From 9c6bbe12dc6bef7290b72c23d9a5ba6953ac3f7d Mon Sep 17 00:00:00 2001
From: technicalguru
Date: Wed, 27 Apr 2022 06:50:35 +0200
Subject: [PATCH] #8 - fixed password hashing algorithm

---
 src/config.local.php | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/src/config.local.php b/src/config.local.php
index df28e5d..9d41814 100644
--- a/src/config.local.php
+++ b/src/config.local.php
@@ -62,7 +62,10 @@
 // To create the hash, visit setup.php in a browser and type a password into the field,
 // on submission it will be echoed out to you as a hashed value.
 $PFA_SALT = md5(time() . '*' . $_SERVER['REMOTE_ADDR'] . '*' . mt_rand(0, 60000));
-$CONF['setup_password'] = $PFA_SALT.':'.sha1($PFA_SALT.':'.($_ENV['PFA_SETUP_PASS'] ? $_ENV['PFA_SETUP_PASS'] : $_ENV['PFA_DB_PASS']));
+# SHA1 encoding is obsolete since 3.3
+#$CONF['setup_password'] = $PFA_SALT.':'.sha1($PFA_SALT.':'.($_ENV['PFA_SETUP_PASS'] ? $_ENV['PFA_SETUP_PASS'] : $_ENV['PFA_DB_PASS']));
+# New password hashing since 3.3
+$CONF['setup_password'] = password_hash(($_ENV['PFA_SETUP_PASS'] ? $_ENV['PFA_SETUP_PASS'] : $_ENV['PFA_DB_PASS']), PASSWORD_DEFAULT);
 
 // Language config
 // Language files are located in './languages', change as required..
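Review bot: The new `password_hash(...)` line hashes whatever the ternary yields, so when neither `PFA_SETUP_PASS` nor `PFA_DB_PASS` is set it stores a valid hash of an empty value, and when only `PFA_DB_PASS` is set the setup password silently equals the database credential. Consider resolving the secret first and failing closed, e.g. `$pfaSetupPass = $_ENV['PFA_SETUP_PASS'] ?? '';` followed by `if ($pfaSetupPass !== '') { $CONF['setup_password'] = password_hash($pfaSetupPass, PASSWORD_DEFAULT); }`, which also avoids the undefined-key warning on the first operand. `$PFA_SALT` on the context line above is no longer read by the new assignment and looks removable, though the file continues outside the hunk so another use cannot be ruled out. If this config file is included on every request, the deliberately slow hash is also recomputed each time, which is worth confirming.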