fix: Update video_password handling to support bcrypt hashes and improve security

https://github.com/WWBN/AVideo/security/advisories/GHSA-363v-5rh8-23wg#event-592859

Author: Daniel Neto

install/checkConfiguration.php

@@ -24,7 +24,7 @@
 }
 
 
-$installationVersion = "28.0";
+$installationVersion = "29.0";
 
 require_once '../objects/functionsSecurity.php';
 

install/database.sql

@@ -169,7 +169,7 @@ CREATE TABLE IF NOT EXISTS `videos` (
   `only_for_paid` TINYINT(1) NULL DEFAULT NULL,
   `serie_playlists_id` INT(11) NULL DEFAULT NULL,
   `sites_id` INT(11) NULL DEFAULT NULL,
-  `video_password` VARCHAR(45) NULL DEFAULT NULL,
+  `video_password` VARCHAR(255) NULL DEFAULT NULL,
   `encoderURL` VARCHAR(255) NULL DEFAULT NULL,
   `filepath` VARCHAR(255) NULL DEFAULT NULL,
   `filesize` BIGINT(19) UNSIGNED NULL DEFAULT 0,

objects/functions.php

@@ -6264,8 +6264,13 @@ function outputAndContinueInBackground($msg = '')
 function cleanUpRowFromDatabase(&$row)
 {
     if (is_array($row)) {
+        // Convert video_password to a presence flag before stripping it,
+        // so callers never receive the stored hash.
+        if (array_key_exists('video_password', $row)) {
+            $row['video_password'] = empty($row['video_password']) ? '' : '1';
+        }
         foreach ($row as $key => $value) {
-            if (preg_match('/pass/i', $key)) {
+            if ($key !== 'video_password' && preg_match('/pass/i', $key)) {
                 unset($row[$key]);
             }
         }

objects/video.php

@@ -111,6 +111,9 @@ class Video extends ObjectYPT
         const ASPECT_RATIO_VERTICAL = '9:16';
         const ASPECT_RATIO_HORIZONTAL = '16:9';
 
+        /** Sentinel value: tells setVideo_password() to leave the stored password unchanged. */
+        const PASSWORD_KEEP = '__keep__';
+
 
         const SORT_TYPE_CHANNELSUGGESTED = 'channelSuggested';
         const SORT_TYPE_SUGGESTED = 'suggested';
@@ -520,10 +523,44 @@ public function getVideo_password()
             return trim($this->video_password);
         }
 
+        /**
+         * Returns a bcrypt hash of the given plaintext password.
+         * Already-hashed values (bcrypt prefix '$2') are returned as-is.
+         * Empty string is returned unchanged (means "no password").
+         */
+        public static function hashVideoPassword(string $plaintext): string
+        {
+            if ($plaintext === '' || substr($plaintext, 0, 2) === '$2') {
+                return $plaintext;
+            }
+            return password_hash($plaintext, PASSWORD_BCRYPT);
+        }
+
+        /**
+         * Verifies a plaintext password against the stored value.
+         * Handles both bcrypt hashes (modern) and legacy plaintext (backward-compat).
+         */
+        public static function verifyVideoPassword(string $entered, string $stored): bool
+        {
+            if ($stored === '') {
+                return true;
+            }
+            if (substr($stored, 0, 2) === '$2') {
+                return password_verify($entered, $stored);
+            }
+            // Legacy plaintext — direct comparison until owner re-saves
+            return $entered === $stored;
+        }
+
         public function setVideo_password($video_password)
         {
+            $video_password = trim($video_password);
+            if ($video_password === self::PASSWORD_KEEP) {
+                return;
+            }
+            $video_password = self::hashVideoPassword($video_password);
             AVideoPlugin::onVideoSetVideo_password($this->id, $this->video_password, $video_password);
-            $this->video_password = trim($video_password);
+            $this->video_password = $video_password;
         }
 
         public function save($updateVideoGroups = false, $allowOfflineUser = false)
@@ -2289,17 +2326,7 @@ static function getInfo($row, $getStatistcs = false)
                 if (!empty($obj['userExternalOptions']) && is_string($obj['userExternalOptions'])) {
                     $obj['userExternalOptions'] = User::decodeExternalOption($obj['userExternalOptions']);
                 }
-                $obj = cleanUpRowFromDatabase($obj);
-
-                if (!self::canEdit($obj['id'])) {
-                    if (!empty($rowOriginal['video_password'])) {
-                        $obj['video_password'] = '1';
-                    } else {
-                        $obj['video_password'] = '0';
-                    }
-                } else {
-                    $obj['video_password'] = empty($rowOriginal['video_password']) ? '' : $rowOriginal['video_password'];
-                }
+                $obj = cleanUpRowFromDatabase($obj); // video_password is reduced to '' / '1' flag inside
                 if (self::forceAudio()) {
                     $obj['type'] = 'audio';
                 } else if (self::forceArticle()) {
@@ -2403,16 +2430,7 @@ static function getInfoPersonal($row)
                 return object_to_array($cache);
             }
 
-            $row = cleanUpRowFromDatabase($row);
-            if (!self::canEdit($row['id'])) {
-                if (!empty($rowOriginal['video_password'])) {
-                    $row['video_password'] = '1';
-                } else {
-                    $row['video_password'] = '0';
-                }
-            } else {
-                $row['video_password'] = empty($rowOriginal['video_password']) ? '' : $rowOriginal['video_password'];
-            }
+            $row = cleanUpRowFromDatabase($row); // video_password is reduced to '' / '1' flag inside
             TimeLogEnd($timeLogName, __LINE__, $TimeLogLimit);
             $row['isFavorite'] = self::isFavorite($row['id']);
             TimeLogEnd($timeLogName, __LINE__, $TimeLogLimit);

plugin/CustomizeUser/CustomizeUser.php

@@ -796,20 +796,21 @@ public function getModeYouTube($videos_id)
     public static function videoPasswordIsGood($videos_id)
     {
         $video = new Video("", "", $videos_id);
-        $videoPassword = $video->getVideo_password();
-        if (empty($videoPassword)) {
+        $storedHash = $video->getVideo_password();
+        if (empty($storedHash)) {
             return true;
         }
-        //var_dump($_REQUEST['video_password'], $videoPassword);exit;
-        if (empty($_SESSION['video_password'][$videos_id]) || $videoPassword !== $_SESSION['video_password'][$videos_id]) {
-            if (!empty($_REQUEST['video_password']) && $_REQUEST['video_password'] == $videoPassword) {
-                _session_start();
-                $_SESSION['video_password'][$videos_id] = $_REQUEST['video_password'];
-                return true;
-            }
-            return false;
+        // Session token is derived from the stored hash so it auto-invalidates when the password changes
+        $sessionToken = hash('sha256', $storedHash);
+        if (!empty($_SESSION['video_password_token'][$videos_id]) && $_SESSION['video_password_token'][$videos_id] === $sessionToken) {
+            return true;
         }
-        return true;
+        if (!empty($_REQUEST['video_password']) && Video::verifyVideoPassword($_REQUEST['video_password'], $storedHash)) {
+            _session_start();
+            $_SESSION['video_password_token'][$videos_id] = $sessionToken;
+            return true;
+        }
+        return false;
     }
 
     public function getEmbed($videos_id)

updatedb/updateDb.v29.0.sql

@@ -0,0 +1,14 @@
+SET @OLD_UNIQUE_CHECKS=@@UNIQUE_CHECKS, UNIQUE_CHECKS=0;
+SET @OLD_FOREIGN_KEY_CHECKS=@@FOREIGN_KEY_CHECKS, FOREIGN_KEY_CHECKS=0;
+SET @OLD_SQL_MODE=@@SQL_MODE, SQL_MODE='TRADITIONAL,ALLOW_INVALID_DATES';
+
+-- Expand video_password to hold bcrypt hashes (60 chars); VARCHAR(255) future-proofs
+-- against longer algorithm outputs per PHP password_hash() documentation.
+ALTER TABLE `videos`
+MODIFY COLUMN `video_password` VARCHAR(255) NULL DEFAULT NULL;
+
+UPDATE configurations SET version = '29.0', modified = now() WHERE id = 1;
+
+SET SQL_MODE=@OLD_SQL_MODE;
+SET FOREIGN_KEY_CHECKS=@OLD_FOREIGN_KEY_CHECKS;
+SET UNIQUE_CHECKS=@OLD_UNIQUE_CHECKS;

view/managerVideos_body.php

@@ -685,6 +685,7 @@
     var isArticle = 0;
     var checkProgressTimeout = [];
     var filterDateRange = '';
+    var VIDEO_PASSWORD_KEEP = <?php echo json_encode(Video::PASSWORD_KEEP); ?>;
 
 
     function saveVideoOnPlaylist(videos_id, add, playlists_id) {
@@ -944,7 +945,9 @@ function editVideo(row) {
 
         $('#inputVideoId').val(row.id);
         $('#inputTitle').val(row.title);
-        $('#inputVideoPassword').val(row.video_password);
+        // video_password is a flag ('1'/''): never pre-populate the field with the stored hash
+        $('#inputVideoPassword').val('').data('hasPassword', row.video_password === '1' || row.video_password === 1);
+        // VIDEO_PASSWORD_KEEP is the PHP constant Video::PASSWORD_KEEP passed to JS below
         $('#videoStatus').val(row.status);
         $('#inputTrailer').val(row.trailer1);
         $('#inputCleanTitle').val(row.clean_title);
@@ -1190,7 +1193,7 @@ function saveVideo(closeModal) {
                 ?> "id": $('#inputVideoId').val(),
                 "title": $('#inputTitle').val(),
                 "trailer1": $('#inputTrailer').val(),
-                "video_password": $('#inputVideoPassword').val(),
+                "video_password": ($('#inputVideoPassword').val() !== '') ? $('#inputVideoPassword').val() : ($('#inputVideoPassword').data('hasPassword') ? VIDEO_PASSWORD_KEEP : ''),
                 "videoStatus": $('#videoStatus').val(),
                 "videoLink": $('#videoLink').val(),
                 "epg_link": $('#epg_link').val(),