mirror/php-phpbb
1
0
Fork 0
mirror of https://github.com/phpbb/phpbb.git synced 2025-04-19 23:32:02 +02:00
Code Issues Releases Wiki Activity

Merge remote-tracking branch 'github-marc1706/ticket/12352' into develop-ascraeus

Browse Source 
* github-marc1706/ticket/12352: (33 commits)
  [ticket/12352] Do not check hashes that don't have the necessary length
  [ticket/12352] Update file headers to fit new format
  [ticket/12352] Use custom provider collection for auth providers
  [ticket/12352] Add checks for existing user_pass_convert to migrations
  [ticket/12352] Remove usages of user_pass_convert column
  [ticket/12352] Update schema json file
  [ticket/12352] Remove user_pass_convert column from database
  [ticket/12352] Check each newly added passwords driver in manager_test
  [ticket/12352] Add get_settings_only method to passwords driver base
  [ticket/12352] Add passwords driver for xenforo 1.0, 1.1 passwords
  [ticket/12352] Add tests for wcf1 and wcf2 drivers
  [ticket/12352] Add driver for woltlab community framework 1 passwords
  [ticket/12352] Add driver for woltlab community framework 2 passwords
  [ticket/12352] Add missing $ to md5_mybb and md5_vb driver
  [ticket/12352] Fix spacing in passwords tests
  [ticket/12352] Add passwords driver for vB passwords
  [ticket/12352] Use correct hashing method in md5_mybb driver
  [ticket/12352] Add driver for myBB md5 passwords
  [ticket/12352] Rename phpbb2_md5 driver to fit filenames of other drivers
  [ticket/12352] Add passwords driver for sha1 password hashes
  ...
This commit is contained in:
Nils Adermann 2014-06-11 14:27:57 +02:00
commit 694f8391c9
35 changed files with 1335 additions and 113 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
phpBB/config/auth_providers.yml
View File

@ -1,8 +1,9 @@
services:
auth.provider_collection:
class: phpbb\di\service_collection
class: phpbb\auth\provider_collection
arguments:
- @service_container
- @config
tags:
- { name: service_collection, tag: auth.provider }
auth.provider.db:

66
phpBB/config/passwords.yml
View File

@ -22,6 +22,14 @@ services:
tags:
- { name: passwords.driver }
passwords.driver.bcrypt_wcf2:
class: phpbb\passwords\driver\bcrypt_wcf2
arguments:
- @passwords.driver.bcrypt
- @passwords.driver_helper
tags:
- { name: passwords.driver }
passwords.driver.salted_md5:
class: phpbb\passwords\driver\salted_md5
arguments:
@ -38,6 +46,64 @@ services:
tags:
- { name: passwords.driver }
passwords.driver.convert_password:
class: phpbb\passwords\driver\convert_password
arguments:
- @config
- @passwords.driver_helper
tags:
- { name: passwords.driver }
passwords.driver.sha1_smf:
class: phpbb\passwords\driver\sha1_smf
arguments:
- @config
- @passwords.driver_helper
tags:
- { name: passwords.driver }
passwords.driver.sha1_wcf1:
class: phpbb\passwords\driver\sha1_wcf1
arguments:
- @config
- @passwords.driver_helper
tags:
- { name: passwords.driver }
passwords.driver.sha1:
class: phpbb\passwords\driver\sha1
arguments:
- @config
- @passwords.driver_helper
tags:
- { name: passwords.driver }
passwords.driver.md5_phpbb2:
class: phpbb\passwords\driver\md5_phpbb2
arguments:
- @request
- @passwords.driver.salted_md5
- %core.root_path%
- %core.php_ext%
tags:
- { name: passwords.driver }
passwords.driver.md5_mybb:
class: phpbb\passwords\driver\md5_mybb
arguments:
- @config
- @passwords.driver_helper
tags:
- { name: passwords.driver }
passwords.driver.md5_vb:
class: phpbb\passwords\driver\md5_vb
arguments:
- @config
- @passwords.driver_helper
tags:
- { name: passwords.driver }
passwords.driver_collection:
class: phpbb\di\service_collection
arguments:

1
phpBB/includes/acp/acp_users.php
View File

@ -922,7 +922,6 @@ class acp_users
$sql_ary += array(
'user_password' => $passwords_manager->hash($data['new_password']),
'user_passchg' => time(),
'user_pass_convert' => 0,
);
$user->reset_login_keys($user_id);

3
phpBB/includes/functions.php
View File

@ -2854,7 +2854,8 @@ function login_box($redirect = '', $l_explain = '', $l_success = '', $admin = fa
$s_hidden_fields['credential'] = $credential;
}
$auth_provider = $phpbb_container->get('auth.provider.' . $config['auth_method']);
$provider_collection = $phpbb_container->get('auth.provider_collection');
$auth_provider = $provider_collection->get_provider();
$auth_provider_data = $auth_provider->get_login_data();
if ($auth_provider_data)

1
phpBB/includes/functions_user.php
View File

@ -184,7 +184,6 @@ function user_add($user_row, $cp_data = false)
'username' => $user_row['username'],
'username_clean' => $username_clean,
'user_password' => (isset($user_row['user_password'])) ? $user_row['user_password'] : '',
'user_pass_convert' => 0,
'user_email' => strtolower($user_row['user_email']),
'user_email_hash' => phpbb_email_hash($user_row['user_email']),
'group_id' => $user_row['group_id'],

1
phpBB/includes/ucp/ucp_activate.php
View File

@ -78,7 +78,6 @@ class ucp_activate
'user_actkey' => '',
'user_password' => $user_row['user_newpasswd'],
'user_newpasswd' => '',
'user_pass_convert' => 0,
'user_login_attempts' => 0,
);

4
phpBB/install/schemas/schema.json
View File

@ -3023,10 +3023,6 @@
"TIMESTAMP",
0
],
"user_pass_convert": [
"BOOL",
0
],
"user_email": [
"VCHAR_UNI:100",
""

71
phpBB/phpbb/auth/provider/db.php
View File

@ -78,7 +78,7 @@ class db extends \phpbb\auth\provider\base
$username_clean = utf8_clean_string($username);
$sql = 'SELECT user_id, username, user_password, user_passchg, user_pass_convert, user_email, user_type, user_login_attempts
$sql = 'SELECT user_id, username, user_password, user_passchg, user_email, user_type, user_login_attempts
FROM ' . USERS_TABLE . "
WHERE username_clean = '" . $this->db->sql_escape($username_clean) . "'";
$result = $this->db->sql_query($sql);
@ -170,72 +170,8 @@ class db extends \phpbb\auth\provider\base
}
// If the password convert flag is set we need to convert it
if ($row['user_pass_convert'])
{
// enable super globals to get literal value
// this is needed to prevent unicode normalization
$super_globals_disabled = $this->request->super_globals_disabled();
if ($super_globals_disabled)
{
$this->request->enable_super_globals();
}
// in phpBB2 passwords were used exactly as they were sent, with addslashes applied
$password_old_format = isset($_REQUEST['password']) ? (string) $_REQUEST['password'] : '';
$password_old_format = (!STRIP) ? addslashes($password_old_format) : $password_old_format;
$password_new_format = $this->request->variable('password', '', true);
if ($super_globals_disabled)
{
$this->request->disable_super_globals();
}
if ($password == $password_new_format)
{
if (!function_exists('utf8_to_cp1252'))
{
include($this->phpbb_root_path . 'includes/utf/data/recode_basic.' . $this->php_ext);
}
// cp1252 is phpBB2's default encoding, characters outside ASCII range might work when converted into that encoding
// plain md5 support left in for conversions from other systems.
if ((strlen($row['user_password']) == 34 && ($this->passwords_manager->check(md5($password_old_format), $row['user_password']) || $this->passwords_manager->check(md5(utf8_to_cp1252($password_old_format)), $row['user_password'])))
|| (strlen($row['user_password']) == 32 && (md5($password_old_format) == $row['user_password'] || md5(utf8_to_cp1252($password_old_format)) == $row['user_password'])))
{
$hash = $this->passwords_manager->hash($password_new_format);
// Update the password in the users table to the new format and remove user_pass_convert flag
$sql = 'UPDATE ' . USERS_TABLE . '
SET user_password = \'' . $this->db->sql_escape($hash) . '\',
user_pass_convert = 0
WHERE user_id = ' . $row['user_id'];
$this->db->sql_query($sql);
$row['user_pass_convert'] = 0;
$row['user_password'] = $hash;
}
else
{
// Although we weren't able to convert this password we have to
// increase login attempt count to make sure this cannot be exploited
$sql = 'UPDATE ' . USERS_TABLE . '
SET user_login_attempts = user_login_attempts + 1
WHERE user_id = ' . (int) $row['user_id'] . '
AND user_login_attempts < ' . LOGIN_ATTEMPTS_MAX;
$this->db->sql_query($sql);
return array(
'status' => LOGIN_ERROR_PASSWORD_CONVERT,
'error_msg' => 'LOGIN_ERROR_PASSWORD_CONVERT',
'user_row' => $row,
);
}
}
}
// Check password ...
if (!$row['user_pass_convert'] && $this->passwords_manager->check($password, $row['user_password']))
if ($this->passwords_manager->check($password, $row['user_password']))
{
// Check for old password hash...
if ($this->passwords_manager->convert_flag || strlen($row['user_password']) == 32)
@ -244,8 +180,7 @@ class db extends \phpbb\auth\provider\base
// Update the password in the users table to the new format
$sql = 'UPDATE ' . USERS_TABLE . "
SET user_password = '" . $this->db->sql_escape($hash) . "',
user_pass_convert = 0
SET user_password = '" . $this->db->sql_escape($hash) . "'
WHERE user_id = {$row['user_id']}";
$this->db->sql_query($sql);

2
phpBB/phpbb/auth/provider/oauth/oauth.php
View File

@ -215,7 +215,7 @@ class oauth extends \phpbb\auth\provider\base
}
// Retrieve the user's account
$sql = 'SELECT user_id, username, user_password, user_passchg, user_pass_convert, user_email, user_type, user_login_attempts
$sql = 'SELECT user_id, username, user_password, user_passchg, user_email, user_type, user_login_attempts
FROM ' . $this->users_table . '
WHERE user_id = ' . (int) $row['user_id'];
$result = $this->db->sql_query($sql);

65
phpBB/phpbb/auth/provider_collection.php Normal file
View File

@ -0,0 +1,65 @@
<?php
/**
*
* This file is part of the phpBB Forum Software package.
*
* @copyright (c) phpBB Limited <https://www.phpbb.com>
* @license GNU General Public License, version 2 (GPL-2.0)
*
* For full copyright and license information, please see
* the docs/CREDITS.txt file.
*
*/
namespace phpbb\auth;
use Symfony\Component\DependencyInjection\ContainerInterface;
/**
* Collection of auth providers to be configured at container compile time.
*/
class provider_collection extends \phpbb\di\service_collection
{
/** @var \phpbb\config\config phpBB Config */
protected $config;
/**
* Constructor
*
* @param ContainerInterface $container Container object
* @param \phpbb\config\config $config phpBB config
*/
public function __construct($container, \phpbb\config\config $config)
{
$this->container = $container;
$this->config = $config;
}
/**
* Get an auth provider.
*
* @return object Default auth provider selected in config if it
* does exist. Otherwise the standard db auth
* provider.
* @throws \RuntimeException If neither the auth provider that
* is specified by the phpBB config nor the db
* auth provider exist. The db auth provider
* should always exist in a phpBB installation.
*/
public function get_provider()
{
if ($this->offsetExists('auth.provider.' . basename(trim($this->config['auth_method']))))
{
return $this->offsetGet('auth.provider.' . basename(trim($this->config['auth_method'])));
}
// Revert to db auth provider if selected method does not exist
elseif ($this->offsetExists('auth.provider.db'))
{
return $this->offsetGet('auth.provider.db');
}
else
{
throw new \RuntimeException(sprintf('The authentication provider for the authentication method "%1$s" does not exist. It was not possible to recover from this by reverting to the database authentication provider.', $this->config['auth_method']));
}
}
}

85
phpBB/phpbb/db/migration/data/v310/passwords_convert_p1.php Normal file
View File

@ -0,0 +1,85 @@
<?php
/**
*
* This file is part of the phpBB Forum Software package.
*
* @copyright (c) phpBB Limited <https://www.phpbb.com>
* @license GNU General Public License, version 2 (GPL-2.0)
*
* For full copyright and license information, please see
* the docs/CREDITS.txt file.
*
*/
namespace phpbb\db\migration\data\v310;
class passwords_convert_p1 extends \phpbb\db\migration\migration
{
static public function depends_on()
{
return array('\phpbb\db\migration\data\v310\passwords_p2');
}
public function update_data()
{
return array(
array('custom', array(array($this, 'update_passwords'))),
);
}
public function update_passwords($start)
{
// Nothing to do if user_pass_convert column doesn't exist
if (!$this->db_tools->sql_column_exists($this->table_prefix . 'users', 'user_pass_convert'))
{
return;
}
$start = (int) $start;
$limit = 1000;
$converted_users = 0;
$sql = 'SELECT user_password, user_id
FROM ' . $this->table_prefix . 'users
WHERE user_pass_convert = 1
GROUP BY user_id
ORDER BY user_id';
$result = $this->db->sql_query_limit($sql, $limit, $start);
$update_users = array();
while ($row = $this->db->sql_fetchrow($result))
{
$converted_users++;
$user_id = (int) $row['user_id'];
// Only prefix passwords without proper prefix
if (!isset($update_users[$user_id]) && !preg_match('#^\$([a-zA-Z0-9\\\]*?)\$#', $row['user_password']))
{
// Use $CP$ prefix for passwords that need to
// be converted and set pass convert to false.
$update_users[$user_id] = array(
'user_password' => '$CP$' . $row['user_password'],
'user_pass_convert' => 0,
);
}
}
$this->db->sql_freeresult($result);
foreach ($update_users as $user_id => $user_data)
{
$sql = 'UPDATE ' . $this->table_prefix . 'users
SET ' . $this->db->sql_build_array('UPDATE', $user_data) . '
WHERE user_id = ' . $user_id;
$this->sql_query($sql);
}
if ($converted_users < $limit)
{
// There are no more users to be converted
return;
}
// There are still more users to query, return the next start value
return $start + $limit;
}
}

49
phpBB/phpbb/db/migration/data/v310/passwords_convert_p2.php Normal file
View File

@ -0,0 +1,49 @@
<?php
/**
*
* This file is part of the phpBB Forum Software package.
*
* @copyright (c) phpBB Limited <https://www.phpbb.com>
* @license GNU General Public License, version 2 (GPL-2.0)
*
* For full copyright and license information, please see
* the docs/CREDITS.txt file.
*
*/
namespace phpbb\db\migration\data\v310;
class passwords_convert_p2 extends \phpbb\db\migration\migration
{
public function effectively_installed()
{
return !$this->db_tools->sql_column_exists($this->table_prefix . 'users', 'user_pass_convert');
}
static public function depends_on()
{
return array('\phpbb\db\migration\data\v310\passwords_convert_p1');
}
public function update_schema()
{
return array(
'drop_columns' => array(
$this->table_prefix . 'users' => array(
'user_pass_convert',
),
),
);
}
public function revert_schema()
{
return array(
'add_columns' => array(
$this->table_prefix . 'users' => array(
'user_pass_convert' => array('BOOL', 0, 'after' => 'user_passchg'),
),
),
);
}
}

16
phpBB/phpbb/passwords/driver/base.php
View File

@ -43,4 +43,20 @@ abstract class base implements driver_interface
{
return true;
}
/**
* @inheritdoc
*/
public function is_legacy()
{
return false;
}
/**
* @inheritdoc
*/
public function get_settings_only($hash, $full = false)
{
return false;
}
}

2
phpBB/phpbb/passwords/driver/bcrypt.php
View File

@ -60,7 +60,7 @@ class bcrypt extends base
/**
* @inheritdoc
*/
public function check($password, $hash)
public function check($password, $hash, $user_row = array())
{
$salt = substr($hash, 0, 29);
if (strlen($salt) != 29)

84
phpBB/phpbb/passwords/driver/bcrypt_wcf2.php Normal file
View File

@ -0,0 +1,84 @@
<?php
/**
*
* This file is part of the phpBB Forum Software package.
*
* @copyright (c) phpBB Limited <https://www.phpbb.com>
* @license GNU General Public License, version 2 (GPL-2.0)
*
* For full copyright and license information, please see
* the docs/CREDITS.txt file.
*
*/
namespace phpbb\passwords\driver;
class bcrypt_wcf2 extends base
{
const PREFIX = '$wcf2$';
/** @var \phpbb\passwords\driver\bcrypt */
protected $bcrypt;
/** @var phpbb\passwords\driver\helper */
protected $helper;
/**
* Constructor of passwords driver object
*
* @param \phpbb\passwords\driver\bcrypt $bcrypt Salted md5 driver
* @param \phpbb\passwords\driver\helper $helper Password driver helper
*/
public function __construct(\phpbb\passwords\driver\bcrypt $bcrypt, helper $helper)
{
$this->bcrypt = $bcrypt;
$this->helper = $helper;
}
/**
* @inheritdoc
*/
public function get_prefix()
{
return self::PREFIX;
}
/**
* @inheritdoc
*/
public function is_legacy()
{
return true;
}
/**
* @inheritdoc
*/
public function hash($password, $user_row = '')
{
// Do not support hashing
return false;
}
/**
* @inheritdoc
*/
public function check($password, $hash, $user_row = array())
{
if (empty($hash) || strlen($hash) != 60)
{
return false;
}
else
{
$salt = substr($hash, 0, 29);
if (strlen($salt) != 29)
{
return false;
}
// Works for standard WCF 2.x, i.e. WBB4 and similar
return $hash === $this->bcrypt->hash($this->bcrypt->hash($password, $salt), $salt);
}
}
}

43
phpBB/phpbb/passwords/driver/convert_password.php Normal file
View File

@ -0,0 +1,43 @@
<?php
/**
*
* This file is part of the phpBB Forum Software package.
*
* @copyright (c) phpBB Limited <https://www.phpbb.com>
* @license GNU General Public License, version 2 (GPL-2.0)
*
* For full copyright and license information, please see
* the docs/CREDITS.txt file.
*
*/
namespace phpbb\passwords\driver;
class convert_password extends base
{
const PREFIX = '$CP$';
/**
* @inheritdoc
*/
public function get_prefix()
{
return self::PREFIX;
}
/**
* @inheritdoc
*/
public function hash($password, $user_row = '')
{
return false;
}
/**
* @inheritdoc
*/
public function check($password, $hash, $user_row = array())
{
return false;
}
}

10
phpBB/phpbb/passwords/driver/driver_interface.php
View File

@ -22,6 +22,13 @@ interface driver_interface
*/
public function is_supported();
/**
* Check if hash type is a legacy hash type
*
* @return bool True if it's a legacy hash type, false if not
*/
public function is_legacy();
/**
* Returns the hash prefix
*
@ -44,10 +51,11 @@ interface driver_interface
*
* @param string $password The password to check
* @param string $hash The password hash to check against
* @param string $user_row User's row in users table
*
* @return bool True if password is correct, else false
*/
public function check($password, $hash);
public function check($password, $hash, $user_row = array());
/**
* Get only the settings of the specified hash

60
phpBB/phpbb/passwords/driver/md5_mybb.php Normal file
View File

@ -0,0 +1,60 @@
<?php
/**
*
* This file is part of the phpBB Forum Software package.
*
* @copyright (c) phpBB Limited <https://www.phpbb.com>
* @license GNU General Public License, version 2 (GPL-2.0)
*
* For full copyright and license information, please see
* the docs/CREDITS.txt file.
*
*/
namespace phpbb\passwords\driver;
class md5_mybb extends base
{
const PREFIX = '$md5_mybb$';
/**
* @inheritdoc
*/
public function get_prefix()
{
return self::PREFIX;
}
/**
* @inheritdoc
*/
public function is_legacy()
{
return true;
}
/**
* @inheritdoc
*/
public function hash($password, $user_row = '')
{
// Do not support hashing
return false;
}
/**
* @inheritdoc
*/
public function check($password, $hash, $user_row = array())
{
if (empty($hash) || strlen($hash) != 32 || !isset($user_row['user_passwd_salt']))
{
return false;
}
else
{
// Works for myBB 1.1.x, 1.2.x, 1.4.x, 1.6.x
return $hash === md5(md5($user_row['user_passwd_salt']) . md5($password));
}
}
}

118
phpBB/phpbb/passwords/driver/md5_phpbb2.php Normal file
View File

@ -0,0 +1,118 @@
<?php
/**
*
* This file is part of the phpBB Forum Software package.
*
* @copyright (c) phpBB Limited <https://www.phpbb.com>
* @license GNU General Public License, version 2 (GPL-2.0)
*
* For full copyright and license information, please see
* the docs/CREDITS.txt file.
*
*/
namespace phpbb\passwords\driver;
class md5_phpbb2 extends base
{
const PREFIX = '$md5_phpbb2$';
/** @var \phpbb\request\request phpBB request object */
protected $request;
/** @var \phpbb\passwords\driver\salted_md5 */
protected $salted_md5;
/** @var phpBB root path */
protected $phpbb_root_path;
/** @var php file extension */
protected $php_ext;
/**
* Constructor of passwords driver object
*
* @param \phpbb\request\request $request phpBB request object
* @param \phpbb\passwords\driver\salted_md5 $salted_md5 Salted md5 driver
* @param string $phpbb_root_path phpBB root path
* @param string $php_ext PHP file extension
*/
public function __construct($request, \phpbb\passwords\driver\salted_md5 $salted_md5, $phpbb_root_path, $php_ext)
{
$this->request = $request;
$this->salted_md5 = $salted_md5;
$this->phpbb_root_path = $phpbb_root_path;
$this->php_ext = $php_ext;
}
/**
* @inheritdoc
*/
public function get_prefix()
{
return self::PREFIX;
}
/**
* @inheritdoc
*/
public function is_legacy()
{
return true;
}
/**
* @inheritdoc
*/
public function hash($password, $user_row = '')
{
// Do not support hashing
return false;
}
/**
* @inheritdoc
*/
public function check($password, $hash, $user_row = array())
{
if (strlen($hash) != 32 && strlen($hash) != 34)
{
return false;
}
// enable super globals to get literal value
// this is needed to prevent unicode normalization
$super_globals_disabled = $this->request->super_globals_disabled();
if ($super_globals_disabled)
{
$this->request->enable_super_globals();
}
// in phpBB2 passwords were used exactly as they were sent, with addslashes applied
$password_old_format = isset($_REQUEST['password']) ? (string) $_REQUEST['password'] : '';
$password_old_format = (!STRIP) ? addslashes($password_old_format) : $password_old_format;
$password_new_format = $this->request->variable('password', '', true);
if ($super_globals_disabled)
{
$this->request->disable_super_globals();
}
if ($password == $password_new_format)
{
if (!function_exists('utf8_to_cp1252'))
{
include($this->phpbb_root_path . 'includes/utf/data/recode_basic.' . $this->php_ext);
}
if (md5($password_old_format) === $hash || md5(\utf8_to_cp1252($password_old_format)) === $hash
|| $this->salted_md5->check(md5($password_old_format), $hash) === true
|| $this->salted_md5->check(md5(\utf8_to_cp1252($password_old_format)), $hash) === true)
{
return true;
}
}
return false;
}
}

60
phpBB/phpbb/passwords/driver/md5_vb.php Normal file
View File

@ -0,0 +1,60 @@
<?php
/**
*
* This file is part of the phpBB Forum Software package.
*
* @copyright (c) phpBB Limited <https://www.phpbb.com>
* @license GNU General Public License, version 2 (GPL-2.0)
*
* For full copyright and license information, please see
* the docs/CREDITS.txt file.
*
*/
namespace phpbb\passwords\driver;
class md5_vb extends base
{
const PREFIX = '$md5_vb$';
/**
* @inheritdoc
*/
public function get_prefix()
{
return self::PREFIX;
}
/**
* @inheritdoc
*/
public function is_legacy()
{
return true;
}
/**
* @inheritdoc
*/
public function hash($password, $user_row = '')
{
// Do not support hashing
return false;
}
/**
* @inheritdoc
*/
public function check($password, $hash, $user_row = array())
{
if (empty($hash) || strlen($hash) != 32 || !isset($user_row['user_passwd_salt']))
{
return false;
}
else
{
// Works for vB 3.8.x, 4.x.x, 5.0.x
return $hash === md5(md5($password) . $user_row['user_passwd_salt']);
}
}
}

10
phpBB/phpbb/passwords/driver/salted_md5.php
View File

@ -53,6 +53,14 @@ class salted_md5 extends base
return self::PREFIX;
}
/**
* @inheritdoc
*/
public function is_legacy()
{
return true;
}
/**
* @inheritdoc
*/
@ -92,7 +100,7 @@ class salted_md5 extends base
/**
* @inheritdoc
*/
public function check($password, $hash)
public function check($password, $hash, $user_row = array())
{
if (strlen($hash) !== 34)
{

52
phpBB/phpbb/passwords/driver/sha1.php Normal file
View File

@ -0,0 +1,52 @@
<?php
/**
*
* This file is part of the phpBB Forum Software package.
*
* @copyright (c) phpBB Limited <https://www.phpbb.com>
* @license GNU General Public License, version 2 (GPL-2.0)
*
* For full copyright and license information, please see
* the docs/CREDITS.txt file.
*
*/
namespace phpbb\passwords\driver;
class sha1 extends base
{
const PREFIX = '$sha1$';
/**
* @inheritdoc
*/
public function get_prefix()
{
return self::PREFIX;
}
/**
* @inheritdoc
*/
public function is_legacy()
{
return true;
}
/**
* @inheritdoc
*/
public function hash($password, $user_row = '')
{
// Do not support hashing
return false;
}
/**
* @inheritdoc
*/
public function check($password, $hash, $user_row = array())
{
return (strlen($hash) == 40) ? $hash === sha1($password) : false;
}
}

51
phpBB/phpbb/passwords/driver/sha1_smf.php Normal file
View File

@ -0,0 +1,51 @@
<?php
/**
*
* This file is part of the phpBB Forum Software package.
*
* @copyright (c) phpBB Limited <https://www.phpbb.com>
* @license GNU General Public License, version 2 (GPL-2.0)
*
* For full copyright and license information, please see
* the docs/CREDITS.txt file.
*
*/
namespace phpbb\passwords\driver;
class sha1_smf extends base
{
const PREFIX = '$smf$';
/**
* @inheritdoc
*/
public function get_prefix()
{
return self::PREFIX;
}
/**
* @inheritdoc
*/
public function is_legacy()
{
return true;
}
/**
* @inheritdoc
*/
public function hash($password, $user_row = '')
{
return (isset($user_row['login_name'])) ? sha1(strtolower($user_row['login_name']) . $password) : false;
}
/**
* @inheritdoc
*/
public function check($password, $hash, $user_row = array())
{
return (strlen($hash) == 40) ? $hash === $this->hash($password, $user_row) : false;
}
}

60
phpBB/phpbb/passwords/driver/sha1_wcf1.php Normal file
View File

@ -0,0 +1,60 @@
<?php
/**
*
* This file is part of the phpBB Forum Software package.
*
* @copyright (c) phpBB Limited <https://www.phpbb.com>
* @license GNU General Public License, version 2 (GPL-2.0)
*
* For full copyright and license information, please see
* the docs/CREDITS.txt file.
*
*/
namespace phpbb\passwords\driver;
class sha1_wcf1 extends base
{
const PREFIX = '$wcf1$';
/**
* @inheritdoc
*/
public function get_prefix()
{
return self::PREFIX;
}
/**
* @inheritdoc
*/
public function is_legacy()
{
return true;
}
/**
* @inheritdoc
*/
public function hash($password, $user_row = '')
{
// Do not support hashing
return false;
}
/**
* @inheritdoc
*/
public function check($password, $hash, $user_row = array())
{
if (empty($hash) || strlen($hash) != 40 || !isset($user_row['user_passwd_salt']))
{
return false;
}
else
{
// Works for standard WCF 1.x, i.e. WBB3 and similar
return $hash === sha1($user_row['user_passwd_salt'] . sha1($user_row['user_passwd_salt'] . sha1($password)));
}
}
}

68
phpBB/phpbb/passwords/driver/sha_xf1.php Normal file
View File

@ -0,0 +1,68 @@
<?php
/**
*
* This file is part of the phpBB Forum Software package.
*
* @copyright (c) phpBB Limited <https://www.phpbb.com>
* @license GNU General Public License, version 2 (GPL-2.0)
*
* For full copyright and license information, please see
* the docs/CREDITS.txt file.
*
*/
namespace phpbb\passwords\driver;
class sha_xf1 extends base
{
const PREFIX = '$xf1$';
/**
* @inheritdoc
*/
public function get_prefix()
{
return self::PREFIX;
}
/**
* @inheritdoc
*/
public function is_legacy()
{
return true;
}
/**
* @inheritdoc
*/
public function hash($password, $user_row = '')
{
// Do not support hashing
return false;
}
/**
* @inheritdoc
*/
public function check($password, $hash, $user_row = array())
{
if (empty($hash) || (strlen($hash) != 40 && strlen($hash) != 64) || !isset($user_row['user_passwd_salt']))
{
return false;
}
else
{
// Works for xenforo 1.0, 1.1
if ($hash === sha1(sha1($password) . $user_row['user_passwd_salt'])
|| $hash === hash('sha256', hash('sha256', $password) . $user_row['user_passwd_salt']))
{
return true;
}
else
{
return false;
}
}
}
}

30
phpBB/phpbb/passwords/manager.php
View File

@ -141,7 +141,7 @@ class manager
*/
if (!preg_match('#^\$([a-zA-Z0-9\\\]*?)\$#', $hash, $match))
{
return $this->get_algorithm('$H$');
return false;
}
// Be on the lookout for multiple hashing algorithms
@ -224,9 +224,10 @@ class manager
*
* @param string $password Password that should be checked
* @param string $hash Stored hash
* @param array $user_row User's row in users table
* @return string|bool True if password is correct, false if not
*/
public function check($password, $hash)
public function check($password, $hash, $user_row = array())
{
if (strlen($password) > 4096)
{
@ -235,11 +236,19 @@ class manager
return false;
}
// Empty hashes can't be checked
if (empty($hash))
{
return false;
}
// First find out what kind of hash we're dealing with
$stored_hash_type = $this->detect_algorithm($hash);
if ($stored_hash_type == false)
{
return false;
// Still check MD5 hashes as that is what the installer
// will default to for the admin user
return $this->get_algorithm('$H$')->check($password, $hash);
}
// Multiple hash passes needed
@ -259,6 +268,21 @@ class manager
$this->convert_flag = false;
}
// Check all legacy hash types if prefix is $CP$
if ($stored_hash_type->get_prefix() === '$CP$')
{
// Remove $CP$ prefix for proper checking
$hash = substr($hash, 4);
foreach ($this->type_map as $algorithm)
{
if ($algorithm->is_legacy() && $algorithm->check($password, $hash, $user_row) === true)
{
return true;
}
}
}
return $stored_hash_type->check($password, $hash);
}

15
phpBB/phpbb/session.php
View File

@ -408,9 +408,8 @@ class session
$session_expired = false;
// Check whether the session is still valid if we have one
$method = basename(trim($config['auth_method']));
$provider = $phpbb_container->get('auth.provider.' . $method);
$provider_collection = $phpbb_container->get('auth.provider_collection');
$provider = $provider_collection->get_provider();
if (!($provider instanceof \phpbb\auth\provider\provider_interface))
{
@ -577,9 +576,8 @@ class session
}
}
$method = basename(trim($config['auth_method']));
$provider = $phpbb_container->get('auth.provider.' . $method);
$provider_collection = $phpbb_container->get('auth.provider_collection');
$provider = $provider_collection->get_provider();
$this->data = $provider->autologin();
if (sizeof($this->data))
@ -898,9 +896,8 @@ class session
$db->sql_query($sql);
// Allow connecting logout with external auth method logout
$method = basename(trim($config['auth_method']));
$provider = $phpbb_container->get('auth.provider.' . $method);
$provider_collection = $phpbb_container->get('auth.provider_collection');
$provider = $provider_collection->get_provider();
$provider->logout($this->data, $new_session);
if ($this->data['user_id'] != ANONYMOUS)

3
tests/auth/fixtures/user.xml
View File

@ -6,7 +6,6 @@
<column>username_clean</column>
<column>user_password</column>
<column>user_passchg</column>
<column>user_pass_convert</column>
<column>user_email</column>
<column>user_type</column>
<column>user_login_attempts</column>
@ -18,7 +17,6 @@
<value>foobar</value>
<value>$2y$10$4RmpyVu2y8Yf/lP3.yQBquKvE54TCUuEDEBJYY6FDDFN3LcbCGz9i</value>
<value>0</value>
<value>0</value>
<value>example@example.com</value>
<value>0</value>
<value>0</value>
@ -31,7 +29,6 @@
<value>foobar2</value>
<value>$H$9E45lK6J8nLTSm9oJE5aNCSTFK9wqa/</value>
<value>0</value>
<value>0</value>
<value>example@example.com</value>
<value>0</value>
<value>0</value>

3
tests/auth/fixtures/user_533.xml
View File

@ -6,7 +6,6 @@
<column>username_clean</column>
<column>user_password</column>
<column>user_passchg</column>
<column>user_pass_convert</column>
<column>user_email</column>
<column>user_type</column>
<column>user_login_attempts</column>
@ -18,7 +17,6 @@
<value>foobar</value>
<value>$2a$10$e01Syh9PbJjUkio66eFuUu4FhCE2nRgG7QPc1JACalsPXcIuG2bbi</value>
<value>0</value>
<value>0</value>
<value>example@example.com</value>
<value>0</value>
<value>0</value>
@ -31,7 +29,6 @@
<value>foobar2</value>
<value>$H$9E45lK6J8nLTSm9oJE5aNCSTFK9wqa/</value>
<value>0</value>
<value>0</value>
<value>example@example.com</value>
<value>0</value>
<value>0</value>

1
tests/auth/provider_apache_test.php
View File

@ -148,7 +148,6 @@ class phpbb_auth_provider_apache_test extends phpbb_database_test_case
'username_clean' => 'foobar',
'user_password' => $this->password_hash,
'user_passchg' => '0',
'user_pass_convert' => '0',
'user_email' => 'example@example.com',
'user_email_hash' => '0',
'user_birthday' => '',

1
tests/auth/provider_db_test.php
View File

@ -70,7 +70,6 @@ class phpbb_auth_provider_db_test extends phpbb_database_test_case
'username' => 'foobar',
'user_password' => $password_hash,
'user_passchg' => '0',
'user_pass_convert' => '0',
'user_email' => 'example@example.com',
'user_type' => '0',
'user_login_attempts' => '0',

19
tests/mock/request.php
View File

@ -15,6 +15,8 @@ class phpbb_mock_request implements \phpbb\request\request_interface
{
protected $data;
protected $super_globals_disabled = false;
public function __construct($get = array(), $post = array(), $cookie = array(), $server = array(), $request = false, $files = array())
{
$this->data[\phpbb\request\request_interface::GET] = $get;
@ -23,6 +25,8 @@ class phpbb_mock_request implements \phpbb\request\request_interface
$this->data[\phpbb\request\request_interface::REQUEST] = ($request === false) ? $post + $get : $request;
$this->data[\phpbb\request\request_interface::SERVER] = $server;
$this->data[\phpbb\request\request_interface::FILES] = $files;
$this->disable_super_globals();
}
public function overwrite($var_name, $value, $super_global = \phpbb\request\request_interface::REQUEST)
@ -83,6 +87,21 @@ class phpbb_mock_request implements \phpbb\request\request_interface
return $this->data[$super_global];
}
public function super_globals_disabled()
{
return $this->super_globals_disabled;
}
public function disable_super_globals()
{
$this->super_globals_disabled = true;
}
public function enable_super_globals()
{
$this->super_globals_disabled = false;
}
/* custom methods */
public function set_header($header_name, $value)

335
tests/passwords/drivers_test.php
View File

@ -17,14 +17,26 @@ class phpbb_passwords_helper_test extends \phpbb_test_case
{
// Prepare dependencies for drivers
$config = new \phpbb\config\config(array());
$request = new phpbb_mock_request(array(), array(), array(), array(), array('password' => 'fööbar'));
$this->driver_helper = new \phpbb\passwords\driver\helper($config);
$phpbb_root_path = dirname(__FILE__) . '/../../phpBB/';
$php_ext = 'php';
$this->passwords_drivers = array(
'passwords.driver.bcrypt_2y' => new \phpbb\passwords\driver\bcrypt_2y($config, $this->driver_helper),
'passwords.driver.bcrypt' => new \phpbb\passwords\driver\bcrypt($config, $this->driver_helper),
'passwords.driver.bcrypt' => new \phpbb\passwords\driver\bcrypt($config, $this->driver_helper),
'passwords.driver.salted_md5' => new \phpbb\passwords\driver\salted_md5($config, $this->driver_helper),
'passwords.driver.phpass' => new \phpbb\passwords\driver\phpass($config, $this->driver_helper),
'passwords.driver.phpass' => new \phpbb\passwords\driver\phpass($config, $this->driver_helper),
'passwords.driver.sha1_smf' => new \phpbb\passwords\driver\sha1_smf($config, $this->driver_helper),
'passwords.driver.sha1_wcf1' => new \phpbb\passwords\driver\sha1_wcf1($config, $this->driver_helper),
'passwords.driver.convert_password'=> new \phpbb\passwords\driver\convert_password($config, $this->driver_helper),
'passwords.driver.sha1' => new \phpbb\passwords\driver\sha1($config, $this->driver_helper),
'passwords.driver.md5_mybb' => new \phpbb\passwords\driver\md5_mybb($config, $this->driver_helper),
'passwords.driver.md5_vb' => new \phpbb\passwords\driver\md5_vb($config, $this->driver_helper),
'passwords.driver.sha_xf1' => new \phpbb\passwords\driver\sha_xf1($config, $this->driver_helper),
);
$this->passwords_drivers['passwords.driver.md5_phpbb2'] = new \phpbb\passwords\driver\md5_phpbb2($request, $this->passwords_drivers['passwords.driver.salted_md5'], $phpbb_root_path, $php_ext);
$this->passwords_drivers['passwords.driver.bcrypt_wcf2'] = new \phpbb\passwords\driver\bcrypt_wcf2($this->passwords_drivers['passwords.driver.bcrypt'], $this->driver_helper);
}
public function data_helper_encode64()
@ -82,4 +94,323 @@ class phpbb_passwords_helper_test extends \phpbb_test_case
);
$this->assertEquals(false, $this->passwords_drivers['passwords.driver.salted_md5']->get_hash_settings(false));
}
public function data_hash_sha1_smf()
{
return array(
array(false, 'test', array()),
array(false, 'test', ''),
array('6f9e2a1899e1f15708fd2e554103480eb53e8b57', 'foobar', array('login_name' => 'test')),
);
}
/**
* @dataProvider data_hash_sha1_smf
*/
public function test_hash_sha1_smf($expected, $password, $user_row)
{
$this->assertSame($expected, $this->passwords_drivers['passwords.driver.sha1_smf']->hash($password, $user_row));
}
public function data_get_settings()
{
return array(
array(false, '6f9e2a1899e1f15708fd2e554103480eb53e8b57', 'passwords.driver.sha1_smf'),
);
}
/**
* @dataProvider data_get_settings
*/
public function test_get_settings_only($expected, $hash, $driver)
{
$this->assertSame($expected, $this->passwords_drivers[$driver]->get_settings_only($hash));
}
public function data_md5_phpbb2_check()
{
return array(
array(false, 'foobar', 'ae2fc75e20ee25d4520766788fbc96ae'),
array(false, 'foobar', 'ae2fc75e20ee25d4520766788fbc96aeddsf'),
array(false, 'fööbar', 'ae2fc75e20ee25d4520766788fbc96ae'),
array(true, 'fööbar', 'ae2fc75e20ee25d4520766788fbc96ae', utf8_decode('fööbar')),
array(true, 'fööbar', '$H$966CepJh9RC3hFIm7aKywR6jEn0kpA0', utf8_decode('fööbar')),
array(true, 'fööbar', '$H$9rNjgwETtmc8befO8JL1xFMrrMw8MC.', $this->utf8_to_cp1252(utf8_decode('fööbar'))),
array(true, 'fööbar', '$H$9rNjgwETtmc8befO8JL1xFMrrMw8MC.', $this->utf8_to_cp1252('fööbar')),
);
}
/**
* @dataProvider data_md5_phpbb2_check
*/
public function test_md5_phpbb2_check($expected, $password, $hash, $request_password = false)
{
if (!$request_password)
{
unset($_REQUEST['password']);
}
else
{
$_REQUEST['password'] = $request_password;
}
$this->assertSame($expected, $this->passwords_drivers['passwords.driver.md5_phpbb2']->check($password, $hash));
}
public function test_md5_phpbb2_hash()
{
$this->assertSame(false, $this->passwords_drivers['passwords.driver.md5_phpbb2']->hash('foobar'));
}
public function test_convert_password_driver()
{
$this->assertSame(false, $this->passwords_drivers['passwords.driver.convert_password']->hash('foobar'));
}
public function test_sha1_driver()
{
$this->assertSame(false, $this->passwords_drivers['passwords.driver.sha1']->hash('foobar'));
}
public function data_md5_mybb_check()
{
return array(
array(false, 'foobar', '083d11daea8675b1b4b502c7e55f8dbd'),
array(false, 'foobar', '083d11daea8675b1b4b502c7e55f8dbd', array('user_passwd_salt' => 'ae2fc75e')),
array(true, 'foobar', 'b86ee7e24008bfd2890dcfab1ed31333', array('user_passwd_salt' => 'yeOtfFO6')),
);
}
/**
* @dataProvider data_md5_mybb_check
*/
public function test_md5_mybb_check($expected, $password, $hash, $user_row = array())
{
$this->assertSame($expected, $this->passwords_drivers['passwords.driver.md5_mybb']->check($password, $hash, $user_row));
}
public function test_md5_mybb_driver()
{
$this->assertSame(false, $this->passwords_drivers['passwords.driver.md5_mybb']->hash('foobar'));
}
public function data_md5_vb_check()
{
return array(
array(false, 'foobar', '083d11daea8675b1b4b502c7e55f8dbd'),
array(false, 'foobar', 'b86ee7e24008bfd2890dcfab1ed31333', array('user_passwd_salt' => 'yeOtfFO6')),
array(true, 'foobar', 'b452c54c44c588fc095d2d000935c470', array('user_passwd_salt' => '9^F')),
array(true, 'foobar', 'f23a8241bd115d270c703213e3ef7f52', array('user_passwd_salt' => 'iaU*U%`CBl;/e~>D%do2m@Xf/,KZB0')),
array(false, 'nope', 'f23a8241bd115d270c703213e3ef7f52', array('user_passwd_salt' => 'iaU*U%`CBl;/e~>D%do2m@Xf/,KZB0')),
);
}
/**
* @dataProvider data_md5_vb_check
*/
public function test_md5_vb_check($expected, $password, $hash, $user_row = array())
{
$this->assertSame($expected, $this->passwords_drivers['passwords.driver.md5_vb']->check($password, $hash, $user_row));
}
public function test_md5_vb_driver()
{
$this->assertSame(false, $this->passwords_drivers['passwords.driver.md5_vb']->hash('foobar'));
}
public function data_sha1_wcf1_check()
{
return array(
array(false, 'foobar', 'fc46b9d9386167ce365ea3b891bf5dc31ddcd3ff'),
array(false, 'foobar', 'fc46b9d9386167ce365ea3b891bf5dc31ddcd3ff', array('user_passwd_salt' => 'yeOtfFO6')),
array(true, 'foobar', 'fc46b9d9386167ce365ea3b891bf5dc31ddcd3ff', array('user_passwd_salt' => '1a783e478d63f6422783a868db667aed3a857840')),
);
}
/**
* @dataProvider data_sha1_wcf1_check
*/
public function test_sha1_wcf1_check($expected, $password, $hash, $user_row = array())
{
$this->assertSame($expected, $this->passwords_drivers['passwords.driver.sha1_wcf1']->check($password, $hash, $user_row));
}
public function test_sha1_wcf1_driver()
{
$this->assertSame(false, $this->passwords_drivers['passwords.driver.sha1_wcf1']->hash('foobar'));
}
public function data_bcrypt_wcf2_check()
{
return array(
array(false, 'foobar', 'fc46b9d9386167ce365ea3b891bf5dc31ddcd3ff'),
array(true, 'foobar', '$2a$08$p8h14U0jsEiVb1Luy.s8oOTXSQ0hVWUXpcNGBoCezeYNXrQyCKHfi'),
array(false, 'foobar', ''),
);
}
/**
* @dataProvider data_bcrypt_wcf2_check
*/
public function test_bcrypt_wcf2_check($expected, $password, $hash)
{
$this->assertSame($expected, $this->passwords_drivers['passwords.driver.bcrypt_wcf2']->check($password, $hash));
}
public function test_bcrypt_wcf2_driver()
{
$this->assertSame(false, $this->passwords_drivers['passwords.driver.bcrypt_wcf2']->hash('foobar'));
}
public function data_sha_xf1_check()
{
return array(
array(false, 'foobar', 'fc46b9d9386167ce365ea3b891bf5dc31ddcd3ff'),
array(false, 'foobar', 'fc46b9d9386167ce365ea3b891bf5dc31ddcd3ff', array('user_passwd_salt' => 'yeOtfFO6')),
array(true, 'foobar', '7f65d2fa8a826d232f8134772252f8b1aaef8594b1edcabd9ab65e5b0f236ff0', array('user_passwd_salt' => '15b6c02cedbd727f563dcca607a89b085287b448966f19c0cc78cae263b1e38c')),
array(true, 'foobar', '69962ae2079420573a3948cc4dedbabd35680051', array('user_passwd_salt' => '15b6c02cedbd727f563dcca607a89b085287b448966f19c0cc78cae263b1e38c')),
);
}
/**
* @dataProvider data_sha_xf1_check
*/
public function test_sha_xf1_check($expected, $password, $hash, $user_row = array())
{
$this->assertSame($expected, $this->passwords_drivers['passwords.driver.sha_xf1']->check($password, $hash, $user_row));
}
public function test_sha_xf1_driver()
{
$this->assertSame(false, $this->passwords_drivers['passwords.driver.sha_xf1']->hash('foobar'));
}
protected function utf8_to_cp1252($string)
{
static $transform = array(
"\xE2\x82\xAC" => "\x80",
"\xE2\x80\x9A" => "\x82",
"\xC6\x92" => "\x83",
"\xE2\x80\x9E" => "\x84",
"\xE2\x80\xA6" => "\x85",
"\xE2\x80\xA0" => "\x86",
"\xE2\x80\xA1" => "\x87",
"\xCB\x86" => "\x88",
"\xE2\x80\xB0" => "\x89",
"\xC5\xA0" => "\x8A",
"\xE2\x80\xB9" => "\x8B",
"\xC5\x92" => "\x8C",
"\xC5\xBD" => "\x8E",
"\xE2\x80\x98" => "\x91",
"\xE2\x80\x99" => "\x92",
"\xE2\x80\x9C" => "\x93",
"\xE2\x80\x9D" => "\x94",
"\xE2\x80\xA2" => "\x95",
"\xE2\x80\x93" => "\x96",
"\xE2\x80\x94" => "\x97",
"\xCB\x9C" => "\x98",
"\xE2\x84\xA2" => "\x99",
"\xC5\xA1" => "\x9A",
"\xE2\x80\xBA" => "\x9B",
"\xC5\x93" => "\x9C",
"\xC5\xBE" => "\x9E",
"\xC5\xB8" => "\x9F",
"\xC2\xA0" => "\xA0",
"\xC2\xA1" => "\xA1",
"\xC2\xA2" => "\xA2",
"\xC2\xA3" => "\xA3",
"\xC2\xA4" => "\xA4",
"\xC2\xA5" => "\xA5",
"\xC2\xA6" => "\xA6",
"\xC2\xA7" => "\xA7",
"\xC2\xA8" => "\xA8",
"\xC2\xA9" => "\xA9",
"\xC2\xAA" => "\xAA",
"\xC2\xAB" => "\xAB",
"\xC2\xAC" => "\xAC",
"\xC2\xAD" => "\xAD",
"\xC2\xAE" => "\xAE",
"\xC2\xAF" => "\xAF",
"\xC2\xB0" => "\xB0",
"\xC2\xB1" => "\xB1",
"\xC2\xB2" => "\xB2",
"\xC2\xB3" => "\xB3",
"\xC2\xB4" => "\xB4",
"\xC2\xB5" => "\xB5",
"\xC2\xB6" => "\xB6",
"\xC2\xB7" => "\xB7",
"\xC2\xB8" => "\xB8",
"\xC2\xB9" => "\xB9",
"\xC2\xBA" => "\xBA",
"\xC2\xBB" => "\xBB",
"\xC2\xBC" => "\xBC",
"\xC2\xBD" => "\xBD",
"\xC2\xBE" => "\xBE",
"\xC2\xBF" => "\xBF",
"\xC3\x80" => "\xC0",
"\xC3\x81" => "\xC1",
"\xC3\x82" => "\xC2",
"\xC3\x83" => "\xC3",
"\xC3\x84" => "\xC4",
"\xC3\x85" => "\xC5",
"\xC3\x86" => "\xC6",
"\xC3\x87" => "\xC7",
"\xC3\x88" => "\xC8",
"\xC3\x89" => "\xC9",
"\xC3\x8A" => "\xCA",
"\xC3\x8B" => "\xCB",
"\xC3\x8C" => "\xCC",
"\xC3\x8D" => "\xCD",
"\xC3\x8E" => "\xCE",
"\xC3\x8F" => "\xCF",
"\xC3\x90" => "\xD0",
"\xC3\x91" => "\xD1",
"\xC3\x92" => "\xD2",
"\xC3\x93" => "\xD3",
"\xC3\x94" => "\xD4",
"\xC3\x95" => "\xD5",
"\xC3\x96" => "\xD6",
"\xC3\x97" => "\xD7",
"\xC3\x98" => "\xD8",
"\xC3\x99" => "\xD9",
"\xC3\x9A" => "\xDA",
"\xC3\x9B" => "\xDB",
"\xC3\x9C" => "\xDC",
"\xC3\x9D" => "\xDD",
"\xC3\x9E" => "\xDE",
"\xC3\x9F" => "\xDF",
"\xC3\xA0" => "\xE0",
"\xC3\xA1" => "\xE1",
"\xC3\xA2" => "\xE2",
"\xC3\xA3" => "\xE3",
"\xC3\xA4" => "\xE4",
"\xC3\xA5" => "\xE5",
"\xC3\xA6" => "\xE6",
"\xC3\xA7" => "\xE7",
"\xC3\xA8" => "\xE8",
"\xC3\xA9" => "\xE9",
"\xC3\xAA" => "\xEA",
"\xC3\xAB" => "\xEB",
"\xC3\xAC" => "\xEC",
"\xC3\xAD" => "\xED",
"\xC3\xAE" => "\xEE",
"\xC3\xAF" => "\xEF",
"\xC3\xB0" => "\xF0",
"\xC3\xB1" => "\xF1",
"\xC3\xB2" => "\xF2",
"\xC3\xB3" => "\xF3",
"\xC3\xB4" => "\xF4",
"\xC3\xB5" => "\xF5",
"\xC3\xB6" => "\xF6",
"\xC3\xB7" => "\xF7",
"\xC3\xB8" => "\xF8",
"\xC3\xB9" => "\xF9",
"\xC3\xBA" => "\xFA",
"\xC3\xBB" => "\xFB",
"\xC3\xBC" => "\xFC",
"\xC3\xBD" => "\xFD",
"\xC3\xBE" => "\xFE",
"\xC3\xBF" => "\xFF"
);
return strtr($string, $transform);
}
}

50
tests/passwords/manager_test.php
View File

@ -24,13 +24,25 @@ class phpbb_passwords_manager_test extends \phpbb_test_case
// Prepare dependencies for manager and driver
$config = new \phpbb\config\config(array());
$this->driver_helper = new \phpbb\passwords\driver\helper($config);
$request = new phpbb_mock_request(array(), array(), array(), array(), array('password' => 'töst'));
$phpbb_root_path = dirname(__FILE__) . '/../../phpBB/';
$php_ext = 'php';
$this->passwords_drivers = array(
'passwords.driver.bcrypt_2y' => new \phpbb\passwords\driver\bcrypt_2y($config, $this->driver_helper),
'passwords.driver.bcrypt_2y' => new \phpbb\passwords\driver\bcrypt_2y($config, $this->driver_helper),
'passwords.driver.bcrypt' => new \phpbb\passwords\driver\bcrypt($config, $this->driver_helper),
'passwords.driver.salted_md5' => new \phpbb\passwords\driver\salted_md5($config, $this->driver_helper),
'passwords.driver.salted_md5' => new \phpbb\passwords\driver\salted_md5($config, $this->driver_helper),
'passwords.driver.phpass' => new \phpbb\passwords\driver\phpass($config, $this->driver_helper),
'passwords.driver.convert_password' => new \phpbb\passwords\driver\convert_password($config, $this->driver_helper),
'passwords.driver.sha1_smf' => new \phpbb\passwords\driver\sha1_smf($config, $this->driver_helper),
'passwords.driver.sha1' => new \phpbb\passwords\driver\sha1($config, $this->driver_helper),
'passwords.driver.sha1_wcf1' => new \phpbb\passwords\driver\sha1_wcf1($config, $this->driver_helper),
'passwords.driver.md5_mybb' => new \phpbb\passwords\driver\md5_mybb($config, $this->driver_helper),
'passwords.driver.md5_vb' => new \phpbb\passwords\driver\md5_vb($config, $this->driver_helper),
'passwords.driver.sha_xf1' => new \phpbb\passwords\driver\sha_xf1($config, $this->driver_helper),
);
$this->passwords_drivers['passwords.driver.md5_phpbb2'] = new \phpbb\passwords\driver\md5_phpbb2($request, $this->passwords_drivers['passwords.driver.salted_md5'], $phpbb_root_path, $php_ext);
$this->passwords_drivers['passwords.driver.bcrypt_wcf2'] = new \phpbb\passwords\driver\bcrypt_wcf2($this->passwords_drivers['passwords.driver.bcrypt'], $this->driver_helper);
$this->helper = new \phpbb\passwords\helper;
// Set up passwords manager
@ -132,21 +144,39 @@ class phpbb_passwords_manager_test extends \phpbb_test_case
public function check_hash_exceptions_data()
{
return array(
array('foobar', '3858f62230ac3c915f300c664312c63f', true),
array('foobar', '$S$b57a939fa4f2c04413a4eea9734a0903647b7adb93181295', false),
array('foobar', '$2a\S$kkkkaakdkdiej39023903204j2k3490234jk234j02349', false),
array('foobar', '$H$kklk938d023k//k3023', false),
array('foobar', '$H$3PtYMgXb39lrIWkgoxYLWtRkZtY3AY/', false),
array('foobar', '$2a$kwiweorurlaeirw', false),
array('3858f62230ac3c915f300c664312c63f', true),
array('$CP$3858f62230ac3c915f300c664312c63f', true), // md5_phpbb2
array('$CP$3858f62230ac3c915f300c', false),
array('$S$b57a939fa4f2c04413a4eea9734a0903647b7adb93181295', false),
array('$2a\S$kkkkaakdkdiej39023903204j2k3490234jk234j02349', false),
array('$H$kklk938d023k//k3023', false),
array('$H$3PtYMgXb39lrIWkgoxYLWtRkZtY3AY/', false),
array('$2a$kwiweorurlaeirw', false),
array('6f9e2a1899e1f15708fd2e554103480eb53e8b57', false),
array('6f9e2a1899e1f15708fd2e554103480eb53e8b57', false, 'foobar', array('login_name' => 'test')),
array('$CP$6f9e2a1899e1f15708fd2e554103480eb53e8b57', true, 'foobar', array('login_name' => 'test')), // sha1_smf
array('6f9e2a1899', false, 'foobar', array('login_name' => 'test')),
array('ae2fc75e20ee25d4520766788fbc96ae', false, 'fööbar'),
array('$CP$ae2fc75e20ee25d4520766788fbc96ae', false, 'fööbar'),
array('$CP$ae2fc75e20ee25d4520766788fbc96ae', true, utf8_decode('fööbar')), // md5_phpbb2
array('b86ee7e24008bfd2890dcfab1ed31333', false, 'foobar', array('user_passwd_salt' => 'yeOtfFO6')),
array('$CP$b86ee7e24008bfd2890dcfab1ed31333', true, 'foobar', array('user_passwd_salt' => 'yeOtfFO6')), // md5_mybb
array('$CP$b452c54c44c588fc095d2d000935c470', true, 'foobar', array('user_passwd_salt' => '9^F')), // md5_vb
array('$CP$f23a8241bd115d270c703213e3ef7f52', true, 'foobar', array('user_passwd_salt' => 'iaU*U%`CBl;/e~>D%do2m@Xf/,KZB0')), // md5_vb
array('$CP$fc46b9d9386167ce365ea3b891bf5dc31ddcd3ff', true, 'foobar', array('user_passwd_salt' => '1a783e478d63f6422783a868db667aed3a857840')), // sha_wcf1
array('$2a$08$p8h14U0jsEiVb1Luy.s8oOTXSQ0hVWUXpcNGBoCezeYNXrQyCKHfi', false),
array('$CP$$2a$08$p8h14U0jsEiVb1Luy.s8oOTXSQ0hVWUXpcNGBoCezeYNXrQyCKHfi', true), // bcrypt_wcf2
array('$CP$7f65d2fa8a826d232f8134772252f8b1aaef8594b1edcabd9ab65e5b0f236ff0', true, 'foobar', array('user_passwd_salt' => '15b6c02cedbd727f563dcca607a89b085287b448966f19c0cc78cae263b1e38c')), // sha_xf1
array('$CP$69962ae2079420573a3948cc4dedbabd35680051', true, 'foobar', array('user_passwd_salt' => '15b6c02cedbd727f563dcca607a89b085287b448966f19c0cc78cae263b1e38c')), // sha_xf1
);
}
/**
* @dataProvider check_hash_exceptions_data
*/
public function test_check_hash_exceptions($password, $hash, $expected)
public function test_check_hash_exceptions($hash, $expected, $password = 'foobar', $user_row = array())
{
$this->assertEquals($expected, $this->manager->check($password, $hash));
$this->assertEquals($expected, $this->manager->check($password, $hash, $user_row));
}
public function data_hash_password_length()

6
tests/session/testable_factory.php
View File

@ -96,6 +96,12 @@ class phpbb_session_testable_factory
'auth.provider.db',
new phpbb_mock_auth_provider()
);
$provider_collection = new \phpbb\auth\provider_collection($phpbb_container, $config);
$provider_collection->add('auth.provider.db');
$phpbb_container->set(
'auth.provider_collection',
$provider_collection
);
$session = new phpbb_mock_session_testable;
return $session;