From 2d6c6416489b7dc4f917fe95ca984f3a26ee1923 Mon Sep 17 00:00:00 2001
From: Basraah
Date: Tue, 21 Feb 2017 14:20:12 +1000
Subject: [PATCH] IPS4 and Market PHP hash fix (#727)
Force bcrypt 2y for PHP apps 2b isn't supported by older versions of PHP supplied by e.g. Ubuntu 14.04. 2a is insecure. Remove plaintext warning No services store plaintext passwords anymore. Switch form to password field
---
 services/forms.py | 2 +-
 services/modules/ips4/manager.py | 2 +-
 services/modules/market/manager.py | 2 +-
 stock/templates/registered/service_password.html | 1 -
 4 files changed, 3 insertions(+), 4 deletions(-)
diff --git a/services/forms.py b/services/forms.py
index c892563c..c3aa5113 100644
--- a/services/forms.py
+++ b/services/forms.py
@@ -22,7 +22,7 @@ class FleetFormatterForm(forms.Form):
 class ServicePasswordForm(forms.Form):
- password = forms.CharField(label=_("Password"), required=True)
+ password = forms.CharField(label=_("Password"), required=True, widget=forms.PasswordInput())
 def clean_password(self):
 password = self.cleaned_data['password']
diff --git a/services/modules/ips4/manager.py b/services/modules/ips4/manager.py
index bcda4d44..ffbb8fc5 100644
--- a/services/modules/ips4/manager.py
+++ b/services/modules/ips4/manager.py
@@ -48,7 +48,7 @@ class Ips4Manager:
 @staticmethod
 def _gen_pwhash(password):
- return bcrypt.using(ident='2a').encrypt(password.encode('utf-8'), rounds=13)
+ return bcrypt.using(ident='2y').encrypt(password.encode('utf-8'), rounds=13)
 @staticmethod
 def _get_salt(pw_hash):
diff --git a/services/modules/market/manager.py b/services/modules/market/manager.py
index 5938add2..f2aabea4 100644
--- a/services/modules/market/manager.py
+++ b/services/modules/market/manager.py
@@ -38,7 +38,7 @@ class MarketManager:
 @staticmethod
 def _gen_pwhash(password):
- return bcrypt.encrypt(password.encode('utf-8'), rounds=13)
+ return bcrypt.using(ident='2y').encrypt(password.encode('utf-8'), rounds=13)
 @staticmethod
 def _get_salt(pw_hash):
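Review bot: No upper bound on the password length is visible on the `password` field in services/forms.py, and both `_gen_pwhash` helpers touched by this patch pass the value to bcrypt, which only uses the first 72 bytes of its input. `clean_password` continues outside the hunk, so it may already enforce a limit; if it does not, reject over-long input there, e.g. `if len(password.encode('utf-8')) > 72: raise forms.ValidationError(_("Password must be at most 72 bytes."))`, so a long passphrase is not silently truncated before hashing. The limit is in bytes of the UTF-8 encoding, not characters, which is why a plain `max_length=72` on the field would not be equivalent.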
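Review bot: The new `_gen_pwhash` line in services/modules/ips4/manager.py still uses a call form the hashing library deprecates. Assuming `bcrypt` here is `passlib.hash.bcrypt` (the import is outside the hunk), `using()` arrived in passlib 1.7, the same release that renamed `encrypt()` to `hash()` and deprecated passing `rounds` at call time. Suggest `return bcrypt.using(ident='2y', rounds=13).hash(password.encode('utf-8'))`, preceded by a comment such as `# '2y' is the ident PHP's password_hash() emits; older PHP cannot verify '2b'`, since the reason for the ident currently lives only in the commit message. The identical line in services/modules/market/manager.py should get the same change, and the two helpers could share one function so that ident and cost cannot drift apart.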
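Review bot: Only hashes generated after this change in services/modules/market/manager.py get the `2y` ident; rows written by the previous `bcrypt.encrypt(...)` call keep whatever ident the library defaulted to (presumably `2b`, going by the commit message). Those accounts would therefore still fail to authenticate on the older PHP versions until the password is set again, and nothing in the patch migrates or flags them. Consider a release note asking operators to have users reset their Market password, plus a comment on the helper such as `# hashes stored before the 2y switch are not rewritten; a password reset is required`. `_gen_pwhash` sits inside `MarketManager`, whose other methods are outside the hunk, so a reset path may already exist.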
diff --git a/stock/templates/registered/service_password.html b/stock/templates/registered/service_password.html
index 7ac2ea30..51632898 100644
--- a/stock/templates/registered/service_password.html
+++ b/stock/templates/registered/service_password.html
@@ -14,7 +14,6 @@
-

{% trans "Passwords are stored as plain text. Don't re-use another password." %}