From 625d8282af5a4da4b6d5c9a31e542680acd5e7b3 Mon Sep 17 00:00:00 2001
From: Philipp Sehmisch
Date: Fri, 4 Dec 2009 22:16:26 +0100
Subject: Moved password hashing during registration to the client
---
 src/net/manaserv/loginhandler.cpp | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)
(limited to 'src')
diff --git a/src/net/manaserv/loginhandler.cpp b/src/net/manaserv/loginhandler.cpp
index bd29d1d9..9abef806 100644
--- a/src/net/manaserv/loginhandler.cpp
+++ b/src/net/manaserv/loginhandler.cpp
@@ -421,10 +421,8 @@ void LoginHandler::registerAccount(LoginData *loginData)
 msg.writeInt32(0); // client version
 msg.writeString(loginData->username);
- // When registering, the password and email hash is assumed by server.
- // Hence, data can be validated safely server-side.
- // This is the only time we send a clear password.
- msg.writeString(loginData->password);
+ // Use a hashed password for privacy reasons
+ msg.writeString(sha256(loginData->username + loginData->password));
 msg.writeString(loginData->email);
 msg.writeString(loginData->captchaResponse);
--
cgit v1.2.3-70-g09d2
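Review bot: The value written by `msg.writeString(sha256(loginData->username + loginData->password));` is a single fast SHA-256 salted only with the username, so it becomes the effective credential on the wire and gives little protection if the connection or the account database is exposed. Whether the server re-hashes this value with a per-account random salt and a slow KDF before storing it is not visible in this hunk and should be confirmed, as should the login path building the identical string. Concatenating without a separator also lets different username/password splits produce the same input (constructed example: `"ab"+"c"` and `"a"+"bc"`), and the server can no longer check password length or quality, which the removed comment relied on. I would replace the new comment with `// Send sha256(username + password) instead of the clear password; the value is password-equivalent, and length/strength checks must now happen client-side.` registerAccount's body starts and ends outside the hunk.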