mirror/php-phpbb
1
0
Fork 0
mirror of https://github.com/phpbb/phpbb.git synced 2025-07-31 22:10:45 +02:00
Code Issues Releases Wiki Activity

As proposed by marshalrusty: re-hash plain MD5s left in the database

Browse Source 
git-svn-id: file:///svn/phpbb/branches/phpBB-3_0_0@9312 89ea8834-ac86-4346-8a33-228a782c2dd0
This commit is contained in:
Henry Sudhof
2009-02-06 14:51:26 +00:00
parent f0efebefd5
commit e5f0824e4b
3 changed files with 32 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
phpBB/includes/auth/auth_db.php
View File

@@ -141,7 +141,9 @@ function login_db(&$username, &$password)
}
// cp1252 is phpBB2's default encoding, characters outside ASCII range might work when converted into that encoding
if (md5($password_old_format) == $row['user_password'] || md5(utf8_to_cp1252($password_old_format)) == $row['user_password'])
// plain md5 support left in for conversions from other systems.
if ((strlen($row['user_password']) == 34 && (phpbb_check_hash(md5($password_old_format), $row['user_password']) || phpbb_check_hash(md5(utf8_to_cp1252($password_old_format)), $row['user_password'])))
|| (strlen($row['user_password']) == 32 && (md5($password_old_format) == $row['user_password'] || md5(utf8_to_cp1252($password_old_format)) == $row['user_password'])))
{
$hash = phpbb_hash($password_new_format);
@@ -155,7 +157,7 @@ function login_db(&$username, &$password)
$row['user_pass_convert'] = 0;
$row['user_password'] = $hash;
}
else
else
{
// Although we weren't able to convert this password we have to
// increase login attempt count to make sure this cannot be exploited