aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorMarc Alexander <admin@m-a-styles.de>2014-10-22 14:54:55 -0500
committerMarc Alexander <admin@m-a-styles.de>2014-10-22 14:54:55 -0500
commit0bc04a4df098da1fd8fe6e272ebf877ae15b7032 (patch)
tree8a71d60ef5bee7092c97c2faaab33a8340d1348b
parent2b47ef1266a04ae0bf692a1568687968e8e2b827 (diff)
downloadforums-0bc04a4df098da1fd8fe6e272ebf877ae15b7032.tar
forums-0bc04a4df098da1fd8fe6e272ebf877ae15b7032.tar.gz
forums-0bc04a4df098da1fd8fe6e272ebf877ae15b7032.tar.bz2
forums-0bc04a4df098da1fd8fe6e272ebf877ae15b7032.tar.xz
forums-0bc04a4df098da1fd8fe6e272ebf877ae15b7032.zip
[ticket/13203] Use string_compare method in passwords drivers
PHPBB3-13203
-rw-r--r--phpBB/config/password.yml1
-rw-r--r--phpBB/phpbb/passwords/driver/bcrypt.php2
-rw-r--r--phpBB/phpbb/passwords/driver/bcrypt_wcf2.php2
-rw-r--r--phpBB/phpbb/passwords/driver/md5_mybb.php2
-rw-r--r--phpBB/phpbb/passwords/driver/md5_phpbb2.php9
-rw-r--r--phpBB/phpbb/passwords/driver/md5_vb.php2
-rw-r--r--phpBB/phpbb/passwords/driver/salted_md5.php2
-rw-r--r--phpBB/phpbb/passwords/driver/sha1.php2
-rw-r--r--phpBB/phpbb/passwords/driver/sha1_smf.php2
-rw-r--r--phpBB/phpbb/passwords/driver/sha1_wcf1.php2
-rw-r--r--phpBB/phpbb/passwords/driver/sha_xf1.php4
-rw-r--r--tests/passwords/drivers_test.php2
12 files changed, 19 insertions, 13 deletions
diff --git a/phpBB/config/password.yml b/phpBB/config/password.yml
index 09e935016e..cb45ec3d42 100644
--- a/phpBB/config/password.yml
+++ b/phpBB/config/password.yml
@@ -101,6 +101,7 @@ services:
arguments:
- @request
- @passwords.driver.salted_md5
+ - @passwords.driver_helper
- %core.root_path%
- %core.php_ext%
tags:
diff --git a/phpBB/phpbb/passwords/driver/bcrypt.php b/phpBB/phpbb/passwords/driver/bcrypt.php
index 23add37a56..eab1c3d569 100644
--- a/phpBB/phpbb/passwords/driver/bcrypt.php
+++ b/phpBB/phpbb/passwords/driver/bcrypt.php
@@ -68,7 +68,7 @@ class bcrypt extends base
return false;
}
- if ($hash == $this->hash($password, $salt))
+ if ($this->helper->string_compare($hash, $this->hash($password, $salt)))
{
return true;
}
diff --git a/phpBB/phpbb/passwords/driver/bcrypt_wcf2.php b/phpBB/phpbb/passwords/driver/bcrypt_wcf2.php
index 2d6f897a7b..0eee98d7b7 100644
--- a/phpBB/phpbb/passwords/driver/bcrypt_wcf2.php
+++ b/phpBB/phpbb/passwords/driver/bcrypt_wcf2.php
@@ -78,7 +78,7 @@ class bcrypt_wcf2 extends base
return false;
}
// Works for standard WCF 2.x, i.e. WBB4 and similar
- return $hash === $this->bcrypt->hash($this->bcrypt->hash($password, $salt), $salt);
+ return $this->helper->string_compare($hash, $this->bcrypt->hash($this->bcrypt->hash($password, $salt), $salt));
}
}
}
diff --git a/phpBB/phpbb/passwords/driver/md5_mybb.php b/phpBB/phpbb/passwords/driver/md5_mybb.php
index 61ea8dafd8..f631ceae78 100644
--- a/phpBB/phpbb/passwords/driver/md5_mybb.php
+++ b/phpBB/phpbb/passwords/driver/md5_mybb.php
@@ -54,7 +54,7 @@ class md5_mybb extends base
else
{
// Works for myBB 1.1.x, 1.2.x, 1.4.x, 1.6.x
- return $hash === md5(md5($user_row['user_passwd_salt']) . md5($password));
+ return $this->helper->string_compare($hash, md5(md5($user_row['user_passwd_salt']) . md5($password)));
}
}
}
diff --git a/phpBB/phpbb/passwords/driver/md5_phpbb2.php b/phpBB/phpbb/passwords/driver/md5_phpbb2.php
index 86a4b62ea5..bd8cc51e5a 100644
--- a/phpBB/phpbb/passwords/driver/md5_phpbb2.php
+++ b/phpBB/phpbb/passwords/driver/md5_phpbb2.php
@@ -23,6 +23,9 @@ class md5_phpbb2 extends base
/** @var \phpbb\passwords\driver\salted_md5 */
protected $salted_md5;
+ /** @var \phpbb\passwords\driver\helper */
+ protected $helper;
+
/** @var string phpBB root path */
protected $phpbb_root_path;
@@ -34,13 +37,15 @@ class md5_phpbb2 extends base
*
* @param \phpbb\request\request $request phpBB request object
* @param \phpbb\passwords\driver\salted_md5 $salted_md5 Salted md5 driver
+ * @param \phpbb\passwords\driver\helper $helper Driver helper
* @param string $phpbb_root_path phpBB root path
* @param string $php_ext PHP file extension
*/
- public function __construct($request, \phpbb\passwords\driver\salted_md5 $salted_md5, $phpbb_root_path, $php_ext)
+ public function __construct($request, salted_md5 $salted_md5, helper $helper, $phpbb_root_path, $php_ext)
{
$this->request = $request;
$this->salted_md5 = $salted_md5;
+ $this->helper = $helper;
$this->phpbb_root_path = $phpbb_root_path;
$this->php_ext = $php_ext;
}
@@ -105,7 +110,7 @@ class md5_phpbb2 extends base
include($this->phpbb_root_path . 'includes/utf/data/recode_basic.' . $this->php_ext);
}
- if (md5($password_old_format) === $hash || md5(\utf8_to_cp1252($password_old_format)) === $hash
+ if ($this->helper->string_compare(md5($password_old_format), $hash) || $this->helper->string_compare(md5(\utf8_to_cp1252($password_old_format)), $hash)
|| $this->salted_md5->check(md5($password_old_format), $hash) === true
|| $this->salted_md5->check(md5(\utf8_to_cp1252($password_old_format)), $hash) === true)
{
diff --git a/phpBB/phpbb/passwords/driver/md5_vb.php b/phpBB/phpbb/passwords/driver/md5_vb.php
index c83c32a596..280b7114c7 100644
--- a/phpBB/phpbb/passwords/driver/md5_vb.php
+++ b/phpBB/phpbb/passwords/driver/md5_vb.php
@@ -54,7 +54,7 @@ class md5_vb extends base
else
{
// Works for vB 3.8.x, 4.x.x, 5.0.x
- return $hash === md5(md5($password) . $user_row['user_passwd_salt']);
+ return $this->helper->string_compare($hash, md5(md5($password) . $user_row['user_passwd_salt']));
}
}
}
diff --git a/phpBB/phpbb/passwords/driver/salted_md5.php b/phpBB/phpbb/passwords/driver/salted_md5.php
index 97a2b9154b..81ac010785 100644
--- a/phpBB/phpbb/passwords/driver/salted_md5.php
+++ b/phpBB/phpbb/passwords/driver/salted_md5.php
@@ -107,7 +107,7 @@ class salted_md5 extends base
return md5($password) === $hash;
}
- return $hash === $this->hash($password, $hash);
+ return $this->helper->string_compare($hash, $this->hash($password, $hash));
}
/**
diff --git a/phpBB/phpbb/passwords/driver/sha1.php b/phpBB/phpbb/passwords/driver/sha1.php
index 0852fd32fc..1abead42cd 100644
--- a/phpBB/phpbb/passwords/driver/sha1.php
+++ b/phpBB/phpbb/passwords/driver/sha1.php
@@ -47,6 +47,6 @@ class sha1 extends base
*/
public function check($password, $hash, $user_row = array())
{
- return (strlen($hash) == 40) ? $hash === sha1($password) : false;
+ return (strlen($hash) == 40) ? $this->helper->string_compare($hash, sha1($password)) : false;
}
}
diff --git a/phpBB/phpbb/passwords/driver/sha1_smf.php b/phpBB/phpbb/passwords/driver/sha1_smf.php
index ec64bd6afb..b30d87265e 100644
--- a/phpBB/phpbb/passwords/driver/sha1_smf.php
+++ b/phpBB/phpbb/passwords/driver/sha1_smf.php
@@ -46,6 +46,6 @@ class sha1_smf extends base
*/
public function check($password, $hash, $user_row = array())
{
- return (strlen($hash) == 40) ? $hash === $this->hash($password, $user_row) : false;
+ return (strlen($hash) == 40) ? $this->helper->string_compare($hash, $this->hash($password, $user_row)) : false;
}
}
diff --git a/phpBB/phpbb/passwords/driver/sha1_wcf1.php b/phpBB/phpbb/passwords/driver/sha1_wcf1.php
index 919fa2bb71..68006486c4 100644
--- a/phpBB/phpbb/passwords/driver/sha1_wcf1.php
+++ b/phpBB/phpbb/passwords/driver/sha1_wcf1.php
@@ -54,7 +54,7 @@ class sha1_wcf1 extends base
else
{
// Works for standard WCF 1.x, i.e. WBB3 and similar
- return $hash === sha1($user_row['user_passwd_salt'] . sha1($user_row['user_passwd_salt'] . sha1($password)));
+ return $this->helper->string_compare($hash, sha1($user_row['user_passwd_salt'] . sha1($user_row['user_passwd_salt'] . sha1($password))));
}
}
}
diff --git a/phpBB/phpbb/passwords/driver/sha_xf1.php b/phpBB/phpbb/passwords/driver/sha_xf1.php
index 7a1ea1450a..9d8f01796e 100644
--- a/phpBB/phpbb/passwords/driver/sha_xf1.php
+++ b/phpBB/phpbb/passwords/driver/sha_xf1.php
@@ -54,8 +54,8 @@ class sha_xf1 extends base
else
{
// Works for xenforo 1.0, 1.1
- if ($hash === sha1(sha1($password) . $user_row['user_passwd_salt'])
- || $hash === hash('sha256', hash('sha256', $password) . $user_row['user_passwd_salt']))
+ if ($this->helper->string_compare($hash, sha1(sha1($password) . $user_row['user_passwd_salt']))
+ || $this->helper->string_compare($hash, hash('sha256', hash('sha256', $password) . $user_row['user_passwd_salt'])))
{
return true;
}
diff --git a/tests/passwords/drivers_test.php b/tests/passwords/drivers_test.php
index ccfb05c40f..5f9fd523c9 100644
--- a/tests/passwords/drivers_test.php
+++ b/tests/passwords/drivers_test.php
@@ -35,7 +35,7 @@ class phpbb_passwords_helper_test extends \phpbb_test_case
'passwords.driver.md5_vb' => new \phpbb\passwords\driver\md5_vb($config, $this->driver_helper),
'passwords.driver.sha_xf1' => new \phpbb\passwords\driver\sha_xf1($config, $this->driver_helper),
);
- $this->passwords_drivers['passwords.driver.md5_phpbb2'] = new \phpbb\passwords\driver\md5_phpbb2($request, $this->passwords_drivers['passwords.driver.salted_md5'], $phpbb_root_path, $php_ext);
+ $this->passwords_drivers['passwords.driver.md5_phpbb2'] = new \phpbb\passwords\driver\md5_phpbb2($request, $this->passwords_drivers['passwords.driver.salted_md5'], $this->driver_helper, $phpbb_root_path, $php_ext);
$this->passwords_drivers['passwords.driver.bcrypt_wcf2'] = new \phpbb\passwords\driver\bcrypt_wcf2($this->passwords_drivers['passwords.driver.bcrypt'], $this->driver_helper);
}