author | Marc Alexander <admin@m-a-styles.de> | 2014-05-01 14:21:24 +0200 |
---|---|---|
committer | Marc Alexander <admin@m-a-styles.de> | 2014-06-01 21:31:04 +0200 |
commit | ee72e7b3ad31d60fa1189c6d852f2134ab37f7f2 (patch) | |
tree | 8cb56984ad7197d0a380432c890abe4f002047d3 | |
parent | 2ea45a06e724dfe9c3248fbb659d86558b55265e (diff) | |
[ticket/12352] Introduce user row to passwords check methods
This will ensure that legacy hash types that might need the user row can
properly check if the supplied password is correct.
PHPBB3-12352
-rw-r--r-- | phpBB/phpbb/passwords/driver/bcrypt.php | 2 | ||||
-rw-r--r-- | phpBB/phpbb/passwords/driver/driver_interface.php | 3 | ||||
-rw-r--r-- | phpBB/phpbb/passwords/driver/salted_md5.php | 2 | ||||
-rw-r--r-- | phpBB/phpbb/passwords/manager.php | 22 |
4 files changed, 24 insertions, 5 deletions
diff --git a/phpBB/phpbb/passwords/driver/bcrypt.php b/phpBB/phpbb/passwords/driver/bcrypt.php
index 3edf7255c0..de5840c7cf 100644
--- a/phpBB/phpbb/passwords/driver/bcrypt.php
+++ b/phpBB/phpbb/passwords/driver/bcrypt.php
@@ -60,7 +60,7 @@ class bcrypt extends base
 /**
 * @inheritdoc
 */
- public function check($password, $hash)
+ public function check($password, $hash, $user_row = array())
 {
 $salt = substr($hash, 0, 29);
 if (strlen($salt) != 29)
diff --git a/phpBB/phpbb/passwords/driver/driver_interface.php b/phpBB/phpbb/passwords/driver/driver_interface.php
index d38681b75f..a257e71f23 100644
--- a/phpBB/phpbb/passwords/driver/driver_interface.php
+++ b/phpBB/phpbb/passwords/driver/driver_interface.php
@@ -51,10 +51,11 @@ interface driver_interface
 *
 * @param string $password The password to check
 * @param string $hash The password hash to check against
+ * @param string $user_row User's row in users table
 *
 * @return bool True if password is correct, else false
 */
- public function check($password, $hash);
+ public function check($password, $hash, $user_row = array());
 /**
 * Get only the settings of the specified hash
diff --git a/phpBB/phpbb/passwords/driver/salted_md5.php b/phpBB/phpbb/passwords/driver/salted_md5.php
index a9f6712751..22e2557518 100644
--- a/phpBB/phpbb/passwords/driver/salted_md5.php
+++ b/phpBB/phpbb/passwords/driver/salted_md5.php
@@ -92,7 +92,7 @@ class salted_md5 extends base
 /**
 * @inheritdoc
 */
- public function check($password, $hash)
+ public function check($password, $hash, $user_row = array())
 {
 if (strlen($hash) !== 34)
 {
diff --git a/phpBB/phpbb/passwords/manager.php b/phpBB/phpbb/passwords/manager.php
index 8b16cf55dd..66ca335d45 100644
--- a/phpBB/phpbb/passwords/manager.php
+++ b/phpBB/phpbb/passwords/manager.php
@@ -141,7 +141,7 @@ class manager
 */
 if (!preg_match('#^\$([a-zA-Z0-9\\\]*?)\$#', $hash, $match))
 {
- return $this->get_algorithm('$H$');
+ return false;
 }
 // Be on the lookout for multiple hashing algorithms
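Review bot: The new docblock line in driver_interface.php declares `$user_row` as `string`, but the parameter defaults to `array()` and the docblock added to manager::check() in this same commit types it as `array`. The line should read `* @param array $user_row User's row in users table`. The bcrypt and salted_md5 hunks accept the parameter without using it in the visible lines, so the interface doc could also say that drivers which do not need the row ignore it, and that a driver which does need it must return false when the required fields are missing rather than checking against an empty value.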
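Review bot: Returning `false` in the first manager.php hunk changes the contract of the enclosing detection method for every caller, not only check(): a stored hash without a `$...$` prefix used to resolve to the `$H$` driver and now yields `false`. The method's docblock and any other callers lie outside this hunk, so confirm each of them tests for `false` before calling a method on the result. The return description should be updated to something like `@return object|bool The hash type object, or false if the hash has no recognisable prefix`.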
@@ -224,9 +224,10 @@ class manager
 *
 * @param string $password Password that should be checked
 * @param string $hash Stored hash
+ * @param array $user_row User's row in users table
 * @return string|bool True if password is correct, false if not
 */
- public function check($password, $hash)
+ public function check($password, $hash, $user_row = array())
 {
 if (strlen($password) > 4096)
 {
@@ -235,10 +236,27 @@ class manager
 return false;
 }
+ // Empty hashes can't be checked
+ if (empty($hash))
+ {
+ return false;
+ }
+
 // First find out what kind of hash we're dealing with
 $stored_hash_type = $this->detect_algorithm($hash);
 if ($stored_hash_type == false)
 {
+ // Might be a legacy hash type. Check all legacy
+ // hash types and set convert flag to true if password
+ // is correct
+ foreach ($this->type_map as $algorithm)
+ {
+ if ($algorithm->is_legacy() && $algorithm->check($password, $hash, $user_row) === true)
+ {
+ $this->convert_flag = true;
+ return true;
+ }
+ }
 return false;
 }
 |
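Review bot: The legacy fallback in the last hunk sets `$this->convert_flag = true` on a match, but none of the visible `return false` paths (over-long password, empty hash, no legacy match) reset it, so a manager instance reused for a later check could still report a stale flag. The rest of check() is outside the hunk and may already handle this; if not, `$this->convert_flag = false;` as the first statement of check() would make the flag independent of call order. Because a legacy match means the stored value uses a weaker scheme, the comment above the loop should also state that callers are expected to rehash when the flag is set, for example `// Caller must rehash and store the password when convert_flag is true`. The loop calls `is_legacy()` on every entry of `type_map`, which assumes every registered driver declares that method; its declaration is not part of this diff. The loose `$stored_hash_type == false` could be `=== false` now that the detection method returns a literal `false`.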