diff options
| author | Nils Adermann <naderman@naderman.de> | 2014-06-11 14:27:57 +0200 |
|---|---|---|
| committer | Nils Adermann <naderman@naderman.de> | 2014-06-11 14:27:57 +0200 |
| commit | 694f8391c9d3a948159ea2564e6bf4c606eb4053 (patch) | |
| tree | a8aedc3999eb93513c7e6e8f1f83fbaa342feea5 /phpBB/phpbb/auth/provider/db.php | |
| parent | e1f371d14a0db43d4784bc047ad3929ec844697e (diff) | |
| parent | ac311e1b39f891ba3c137f6203981c491639bec3 (diff) | |
| download | forums-694f8391c9d3a948159ea2564e6bf4c606eb4053.tar forums-694f8391c9d3a948159ea2564e6bf4c606eb4053.tar.gz forums-694f8391c9d3a948159ea2564e6bf4c606eb4053.tar.bz2 forums-694f8391c9d3a948159ea2564e6bf4c606eb4053.tar.xz forums-694f8391c9d3a948159ea2564e6bf4c606eb4053.zip | |
Merge remote-tracking branch 'github-marc1706/ticket/12352' into develop-ascraeus
* github-marc1706/ticket/12352: (33 commits)
[ticket/12352] Do not check hashes that don't have the necessary length
[ticket/12352] Update file headers to fit new format
[ticket/12352] Use custom provider collection for auth providers
[ticket/12352] Add checks for existing user_pass_convert to migrations
[ticket/12352] Remove usages of user_pass_convert column
[ticket/12352] Update schema json file
[ticket/12352] Remove user_pass_convert column from database
[ticket/12352] Check each newly added passwords driver in manager_test
[ticket/12352] Add get_settings_only method to passwords driver base
[ticket/12352] Add passwords driver for xenforo 1.0, 1.1 passwords
[ticket/12352] Add tests for wcf1 and wcf2 drivers
[ticket/12352] Add driver for woltlab community framework 1 passwords
[ticket/12352] Add driver for woltlab community framework 2 passwords
[ticket/12352] Add missing $ to md5_mybb and md5_vb driver
[ticket/12352] Fix spacing in passwords tests
[ticket/12352] Add passwords driver for vB passwords
[ticket/12352] Use correct hashing method in md5_mybb driver
[ticket/12352] Add driver for myBB md5 passwords
[ticket/12352] Rename phpbb2_md5 driver to fit filenames of other drivers
[ticket/12352] Add passwords driver for sha1 password hashes
...
Diffstat (limited to 'phpBB/phpbb/auth/provider/db.php')
| -rw-r--r-- | phpBB/phpbb/auth/provider/db.php | 71 |
1 files changed, 3 insertions, 68 deletions
diff --git a/phpBB/phpbb/auth/provider/db.php b/phpBB/phpbb/auth/provider/db.php index 3be1d3873f..142a47247f 100644 --- a/phpBB/phpbb/auth/provider/db.php +++ b/phpBB/phpbb/auth/provider/db.php @@ -78,7 +78,7 @@ class db extends \phpbb\auth\provider\base $username_clean = utf8_clean_string($username); - $sql = 'SELECT user_id, username, user_password, user_passchg, user_pass_convert, user_email, user_type, user_login_attempts + $sql = 'SELECT user_id, username, user_password, user_passchg, user_email, user_type, user_login_attempts FROM ' . USERS_TABLE . " WHERE username_clean = '" . $this->db->sql_escape($username_clean) . "'"; $result = $this->db->sql_query($sql); @@ -170,72 +170,8 @@ class db extends \phpbb\auth\provider\base } - // If the password convert flag is set we need to convert it - if ($row['user_pass_convert']) - { - // enable super globals to get literal value - // this is needed to prevent unicode normalization - $super_globals_disabled = $this->request->super_globals_disabled(); - if ($super_globals_disabled) - { - $this->request->enable_super_globals(); - } - - // in phpBB2 passwords were used exactly as they were sent, with addslashes applied - $password_old_format = isset($_REQUEST['password']) ? (string) $_REQUEST['password'] : ''; - $password_old_format = (!STRIP) ? addslashes($password_old_format) : $password_old_format; - $password_new_format = $this->request->variable('password', '', true); - - if ($super_globals_disabled) - { - $this->request->disable_super_globals(); - } - - if ($password == $password_new_format) - { - if (!function_exists('utf8_to_cp1252')) - { - include($this->phpbb_root_path . 'includes/utf/data/recode_basic.' . $this->php_ext); - } - - // cp1252 is phpBB2's default encoding, characters outside ASCII range might work when converted into that encoding - // plain md5 support left in for conversions from other systems. - if ((strlen($row['user_password']) == 34 && ($this->passwords_manager->check(md5($password_old_format), $row['user_password']) || $this->passwords_manager->check(md5(utf8_to_cp1252($password_old_format)), $row['user_password']))) - || (strlen($row['user_password']) == 32 && (md5($password_old_format) == $row['user_password'] || md5(utf8_to_cp1252($password_old_format)) == $row['user_password']))) - { - $hash = $this->passwords_manager->hash($password_new_format); - - // Update the password in the users table to the new format and remove user_pass_convert flag - $sql = 'UPDATE ' . USERS_TABLE . ' - SET user_password = \'' . $this->db->sql_escape($hash) . '\', - user_pass_convert = 0 - WHERE user_id = ' . $row['user_id']; - $this->db->sql_query($sql); - - $row['user_pass_convert'] = 0; - $row['user_password'] = $hash; - } - else - { - // Although we weren't able to convert this password we have to - // increase login attempt count to make sure this cannot be exploited - $sql = 'UPDATE ' . USERS_TABLE . ' - SET user_login_attempts = user_login_attempts + 1 - WHERE user_id = ' . (int) $row['user_id'] . ' - AND user_login_attempts < ' . LOGIN_ATTEMPTS_MAX; - $this->db->sql_query($sql); - - return array( - 'status' => LOGIN_ERROR_PASSWORD_CONVERT, - 'error_msg' => 'LOGIN_ERROR_PASSWORD_CONVERT', - 'user_row' => $row, - ); - } - } - } - // Check password ... - if (!$row['user_pass_convert'] && $this->passwords_manager->check($password, $row['user_password'])) + if ($this->passwords_manager->check($password, $row['user_password'])) { // Check for old password hash... if ($this->passwords_manager->convert_flag || strlen($row['user_password']) == 32) @@ -244,8 +180,7 @@ class db extends \phpbb\auth\provider\base // Update the password in the users table to the new format $sql = 'UPDATE ' . USERS_TABLE . " - SET user_password = '" . $this->db->sql_escape($hash) . "', - user_pass_convert = 0 + SET user_password = '" . $this->db->sql_escape($hash) . "' WHERE user_id = {$row['user_id']}"; $this->db->sql_query($sql); |