-rw-r--r-- | build/build.xml | 20 | ||||
-rwxr-xr-x | build/build_diff.php | 3 | ||||
-rwxr-xr-x | build/package.php | 12 | ||||
-rw-r--r-- | phpBB/docs/CHANGELOG.html | 1 | ||||
-rw-r--r-- | phpBB/includes/functions.php | 7 | ||||
-rw-r--r-- | tests/security/hash_test.php | 8 |
6 files changed, 35 insertions, 16 deletions
diff --git a/build/build.xml b/build/build.xml
index 7b87830da3..f0962e67eb 100644
--- a/build/build.xml
+++ b/build/build.xml
@@ -3,7 +3,7 @@
 <project name="phpBB" description="The phpBB forum software" default="all" basedir="../">
 <!-- a few settings for the build -->
 <property name="newversion" value="3.0.13-dev" />
- <property name="prevversion" value="3.0.12-RC3" />
+ <property name="prevversion" value="3.0.12" />
 <property name="olderversions" value="3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.0.6, 3.0.7, 3.0.7-PL1, 3.0.8, 3.0.9, 3.0.10, 3.0.11" />
 <!-- no configuration should be needed beyond this point -->
@@ -149,6 +149,24 @@
 <exec dir="build" escape="false" command="git diff --stat release-${prevversion}...HEAD > save/save_${prevversion}_to_${newversion}/phpbb-${prevversion}_to_${newversion}_git_diffstat.txt" />
+
+ <phingcall target="checksum-dir">
+ <property name="dir" value="build/new_version/release_files" />
+ </phingcall>
+ </target>
+
+ <target name="checksum-dir">
+ <foreach param="filename" absparam="absfilename" target="checksum-file">
+ <fileset dir="${dir}">
+ <type type="file" />
+ </fileset>
+ </foreach>
+ </target>
+
+ <target name="checksum-file">
+ <echo msg="Creating checksum file for ${absfilename}" />
+ <php function="dirname" returnProperty="dir"><param value="${absfilename}"/></php>
+ <exec dir="${dir}" command="sha256sum $(unknown) > $(unknown).sha256" />
 </target>
 <target name="changelog" depends="prepare">
diff --git a/build/build_diff.php b/build/build_diff.php
index 0824b53caa..d264ecf493 100755
--- a/build/build_diff.php
+++ b/build/build_diff.php
@@ -83,9 +83,6 @@ if (!$echo_changes)
 // Build Package
 run_command("$compress_command ./../../new_version/release_files/{$code_changes_filename}.{$extension} *");
-
- // Build MD5 Sum
- run_command("md5sum ./../../new_version/release_files/{$code_changes_filename}.{$extension} > ./../../new_version/release_files/{$code_changes_filename}.{$extension}.md5");
 flush();
 }
 }
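Review bot: In the new `checksum-file` target the file name is pasted into the shell command unquoted (`sha256sum $(unknown) > $(unknown).sha256`), and as rendered here the reference reads `$(unknown)`, which looks like an extraction artifact for the `${filename}` parameter that the foreach in `checksum-dir` declares; whichever it is, quoting it (`sha256sum '${filename}' > '${filename}.sha256'`) keeps a release file whose name contains spaces or shell metacharacters from breaking the command. The `checksum-dir` fileset has no exclude, so running the target a second time over the same directory would also produce checksums of the `.sha256` sidecars written by the first pass; `<exclude name="**/*.sha256" />` inside the fileset avoids that. `<php function="dirname" returnProperty="dir">` also overwrites the `dir` property the caller passed in, which only works because the foreach has already expanded its fileset; a distinct property name would make that less fragile. A sidecar stored next to the artifact detects transfer corruption, not substitution of both files, so it is not a substitute for signing the release.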
diff --git a/build/package.php b/build/package.php
index 48f42b3572..22ea4e52af 100755
--- a/build/package.php
+++ b/build/package.php
@@ -285,9 +285,6 @@ if (sizeof($package->old_packages))
 // Build Package
 $package->run_command($compress_command . ' ../release_files/' . $package->get('release_filename') . '-patch.' . $extension . ' *');
-
- // Build MD5 Sum
- $package->run_command('md5sum ../release_files/' . $package->get('release_filename') . '-patch.' . $extension . ' > ../release_files/' . $package->get('release_filename') . '-patch.' . $extension . '.md5');
 }
 // Build Files Package
@@ -319,8 +316,6 @@ if (sizeof($package->old_packages))
 chdir('./release');
 $package->run_command("$compress_command ../../release_files/" . $package->get('release_filename') . '-files.' . $extension . ' *');
- // Build MD5 Sum
- $package->run_command('md5sum ../../release_files/' . $package->get('release_filename') . '-files.' . $extension . ' > ../../release_files/' . $package->get('release_filename') . '-files.' . $extension . '.md5');
 chdir('..');
 $package->run_command('rm -Rv ' . $package->get('files_directory') . '/release');
@@ -363,9 +358,6 @@ if (sizeof($package->old_packages))
 // Copy last package over...
 $package->run_command('rm -v ../release_files/phpBB-' . $last_version . ".$extension");
 $package->run_command("$compress_command ../../release_files/phpBB-$last_version.$extension *");
-
- // Build MD5 Sum
- $package->run_command("md5sum ../../release_files/phpBB-$last_version.$extension > ../../release_files/phpBB-$last_version.$extension.md5");
 chdir('..');
 }
@@ -388,9 +380,6 @@ foreach ($compress_programs as $extension => $compress_command)
 // Build Package
 $package->run_command("$compress_command ./release_files/" . $package->get('release_filename') . '.' . $extension . ' ' . $package->get('package_name'));
-
- // Build MD5 Sum
- $package->run_command('md5sum ./release_files/' . $package->get('release_filename') . '.' . $extension . ' > ./release_files/' . $package->get('release_filename') . '.' . $extension . '.md5');
 }
 // Microsoft Web PI packaging
@@ -398,7 +387,6 @@ $package->begin_status('Packaging phpBB for Microsoft WebPI');
 $file = './release_files/' . $package->get('release_filename') . '.webpi.zip';
 $package->run_command('cp -p ./release_files/' . $package->get('release_filename') . ".zip $file");
 $package->run_command('cd ./../webpi && ' . $compress_programs['zip'] . " ./../new_version/$file *");
-$package->run_command("md5sum $file > $file.md5");
 // verify results
 chdir($package->locations['root']);
diff --git a/phpBB/docs/CHANGELOG.html b/phpBB/docs/CHANGELOG.html
index 6d8b39d524..71795f83ac 100644
--- a/phpBB/docs/CHANGELOG.html
+++ b/phpBB/docs/CHANGELOG.html
@@ -218,6 +218,7 @@
 <li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-11368">PHPBB3-11368</a>] - Latest pm reports row count</li>
 <li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-11583">PHPBB3-11583</a>] - InnoDB supports FULLTEXT index since MySQL 5.6.4.</li>
 <li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-11740">PHPBB3-11740</a>] - Update link in FAQ to Ideas Centre</li>
+<li>[<a href="http://tracker.phpbb.com/browse/PHPBB3-11873">PHPBB3-11873</a>] - Prevent expensive hash computation in phpbb_check_hash() by rejecting very long passwords</li>
 </ul>
 <h4>Sub-task</h4>
 <ul>
diff --git a/phpBB/includes/functions.php b/phpBB/includes/functions.php
index b2b12c1445..eef4ade4e7 100644
--- a/phpBB/includes/functions.php
+++ b/phpBB/includes/functions.php
@@ -502,6 +502,13 @@ function phpbb_hash($password)
 */
 function phpbb_check_hash($password, $hash)
 {
+ if (strlen($password) > 4096)
+ {
+ // If the password is too huge, we will simply reject it
+ // and not let the server try to hash it.
+ return false;
+ }
+
 $itoa64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
 if (strlen($hash) == 34)
 {
diff --git a/tests/security/hash_test.php b/tests/security/hash_test.php
index 0c2580c19b..e226365ef3 100755
--- a/tests/security/hash_test.php
+++ b/tests/security/hash_test.php
@@ -17,5 +17,13 @@ class phpbb_security_hash_test extends phpbb_test_case
 $this->assertTrue(phpbb_check_hash('test', '$P$9isfrtKXWqrz8PvztXlL3.daw4U0zI1'));
 $this->assertFalse(phpbb_check_hash('foo', '$H$9isfrtKXWqrz8PvztXlL3.daw4U0zI1'));
 }
+
+ public function test_check_hash_with_large_input()
+ {
+ // 16 MB password, should be rejected quite fast
+ $start_time = time();
+ $this->assertFalse(phpbb_check_hash(str_repeat('a', 1024 * 1024 * 16), '$H$9isfrtKXWqrz8PvztXlL3.daw4U0zI1'));
+ $this->assertLessThanOrEqual(5, time() - $start_time);
+ }
 }
 |
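Review bot: The new guard at the top of `phpbb_check_hash()` hard-codes the bound as a bare `4096` and the added comment says only that a huge password is rejected, not why that value was chosen or where else it has to be honoured; a why-comment such as `// Bound the bytes fed to the hash loop: cost scales with input length, and nothing above 4 KiB is a legitimate password` on the `if` line, or a named constant shared with the test, would keep the limit from being changed casually. `strlen()` is the right measure here since the hashing cost scales with bytes rather than characters. `phpbb_hash($password)` is named in the hunk header but its body is outside the hunk; if it accepts the same user-supplied input at registration or password change, it presumably wants the same bound — verify. The remainder of `phpbb_check_hash()` also continues past the end of the hunk.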
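Review bot: `test_check_hash_with_large_input` in tests/security/hash_test.php checks the new guard only with a 16 MB input and a 5-second wall-clock bound measured with `time()`, which has one-second resolution, will be flaky on a loaded CI host, and never exercises the actual boundary. Because the guard is deterministic, a boundary pair proves more than the timing does: `$this->assertTrue(phpbb_check_hash(str_repeat('a', 4096), phpbb_hash(str_repeat('a', 4096))));` shows a 4096-byte password still reaches the real hash path, and `$this->assertFalse(phpbb_check_hash(str_repeat('a', 4097), phpbb_hash(str_repeat('a', 4097))));` shows one byte more is rejected even when the hash would match. If the timing assertion is kept, `microtime(true)` would at least measure what the comment claims.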