aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorMarc Alexander <admin@m-a-styles.de>2014-05-01 14:21:24 +0200
committerMarc Alexander <admin@m-a-styles.de>2014-06-01 21:31:04 +0200
commitee72e7b3ad31d60fa1189c6d852f2134ab37f7f2 (patch)
tree8cb56984ad7197d0a380432c890abe4f002047d3
parent2ea45a06e724dfe9c3248fbb659d86558b55265e (diff)
downloadforums-ee72e7b3ad31d60fa1189c6d852f2134ab37f7f2.tar
forums-ee72e7b3ad31d60fa1189c6d852f2134ab37f7f2.tar.gz
forums-ee72e7b3ad31d60fa1189c6d852f2134ab37f7f2.tar.bz2
forums-ee72e7b3ad31d60fa1189c6d852f2134ab37f7f2.tar.xz
forums-ee72e7b3ad31d60fa1189c6d852f2134ab37f7f2.zip
[ticket/12352] Introduce user row to passwords check methods
This will ensure that legacy hash types that might need the user row can properly check if the supplied password is correct. PHPBB3-12352
-rw-r--r--phpBB/phpbb/passwords/driver/bcrypt.php2
-rw-r--r--phpBB/phpbb/passwords/driver/driver_interface.php3
-rw-r--r--phpBB/phpbb/passwords/driver/salted_md5.php2
-rw-r--r--phpBB/phpbb/passwords/manager.php22
4 files changed, 24 insertions, 5 deletions
diff --git a/phpBB/phpbb/passwords/driver/bcrypt.php b/phpBB/phpbb/passwords/driver/bcrypt.php
index 3edf7255c0..de5840c7cf 100644
--- a/phpBB/phpbb/passwords/driver/bcrypt.php
+++ b/phpBB/phpbb/passwords/driver/bcrypt.php
@@ -60,7 +60,7 @@ class bcrypt extends base
/**
* @inheritdoc
*/
- public function check($password, $hash)
+ public function check($password, $hash, $user_row = array())
{
$salt = substr($hash, 0, 29);
if (strlen($salt) != 29)
diff --git a/phpBB/phpbb/passwords/driver/driver_interface.php b/phpBB/phpbb/passwords/driver/driver_interface.php
index d38681b75f..a257e71f23 100644
--- a/phpBB/phpbb/passwords/driver/driver_interface.php
+++ b/phpBB/phpbb/passwords/driver/driver_interface.php
@@ -51,10 +51,11 @@ interface driver_interface
*
* @param string $password The password to check
* @param string $hash The password hash to check against
+ * @param string $user_row User's row in users table
*
* @return bool True if password is correct, else false
*/
- public function check($password, $hash);
+ public function check($password, $hash, $user_row = array());
/**
* Get only the settings of the specified hash
diff --git a/phpBB/phpbb/passwords/driver/salted_md5.php b/phpBB/phpbb/passwords/driver/salted_md5.php
index a9f6712751..22e2557518 100644
--- a/phpBB/phpbb/passwords/driver/salted_md5.php
+++ b/phpBB/phpbb/passwords/driver/salted_md5.php
@@ -92,7 +92,7 @@ class salted_md5 extends base
/**
* @inheritdoc
*/
- public function check($password, $hash)
+ public function check($password, $hash, $user_row = array())
{
if (strlen($hash) !== 34)
{
diff --git a/phpBB/phpbb/passwords/manager.php b/phpBB/phpbb/passwords/manager.php
index 8b16cf55dd..66ca335d45 100644
--- a/phpBB/phpbb/passwords/manager.php
+++ b/phpBB/phpbb/passwords/manager.php
@@ -141,7 +141,7 @@ class manager
*/
if (!preg_match('#^\$([a-zA-Z0-9\\\]*?)\$#', $hash, $match))
{
- return $this->get_algorithm('$H$');
+ return false;
}
// Be on the lookout for multiple hashing algorithms
@@ -224,9 +224,10 @@ class manager
*
* @param string $password Password that should be checked
* @param string $hash Stored hash
+ * @param array $user_row User's row in users table
* @return string|bool True if password is correct, false if not
*/
- public function check($password, $hash)
+ public function check($password, $hash, $user_row = array())
{
if (strlen($password) > 4096)
{
@@ -235,10 +236,27 @@ class manager
return false;
}
+ // Empty hashes can't be checked
+ if (empty($hash))
+ {
+ return false;
+ }
+
// First find out what kind of hash we're dealing with
$stored_hash_type = $this->detect_algorithm($hash);
if ($stored_hash_type == false)
{
+ // Might be a legacy hash type. Check all legacy
+ // hash types and set convert flag to true if password
+ // is correct
+ foreach ($this->type_map as $algorithm)
+ {
+ if ($algorithm->is_legacy() && $algorithm->check($password, $hash, $user_row) === true)
+ {
+ $this->convert_flag = true;
+ return true;
+ }
+ }
return false;
}