diff options
| author | Henry Sudhof <kellanved@phpbb.com> | 2009-02-06 14:51:26 +0000 |
|---|---|---|
| committer | Henry Sudhof <kellanved@phpbb.com> | 2009-02-06 14:51:26 +0000 |
| commit | e5f0824e4b1f4215c0126edccc162aa1a7c6787d (patch) | |
| tree | aee1b15410b9509571cc6222f86cb3c3a6609dd9 /phpBB/includes | |
| parent | f0efebefd5d808e596334b056818319f46a43615 (diff) | |
| download | forums-e5f0824e4b1f4215c0126edccc162aa1a7c6787d.tar forums-e5f0824e4b1f4215c0126edccc162aa1a7c6787d.tar.gz forums-e5f0824e4b1f4215c0126edccc162aa1a7c6787d.tar.bz2 forums-e5f0824e4b1f4215c0126edccc162aa1a7c6787d.tar.xz forums-e5f0824e4b1f4215c0126edccc162aa1a7c6787d.zip | |
As proposed by marshalrusty: re-hash plain MD5s left in the database
git-svn-id: file:///svn/phpbb/branches/phpBB-3_0_0@9312 89ea8834-ac86-4346-8a33-228a782c2dd0
Diffstat (limited to 'phpBB/includes')
| -rw-r--r-- | phpBB/includes/auth/auth_db.php | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/phpBB/includes/auth/auth_db.php b/phpBB/includes/auth/auth_db.php index 1a5fd9e418..24d4c56614 100644 --- a/phpBB/includes/auth/auth_db.php +++ b/phpBB/includes/auth/auth_db.php @@ -141,7 +141,9 @@ function login_db(&$username, &$password) } // cp1252 is phpBB2's default encoding, characters outside ASCII range might work when converted into that encoding - if (md5($password_old_format) == $row['user_password'] || md5(utf8_to_cp1252($password_old_format)) == $row['user_password']) + // plain md5 support left in for conversions from other systems. + if ((strlen($row['user_password']) == 34 && (phpbb_check_hash(md5($password_old_format), $row['user_password']) || phpbb_check_hash(md5(utf8_to_cp1252($password_old_format)), $row['user_password']))) + || (strlen($row['user_password']) == 32 && (md5($password_old_format) == $row['user_password'] || md5(utf8_to_cp1252($password_old_format)) == $row['user_password']))) { $hash = phpbb_hash($password_new_format); @@ -155,7 +157,7 @@ function login_db(&$username, &$password) $row['user_pass_convert'] = 0; $row['user_password'] = $hash; } - else + else { // Although we weren't able to convert this password we have to // increase login attempt count to make sure this cannot be exploited |