPass,$salt);
+// by Dv
+// $salt = substr($pass,0,2);
+// $cryptPass = $this->cryptPass($clearPass,$salt);
+$salt = substr($pass,0,6);
+if ( $salt == '$apr1$') {
+$salt = substr( $pass, 6, 8);
+$cryptPass = $this->cryptPass($clearPass,$salt);
+} else {
+$salt = substr($pass,0,2);
+$cryptPass = $this->cryptPass($clearPass,$salt);
+}
+// by Dv
 if ($pass == $cryptPass) {
@@ -822,6 +832,11 @@
 return "";
 }
+// by Dv
+// use _Unix_ htpasswd APR1 by default
+$t = $this->crypt_apr1_md5( $passwd, $salt);
+return( $t);
+// by Dv /
 if (!empty($salt)) {
 $salt = substr ($salt, 0, 2);
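Review bot: The new `else` branch at the bottom of the hunk can no longer succeed for legacy entries: it still hands the 2-character prefix of a traditional crypt() hash to `cryptPass`, but this same patch makes `cryptPass` return an `$apr1$` string unconditionally, so the comparison against a non-APR1 stored hash always fails and every user whose entry predates the change is locked out until re-hashed. In the `$apr1$` branch, `substr( $pass, 6, 8)` assumes an exactly 8-character salt; Apache accepts shorter salts, so cut at the next `$` instead: `$end = strpos($pass, '$', 6); $salt = substr($pass, 6, $end - 6);`. The comparison `$pass == $cryptPass` is loose and not constant-time; on PHP 5.6+ `if (hash_equals($pass, $cryptPass)) {` is the safer form. The enclosing method starts before the hunk and ends after it.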
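Review bot: The inserted `return( $t);` makes everything after it in `cryptPass` unreachable, so the original crypt() path (the `substr ($salt, 0, 2)` logic visible at the bottom of the hunk) is now dead code that still reads as live. It also changes the contract for every caller: whatever `$salt` arrives — including the 2-character prefix the verification code still sends for non-APR1 entries — is fed into an `$apr1$` hash, and an empty salt silently triggers salt generation. If the intent is "APR1 for new passwords, legacy crypt for existing entries", gate on the salt shape rather than returning unconditionally, e.g. `if (empty($salt) || strlen($salt) > 2) { return $this->crypt_apr1_md5($passwd, $salt); }` and let the 2-character case fall through; otherwise delete the dead code below it. `cryptPass` begins before the hunk and continues after it.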
@@ -850,6 +865,36 @@
 }
+// by Dv
+/*private*/ function crypt_apr1_md5($plainpasswd, $salt = null) {
+ if (!$salt) $salt = substr(str_shuffle("abcdefghijklmnopqrstuvwxyz0123456789"), 0, 8);
+ $len = strlen($plainpasswd);
+ $text = $plainpasswd . '$apr1$' . $salt;
+ $bin = pack("H32", md5($plainpasswd . $salt . $plainpasswd));
+ for ($i = $len; $i > 0; $i -= 16) {
+ $text .= substr($bin, 0, min(16, $i));
+ }
+ for ($i = $len; $i > 0; $i >>= 1) {
+ $text .= ($i & 1) ? chr(0) : $plainpasswd{0};
+ }
+ $bin = pack("H32", md5($text));
+ for ($i = 0; $i < 1000; $i++) {
+ $new = ($i & 1) ? $plainpasswd : $bin;
+ if ($i % 3) $new .= $salt;
+ if ($i % 7) $new .= $plainpasswd;
+ $new .= ($i & 1) ? $bin : $plainpasswd;
+ $bin = pack("H32", md5($new));
+ }
+ for ($i = 0; $i < 5; $i++) {
+ $k = $i + 6;
+ $j = $i + 12;
+ if ($j == 16) $j = 5;
+ $tmp = $bin[$i] . $bin[$k] . $bin[$j] . $tmp;
+ }
+ $tmp = chr(0) . chr(0) . $bin[11] . $tmp;
+ $tmp = strtr(strrev(substr(base64_encode($tmp), 2)), "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/", "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz");
+ return( "$" . "apr1" . "$" . $salt . "$" . $tmp); }
+// by Dv /
 }
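Review bot: `$plainpasswd{0}` in the second mixing loop uses the curly-brace string offset syntax, which is a fatal parse error on PHP 8, and `$tmp` is read before it is assigned in the first iteration of the 5-round permutation loop (a notice, and a warning on PHP 8); use `$plainpasswd[0]` and initialise `$tmp = '';` before that loop. The default salt comes from `str_shuffle`, which draws from PHP's non-cryptographic PRNG and yields 8 distinct characters from a 36-symbol set, so the salt space is much smaller than htpasswd's 64-symbol `./0-9A-Za-z` alphabet; take the bytes from a CSPRNG instead. A caller-supplied salt is also used as-is: anything longer than 8 characters or containing `$` produces a string Apache will never verify, so it should be truncated and sanitised. The routine is the MD5-based APR1 construction Apache expects, not a modern KDF; a header comment should say so and note that on Apache 2.4 the bcrypt (`$2y$`) entries `htpasswd -B` writes are the stronger choice.
```php
/*private*/ function crypt_apr1_md5($plainpasswd, $salt = null) {
    if (!$salt) {
        // CSPRNG salt over the htpasswd alphabet (64 symbols, so `& 63` is unbiased);
        // openssl_random_pseudo_bytes() needs ext/openssl, random_bytes() is PHP 7+
        $alphabet = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
        $bytes = openssl_random_pseudo_bytes(8);
        $salt = '';
        for ($i = 0; $i < 8; $i++) {
            $salt .= $alphabet[ord($bytes[$i]) & 63];
        }
    }
    // Apache reads at most 8 salt characters and '$' terminates the salt field
    $salt = substr(str_replace('$', '', $salt), 0, 8);
    $len = strlen($plainpasswd);
    // … unchanged: $text / $bin setup and the first mixing loop …
    $text .= ($i & 1) ? chr(0) : $plainpasswd[0]; // [] offset: the {} form is removed in PHP 8
    // … unchanged: 1000-round loop …
    $tmp = '';
    for ($i = 0; $i < 5; $i++) {
    // … unchanged: rest of the byte permutation, encoding and return …
```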