aboutsummaryrefslogtreecommitdiffstats
path: root/phpBB/phpbb/passwords/manager.php
diff options
context:
space:
mode:
authorNils Adermann <naderman@naderman.de>2014-06-11 14:28:06 +0200
committerNils Adermann <naderman@naderman.de>2014-06-11 14:28:06 +0200
commit86b5a815abb851a9c2fc9dc93a52de3fc641c699 (patch)
tree4f3a59ec63c976f75eb3212e34832ba16fd864b7 /phpBB/phpbb/passwords/manager.php
parentee39a456647c2c7de4232b093024198f045b6ed2 (diff)
parent694f8391c9d3a948159ea2564e6bf4c606eb4053 (diff)
downloadforums-86b5a815abb851a9c2fc9dc93a52de3fc641c699.tar
forums-86b5a815abb851a9c2fc9dc93a52de3fc641c699.tar.gz
forums-86b5a815abb851a9c2fc9dc93a52de3fc641c699.tar.bz2
forums-86b5a815abb851a9c2fc9dc93a52de3fc641c699.tar.xz
forums-86b5a815abb851a9c2fc9dc93a52de3fc641c699.zip
Merge branch 'develop-ascraeus' into develop
* develop-ascraeus: (33 commits) [ticket/12352] Do not check hashes that don't have the necessary length [ticket/12352] Update file headers to fit new format [ticket/12352] Use custom provider collection for auth providers [ticket/12352] Add checks for existing user_pass_convert to migrations [ticket/12352] Remove usages of user_pass_convert column [ticket/12352] Update schema json file [ticket/12352] Remove user_pass_convert column from database [ticket/12352] Check each newly added passwords driver in manager_test [ticket/12352] Add get_settings_only method to passwords driver base [ticket/12352] Add passwords driver for xenforo 1.0, 1.1 passwords [ticket/12352] Add tests for wcf1 and wcf2 drivers [ticket/12352] Add driver for woltlab community framework 1 passwords [ticket/12352] Add driver for woltlab community framework 2 passwords [ticket/12352] Add missing $ to md5_mybb and md5_vb driver [ticket/12352] Fix spacing in passwords tests [ticket/12352] Add passwords driver for vB passwords [ticket/12352] Use correct hashing method in md5_mybb driver [ticket/12352] Add driver for myBB md5 passwords [ticket/12352] Rename phpbb2_md5 driver to fit filenames of other drivers [ticket/12352] Add passwords driver for sha1 password hashes ...
Diffstat (limited to 'phpBB/phpbb/passwords/manager.php')
-rw-r--r--phpBB/phpbb/passwords/manager.php30
1 files changed, 27 insertions, 3 deletions
diff --git a/phpBB/phpbb/passwords/manager.php b/phpBB/phpbb/passwords/manager.php
index 8b16cf55dd..0a349c4a14 100644
--- a/phpBB/phpbb/passwords/manager.php
+++ b/phpBB/phpbb/passwords/manager.php
@@ -141,7 +141,7 @@ class manager
*/
if (!preg_match('#^\$([a-zA-Z0-9\\\]*?)\$#', $hash, $match))
{
- return $this->get_algorithm('$H$');
+ return false;
}
// Be on the lookout for multiple hashing algorithms
@@ -224,9 +224,10 @@ class manager
*
* @param string $password Password that should be checked
* @param string $hash Stored hash
+ * @param array $user_row User's row in users table
* @return string|bool True if password is correct, false if not
*/
- public function check($password, $hash)
+ public function check($password, $hash, $user_row = array())
{
if (strlen($password) > 4096)
{
@@ -235,11 +236,19 @@ class manager
return false;
}
+ // Empty hashes can't be checked
+ if (empty($hash))
+ {
+ return false;
+ }
+
// First find out what kind of hash we're dealing with
$stored_hash_type = $this->detect_algorithm($hash);
if ($stored_hash_type == false)
{
- return false;
+ // Still check MD5 hashes as that is what the installer
+ // will default to for the admin user
+ return $this->get_algorithm('$H$')->check($password, $hash);
}
// Multiple hash passes needed
@@ -259,6 +268,21 @@ class manager
$this->convert_flag = false;
}
+ // Check all legacy hash types if prefix is $CP$
+ if ($stored_hash_type->get_prefix() === '$CP$')
+ {
+ // Remove $CP$ prefix for proper checking
+ $hash = substr($hash, 4);
+
+ foreach ($this->type_map as $algorithm)
+ {
+ if ($algorithm->is_legacy() && $algorithm->check($password, $hash, $user_row) === true)
+ {
+ return true;
+ }
+ }
+ }
+
return $stored_hash_type->check($password, $hash);
}
generated by cgit v1.2.1 (git 2.21.0) at 2026-02-07 11:25:13 +0000