aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorMarc Alexander <admin@m-a-styles.de>2014-05-26 13:26:46 +0200
committerMarc Alexander <admin@m-a-styles.de>2014-06-01 21:31:04 +0200
commit60cb648ab0bd3cba627f9f1c020ace613e18f3d5 (patch)
treeebf8d60185e190006435f0fa5969d3572fb41a1c
parentf78b99dce4057dcb9125af940cb3ca369b2cce48 (diff)
downloadforums-60cb648ab0bd3cba627f9f1c020ace613e18f3d5.tar
forums-60cb648ab0bd3cba627f9f1c020ace613e18f3d5.tar.gz
forums-60cb648ab0bd3cba627f9f1c020ace613e18f3d5.tar.bz2
forums-60cb648ab0bd3cba627f9f1c020ace613e18f3d5.tar.xz
forums-60cb648ab0bd3cba627f9f1c020ace613e18f3d5.zip
[ticket/12352] Remove code for converting passwords in db auth provider
PHPBB3-12352
-rw-r--r--phpBB/phpbb/auth/provider/db.php67
-rw-r--r--phpBB/phpbb/passwords/manager.php4
2 files changed, 3 insertions, 68 deletions
diff --git a/phpBB/phpbb/auth/provider/db.php b/phpBB/phpbb/auth/provider/db.php
index d5a6b0452a..7307a697ae 100644
--- a/phpBB/phpbb/auth/provider/db.php
+++ b/phpBB/phpbb/auth/provider/db.php
@@ -170,73 +170,8 @@ class db extends \phpbb\auth\provider\base
}
- // If the password convert flag is set we need to convert it
- if ($row['user_pass_convert'])
- {
- // enable super globals to get literal value
- // this is needed to prevent unicode normalization
- $super_globals_disabled = $this->request->super_globals_disabled();
- if ($super_globals_disabled)
- {
- $this->request->enable_super_globals();
- }
-
- // in phpBB2 passwords were used exactly as they were sent, with addslashes applied
- $password_old_format = isset($_REQUEST['password']) ? (string) $_REQUEST['password'] : '';
- $password_old_format = (!STRIP) ? addslashes($password_old_format) : $password_old_format;
- $password_new_format = $this->request->variable('password', '', true);
-
- if ($super_globals_disabled)
- {
- $this->request->disable_super_globals();
- }
-
- if ($password == $password_new_format)
- {
- if (!function_exists('utf8_to_cp1252'))
- {
- include($this->phpbb_root_path . 'includes/utf/data/recode_basic.' . $this->php_ext);
- }
-
- // cp1252 is phpBB2's default encoding, characters outside ASCII range might work when converted into that encoding
- // plain md5 support left in for conversions from other systems.
- if ((strlen($row['user_password']) == 34 && ($this->passwords_manager->check(md5($password_old_format), $row['user_password']) || $this->passwords_manager->check(md5(utf8_to_cp1252($password_old_format)), $row['user_password'])))
- || (strlen($row['user_password']) == 32 && (md5($password_old_format) == $row['user_password'] || md5(utf8_to_cp1252($password_old_format)) == $row['user_password']))
- || ($this->passwords_manager->check($password_old_format, $row['user_password']) || $this->passwords_manager->check($password_new_format, $row['user_password'])))
- {
- $hash = $this->passwords_manager->hash($password_new_format);
-
- // Update the password in the users table to the new format and remove user_pass_convert flag
- $sql = 'UPDATE ' . USERS_TABLE . '
- SET user_password = \'' . $this->db->sql_escape($hash) . '\',
- user_pass_convert = 0
- WHERE user_id = ' . $row['user_id'];
- $this->db->sql_query($sql);
-
- $row['user_pass_convert'] = 0;
- $row['user_password'] = $hash;
- }
- else
- {
- // Although we weren't able to convert this password we have to
- // increase login attempt count to make sure this cannot be exploited
- $sql = 'UPDATE ' . USERS_TABLE . '
- SET user_login_attempts = user_login_attempts + 1
- WHERE user_id = ' . (int) $row['user_id'] . '
- AND user_login_attempts < ' . LOGIN_ATTEMPTS_MAX;
- $this->db->sql_query($sql);
-
- return array(
- 'status' => LOGIN_ERROR_PASSWORD_CONVERT,
- 'error_msg' => 'LOGIN_ERROR_PASSWORD_CONVERT',
- 'user_row' => $row,
- );
- }
- }
- }
-
// Check password ...
- if (!$row['user_pass_convert'] && $this->passwords_manager->check($password, $row['user_password']))
+ if ($this->passwords_manager->check($password, $row['user_password']))
{
// Check for old password hash...
if ($this->passwords_manager->convert_flag || strlen($row['user_password']) == 32)
diff --git a/phpBB/phpbb/passwords/manager.php b/phpBB/phpbb/passwords/manager.php
index 7d46424e4d..0a349c4a14 100644
--- a/phpBB/phpbb/passwords/manager.php
+++ b/phpBB/phpbb/passwords/manager.php
@@ -268,10 +268,10 @@ class manager
$this->convert_flag = false;
}
+ // Check all legacy hash types if prefix is $CP$
if ($stored_hash_type->get_prefix() === '$CP$')
{
- // Check all legacy hash types for this hash. Remove
- // $CP$ prefix from beginning for proper checking.
+ // Remove $CP$ prefix for proper checking
$hash = substr($hash, 4);
foreach ($this->type_map as $algorithm)