Diffstat (limited to 'phpBB/phpbb/passwords/driver')
-rw-r--r-- | phpBB/phpbb/passwords/driver/bcrypt.php | 10 |
1 files changed, 10 insertions, 0 deletions
diff --git a/phpBB/phpbb/passwords/driver/bcrypt.php b/phpBB/phpbb/passwords/driver/bcrypt.php
index 2f6cc1b381..e29379a36f 100644
--- a/phpBB/phpbb/passwords/driver/bcrypt.php
+++ b/phpBB/phpbb/passwords/driver/bcrypt.php
@@ -41,6 +41,16 @@ class bcrypt extends \phpbb\passwords\driver\base
 // Revert to 2a if this is the case
 $prefix = (!$this->is_supported()) ? '$2a$' : $this->get_prefix();
 
+ // Do not support 8-bit characters with $2a$ bcrypt
+ // Also see http://www.php.net/security/crypt_blowfish.php
+ if ($prefix === self::PREFIX)
+ {
+ if (ord($password[strlen($password)-1]) & 128)
+ {
+ return false;
+ }
+ }
+
 if ($salt == '')
 {
 $salt = $prefix . '10$' . $this->get_random_salt(); |
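Review bot: The added guard tests only the final byte of `$password`, while the comment directly above it says 8-bit characters are not supported with `$2a$`; a password carrying a high-bit byte anywhere before the last position still reaches the hashing code below. The index `strlen($password)-1` is also `-1` for an empty password, which raises a string-offset notice on that path rather than giving a clean result. If the intent is to refuse every such input, `if (preg_match('/[\x80-\xff]/', $password))` covers both cases in one line. The method starts and ends outside this hunk, so it is not visible whether callers already treat a `false` return as a failed hash; a one-line comment on the `return false;` stating that contract would help.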