| author | Marc Alexander <admin@m-a-styles.de> | 2013-06-15 12:11:51 +0200 |
|---|---|---|
| committer | Marc Alexander <admin@m-a-styles.de> | 2013-09-14 13:52:09 +0200 |
| commit | f8bcf99c7fe0b20f447e502cf2cb5b3d0648f68a (patch) | |
| tree | b82e6f5bafaae5b22f859a3b83405d22059fd08e | |
| parent | 8795fe9c77d634cb99d6f1f30a0022a6ba972785 (diff) | |
[feature/passwords] Do not support 8-bit characters with $2a$ bcrypt
Characters with the high bit set (e.g. UTF-8 encoded non-ASCII characters) might
reduce the security of the password hash when using the $2a$ bcrypt prefix.
Such characters are rarely used in passwords, but we should prevent this
possible issue anyway.
PHPBB3-11610
| -rw-r--r-- | phpBB/includes/crypto/manager.php | 20 |
1 files changed, 13 insertions, 7 deletions
diff --git a/phpBB/includes/crypto/manager.php b/phpBB/includes/crypto/manager.php
index 1f6ba78666..93b99743d1 100644
--- a/phpBB/includes/crypto/manager.php
+++ b/phpBB/includes/crypto/manager.php
@@ -154,20 +154,26 @@ class phpbb_crypto_manager
 * @param string $password Password that should be hashed
 * @param string $type Hash type. Will default to standard hash type if
 * none is supplied
- * @return string Password hash of supplied password
+ * @return string|bool Password hash of supplied password or false if
+ * if something went wrong during hashing
 *
 * @throws RunTimeException If hash type is not supported
 */
 public function hash_password($password, $type = '')
 {
- if ($type === '')
- {
- return $this->container->get($this->type)->hash($password);
- }
- else
+ $type = ($type === '') ? $this->type : $type;
+
+ $hashing_algorithm = $this->container->get($type);
+ // Do not support 8-bit characters with $2a$ bcrypt
+ if ($type === 'crypto.driver.bcrypt' || ($type === 'crypto.driver.bcrypt_2y' && !$hashing_algorithm->is_supported()))
 {
- return $this->container->get($type)->hash($password);
+ if (ord($password[strlen($password)-1]) & 128)
+ {
+ return false;
+ }
 }
+
+ return $this->container->get($type)->hash($password);
 }
 
 public function check_hash($password, $hash)
|
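Review bot: The added guard `if (ord($password[strlen($password)-1]) & 128)` only inspects the final byte, so a password with an 8-bit character in the middle and ASCII at the end (e.g. `"pässword1"`) still reaches the `$2a$` hash, although the commit's stated intent is to refuse any 8-bit character; it also reads offset -1 on an empty password, which raises an uninitialized-offset notice. Scanning the whole string covers both cases: `if (preg_match('/[\x80-\xFF]/', $password))` (byte-wise, deliberately without the `u` modifier). The `$hashing_algorithm` fetched two lines earlier is then unused and the container is queried a second time on the final return; `return $hashing_algorithm->hash($password);` avoids the duplicate lookup. The new `@return` docblock also repeats "if" across its two lines. `check_hash` at the end of the hunk continues outside it.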
