From ee72e7b3ad31d60fa1189c6d852f2134ab37f7f2 Mon Sep 17 00:00:00 2001
From: Marc Alexander
Date: Thu, 1 May 2014 14:21:24 +0200
Subject: [ticket/12352] Introduce user row to passwords check methods

This will ensure that legacy hash types that might need the user row can properly check if the supplied password is correct.

PHPBB3-12352
---
 phpBB/phpbb/passwords/manager.php | 22 ++++++++++++++++++++--
 1 file changed, 20 insertions(+), 2 deletions(-)

(limited to 'phpBB/phpbb/passwords/manager.php')

diff --git a/phpBB/phpbb/passwords/manager.php b/phpBB/phpbb/passwords/manager.php
index 8b16cf55dd..66ca335d45 100644
--- a/phpBB/phpbb/passwords/manager.php
+++ b/phpBB/phpbb/passwords/manager.php
@@ -141,7 +141,7 @@ class manager
 */
 if (!preg_match('#^\$([a-zA-Z0-9\\\]*?)\$#', $hash, $match))
 {
- return $this->get_algorithm('$H$');
+ return false;
 }
 
 // Be on the lookout for multiple hashing algorithms
@@ -224,9 +224,10 @@ class manager
 *
 * @param string $password Password that should be checked
 * @param string $hash Stored hash
+ * @param array $user_row User's row in users table
 * @return string|bool True if password is correct, false if not
 */
- public function check($password, $hash)
+ public function check($password, $hash, $user_row = array())
 {
 if (strlen($password) > 4096)
 {
@@ -235,10 +236,27 @@ class manager
 return false;
 }
 
+ // Empty hashes can't be checked
+ if (empty($hash))
+ {
+ return false;
+ }
+
 // First find out what kind of hash we're dealing with
 $stored_hash_type = $this->detect_algorithm($hash);
 if ($stored_hash_type == false)
 {
+ // Might be a legacy hash type. Check all legacy
+ // hash types and set convert flag to true if password
+ // is correct
+ foreach ($this->type_map as $algorithm)
+ {
+ if ($algorithm->is_legacy() && $algorithm->check($password, $hash, $user_row) === true)
+ {
+ $this->convert_flag = true;
+ return true;
+ }
+ }
 return false;
 }
 
-- cgit v1.2.1

From 2a96b9e285bfadee830fd57e770a210d72cd7610 Mon Sep 17 00:00:00 2001
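Review bot: In the third hunk of the first commit (`@@ -235,10 +236,27 @@`), the legacy fallback in `check()` returns true as soon as any driver with `is_legacy()` accepts the password, so a stored hash with no recognised prefix is verified only as strictly as the most permissive legacy driver in `$this->type_map`, and a password of up to 4096 bytes is hashed once per legacy driver on every failed attempt. I would document that contract above the loop, e.g. `// Security: first match wins; every legacy driver must reject hashes that are not in its own format`. The surrounding test could also be tightened to `if ($stored_hash_type === false)`, so that only an explicit `false` from `detect_algorithm()` reaches this branch. The body of `check()` starts and ends outside the hunk.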
From: Marc Alexander
Date: Sun, 11 May 2014 22:25:44 +0200
Subject: [ticket/12352] Use $CP$ prefix for converting passwords in manager

PHPBB3-12352
---
 phpBB/phpbb/passwords/manager.php | 30 ++++++++++++++++++------------
 1 file changed, 18 insertions(+), 12 deletions(-)

(limited to 'phpBB/phpbb/passwords/manager.php')

diff --git a/phpBB/phpbb/passwords/manager.php b/phpBB/phpbb/passwords/manager.php
index 66ca335d45..7d46424e4d 100644
--- a/phpBB/phpbb/passwords/manager.php
+++ b/phpBB/phpbb/passwords/manager.php
@@ -246,18 +246,9 @@ class manager
 $stored_hash_type = $this->detect_algorithm($hash);
 if ($stored_hash_type == false)
 {
- // Might be a legacy hash type. Check all legacy
- // hash types and set convert flag to true if password
- // is correct
- foreach ($this->type_map as $algorithm)
- {
- if ($algorithm->is_legacy() && $algorithm->check($password, $hash, $user_row) === true)
- {
- $this->convert_flag = true;
- return true;
- }
- }
- return false;
+ // Still check MD5 hashes as that is what the installer
+ // will default to for the admin user
+ return $this->get_algorithm('$H$')->check($password, $hash);
 }
 
 // Multiple hash passes needed
@@ -277,6 +268,21 @@ class manager
 $this->convert_flag = false;
 }
 
+ if ($stored_hash_type->get_prefix() === '$CP$')
+ {
+ // Check all legacy hash types for this hash. Remove
+ // $CP$ prefix from beginning for proper checking.
+ $hash = substr($hash, 4);
+
+ foreach ($this->type_map as $algorithm)
+ {
+ if ($algorithm->is_legacy() && $algorithm->check($password, $hash, $user_row) === true)
+ {
+ return true;
+ }
+ }
+ }
+
 return $stored_hash_type->check($password, $hash);
 }
 
-- cgit v1.2.1

From 60cb648ab0bd3cba627f9f1c020ace613e18f3d5 Mon Sep 17 00:00:00 2001
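Review bot: The new early return in the `$stored_hash_type == false` branch (`@@ -246,18 +246,9 @@`) no longer touches `$this->convert_flag`, which the removed loop set to true on a match, so after a successful check of a prefix-less hash the flag keeps whatever value an earlier call left in it. If callers use the flag to decide whether to rehash on login (not visible here), the installer's MD5 admin hash that the comment mentions would stay in its legacy form. Assigning the result first, `$this->convert_flag = $this->get_algorithm('$H$')->check($password, $hash);` followed by `return $this->convert_flag;`, would keep the upgrade signal. The result of `get_algorithm('$H$')` is also dereferenced without a check, which fails hard if that driver is not registered. `check()` starts and ends outside the hunk.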
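Review bot: In the `$CP$` branch (`@@ -277,6 +268,21 @@`), `$hash` is overwritten with `substr($hash, 4)`, and when no legacy driver matches, the stripped value falls through to `$stored_hash_type->check($password, $hash)`, so the `$CP$` driver is handed a hash without its own prefix. Whether that driver can ever return true for such input is not visible here; an explicit `return false;` after the `foreach`, or stripping into a separate `$legacy_hash` variable, would make the failure path independent of it. A short comment that `$user_row` is forwarded only to legacy drivers would also help, since the final `check()` call omits it.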
From: Marc Alexander
Date: Mon, 26 May 2014 13:26:46 +0200
Subject: [ticket/12352] Remove code for converting passwords in db auth provider

PHPBB3-12352
---
 phpBB/phpbb/passwords/manager.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'phpBB/phpbb/passwords/manager.php')

diff --git a/phpBB/phpbb/passwords/manager.php b/phpBB/phpbb/passwords/manager.php
index 7d46424e4d..0a349c4a14 100644
--- a/phpBB/phpbb/passwords/manager.php
+++ b/phpBB/phpbb/passwords/manager.php
@@ -268,10 +268,10 @@ class manager
 $this->convert_flag = false;
 }
 
+ // Check all legacy hash types if prefix is $CP$
 if ($stored_hash_type->get_prefix() === '$CP$')
 {
- // Check all legacy hash types for this hash. Remove
- // $CP$ prefix from beginning for proper checking.
+ // Remove $CP$ prefix for proper checking
 $hash = substr($hash, 4);
 
 foreach ($this->type_map as $algorithm)
-- cgit v1.2.1