Diffstat (limited to 'phpBB/phpbb/passwords/manager.php')
-rw-r--r-- | phpBB/phpbb/passwords/manager.php | 97 |
1 files changed, 78 insertions, 19 deletions
diff --git a/phpBB/phpbb/passwords/manager.php b/phpBB/phpbb/passwords/manager.php index 0ac6b05ec4..b2caba81f2 100644 --- a/phpBB/phpbb/passwords/manager.php +++ b/phpBB/phpbb/passwords/manager.php @@ -1,17 +1,18 @@ <?php /** * -* @package phpBB3 -* @copyright (c) 2013 phpBB Group -* @license http://opensource.org/licenses/gpl-2.0.php GNU General Public License v2 +* This file is part of the phpBB Forum Software package. +* +* @copyright (c) phpBB Limited <https://www.phpbb.com> +* @license GNU General Public License, version 2 (GPL-2.0) +* +* For full copyright and license information, please see +* the docs/CREDITS.txt file. * */ namespace phpbb\passwords; -/** -* @package passwords -*/ class manager { /** 
@@ -38,32 +39,58 @@ class manager /** * Passwords helper - * @var phpbb\passwords\helper + * @var \phpbb\passwords\helper */ protected $helper; /** * phpBB configuration - * @var phpbb\config\config + * @var \phpbb\config\config */ protected $config; /** + * @var bool Whether or not initialized() has been called + */ + private $initialized = false; + + /** + * @var array Hashing driver service collection + */ + private $hashing_algorithms; + + /** + * @var array List of default driver types + */ + private $defaults; + + /** * Construct a passwords object * - * @param phpbb\config\config $config phpBB configuration - * @param array $hashing_algorithms Hashing driver - * service collection - * @param phpbb\passwords\helper $helper Passwords helper object - * @param string $defaults List of default driver types + * @param \phpbb\config\config $config phpBB configuration + * @param array $hashing_algorithms Hashing driver service collection + * @param \phpbb\passwords\helper $helper Passwords helper object + * @param array $defaults List of default driver types */ public function __construct(\phpbb\config\config $config, $hashing_algorithms, helper $helper, $defaults) { $this->config = $config; $this->helper = $helper; + $this->hashing_algorithms = $hashing_algorithms; + $this->defaults = $defaults; + } - $this->fill_type_map($hashing_algorithms); - $this->register_default_type($defaults); + /** + * Initialize the internal state + */ + protected function initialize() + { + if (!$this->initialized) + { + $this->initialized = true; + $this->fill_type_map($this->hashing_algorithms); + $this->register_default_type($this->defaults); + } } /** @@ -88,7 +115,7 @@ class manager /** * Fill algorithm type map * - * @param phpbb\di\service_collection $hashing_algorithms + * @param \phpbb\di\service_collection $hashing_algorithms */ protected function fill_type_map($hashing_algorithms) { 
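Review bot: In `initialize()`, `$this->initialized = true;` is assigned before `fill_type_map()` and `register_default_type()` run, so if either call throws, every later call skips initialisation and the manager keeps working with a partly built or empty type map. Unless the early assignment is meant to guard against re-entry (nothing in the hunk suggests it), moving it after the two calls lets a failed start be retried instead of silently degrading password checks. The property docblock also refers to `initialized()`, while the method is named `initialize()`. The rest of class `manager` lies outside this hunk.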
@@ -140,9 +167,11 @@ class manager */ if (!preg_match('#^\$([a-zA-Z0-9\\\]*?)\$#', $hash, $match)) { - return $this->get_algorithm('$H$'); + return false; } + $this->initialize(); + // Be on the lookout for multiple hashing algorithms // 2 is correct: H\2a > 2, H\P > 2 if (strlen($match[1]) > 2) @@ -191,6 +220,8 @@ class manager return false; } + $this->initialize(); + // Try to retrieve algorithm by service name if type doesn't // start with dollar sign if (!is_array($type) && strpos($type, '$') !== 0 && isset($this->algorithms[$type])) @@ -223,9 +254,10 @@ class manager * * @param string $password Password that should be checked * @param string $hash Stored hash + * @param array $user_row User's row in users table * @return string|bool True if password is correct, false if not */ - public function check($password, $hash) + public function check($password, $hash, $user_row = array()) { if (strlen($password) > 4096) { @@ -234,11 +266,21 @@ class manager return false; } + // Empty hashes can't be checked + if (empty($hash)) + { + return false; + } + + $this->initialize(); + // First find out what kind of hash we're dealing with $stored_hash_type = $this->detect_algorithm($hash); if ($stored_hash_type == false) { - return false; + // Still check MD5 hashes as that is what the installer + // will default to for the admin user + return $this->get_algorithm('$H$')->check($password, $hash); } // Multiple hash passes needed @@ -258,6 +300,21 @@ class manager $this->convert_flag = false; } + // Check all legacy hash types if prefix is $CP$ + if ($stored_hash_type->get_prefix() === '$CP$') + { + // Remove $CP$ prefix for proper checking + $hash = substr($hash, 4); + + foreach ($this->type_map as $algorithm) + { + if ($algorithm->is_legacy() && $algorithm->check($password, $hash, $user_row) === true) + { + return true; + } + } + } + return $stored_hash_type->check($password, $hash); } 
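Review bot: The new fallback `return $this->get_algorithm('$H$')->check($password, $hash);` in `check()` returns before the `convert_flag` assignment whose tail shows at the top of the following hunk, so a password verified against an unprefixed MD5 hash apparently leaves the flag at whatever an earlier call set. If callers use that flag to decide on re-hashing (not visible in this diff), the weakest stored format is the one that never gets marked for upgrade; capturing the result and setting `$this->convert_flag = ($result === true);` before `return $result;` would cover it. The chained call also assumes `get_algorithm('$H$')` always yields a driver object; its body is outside the hunk, so a guard for a non-object return is worth confirming. `check()` continues past this hunk.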
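Review bot: When no legacy driver matches inside the `$CP$` branch, execution falls through to `return $stored_hash_type->check($password, $hash);` with `$hash` already stripped by `substr($hash, 4)` and without `$user_row`, so the outcome depends on how the `$CP$` driver treats a prefix-less hash. An explicit `return false;` after the `foreach`, still inside the `if`, would make the failure path closed by construction, assuming the `$CP$` driver is not meant to verify anything itself (its code is not in this diff). Since `$user_row` defaults to `array()`, a comment such as `// Legacy drivers must treat a missing $user_row field as a mismatch` would document the expectation for callers that have not been updated. Using `strlen($stored_hash_type->get_prefix())` in place of the literal `4` would keep the strip length tied to the prefix.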
@@ -272,6 +329,8 @@ class manager */ public function combined_hash_password($password_hash, $type) { + $this->initialize(); + $data = array( 'prefix' => '$', 'settings' => '$', |