[ticket/12352] Do not check hashes that don't have the necessary length

This should significantly reduce the time spent on checking hashes of passwords that should be converted. PHPBB3-12352
2025-02-24 12:03:21 +01:00 · 2014-06-02 10:14:26 +02:00 · 2014-06-02 10:14:26 +02:00 · ac311e1b39
commit ac311e1b39
parent 94b2b64ca1
7 changed files with 7 additions and 7 deletions
--- a/phpBB/phpbb/passwords/driver/bcrypt_wcf2.php
+++ b/phpBB/phpbb/passwords/driver/bcrypt_wcf2.php
@ -65,7 +65,7 @@ class bcrypt_wcf2 extends base
 	*/
 	public function check($password, $hash, $user_row = array())
 	{
-		if (empty($hash))
+		if (empty($hash) || strlen($hash) != 60)
 		{
 			return false;
 		}
--- a/phpBB/phpbb/passwords/driver/md5_mybb.php
+++ b/phpBB/phpbb/passwords/driver/md5_mybb.php
@ -47,7 +47,7 @@ class md5_mybb extends base
 	*/
 	public function check($password, $hash, $user_row = array())
 	{
-		if (empty($hash) || !isset($user_row['user_passwd_salt']))
+		if (empty($hash) || strlen($hash) != 32 || !isset($user_row['user_passwd_salt']))
 		{
 			return false;
 		}
--- a/phpBB/phpbb/passwords/driver/md5_vb.php
+++ b/phpBB/phpbb/passwords/driver/md5_vb.php
@ -47,7 +47,7 @@ class md5_vb extends base
 	*/
 	public function check($password, $hash, $user_row = array())
 	{
-		if (empty($hash) || !isset($user_row['user_passwd_salt']))
+		if (empty($hash) || strlen($hash) != 32 || !isset($user_row['user_passwd_salt']))
 		{
 			return false;
 		}
--- a/phpBB/phpbb/passwords/driver/sha1.php
+++ b/phpBB/phpbb/passwords/driver/sha1.php
@ -47,6 +47,6 @@ class sha1 extends base
 	*/
 	public function check($password, $hash, $user_row = array())
 	{
-		return $hash === sha1($password);
+		return (strlen($hash) == 40) ? $hash === sha1($password) : false;
 	}
 }
--- a/phpBB/phpbb/passwords/driver/sha1_smf.php
+++ b/phpBB/phpbb/passwords/driver/sha1_smf.php
@ -46,6 +46,6 @@ class sha1_smf extends base
 	*/
 	public function check($password, $hash, $user_row = array())
 	{
-		return $hash === $this->hash($password, $user_row);
+		return (strlen($hash) == 40) ? $hash === $this->hash($password, $user_row) : false;
 	}
 }
--- a/phpBB/phpbb/passwords/driver/sha1_wcf1.php
+++ b/phpBB/phpbb/passwords/driver/sha1_wcf1.php
@ -47,7 +47,7 @@ class sha1_wcf1 extends base
 	*/
 	public function check($password, $hash, $user_row = array())
 	{
-		if (empty($hash) || !isset($user_row['user_passwd_salt']))
+		if (empty($hash) || strlen($hash) != 40 || !isset($user_row['user_passwd_salt']))
 		{
 			return false;
 		}
--- a/phpBB/phpbb/passwords/driver/sha_xf1.php
+++ b/phpBB/phpbb/passwords/driver/sha_xf1.php
@ -47,7 +47,7 @@ class sha_xf1 extends base
 	*/
 	public function check($password, $hash, $user_row = array())
 	{
-		if (empty($hash) || !isset($user_row['user_passwd_salt']))
+		if (empty($hash) || (strlen($hash) != 40 && strlen($hash) != 64) || !isset($user_row['user_passwd_salt']))
 		{
 			return false;
 		}