[ticket/12352] Introduce user row to passwords check methods

This will ensure that legacy hash types that might need the user row can properly check if the supplied password is correct. PHPBB3-12352
2025-02-24 12:03:21 +01:00 · 2014-05-01 14:21:24 +02:00 · 2014-05-01 14:21:24 +02:00 · ee72e7b3ad
commit ee72e7b3ad
parent 2ea45a06e7
4 changed files with 24 additions and 5 deletions
--- a/phpBB/phpbb/passwords/driver/bcrypt.php
+++ b/phpBB/phpbb/passwords/driver/bcrypt.php
@ -60,7 +60,7 @@ class bcrypt extends base
 	/**
 	* @inheritdoc
 	*/
-	public function check($password, $hash)
+	public function check($password, $hash, $user_row = array())
 	{
 		$salt = substr($hash, 0, 29);
 		if (strlen($salt) != 29)
--- a/phpBB/phpbb/passwords/driver/driver_interface.php
+++ b/phpBB/phpbb/passwords/driver/driver_interface.php
@ -51,10 +51,11 @@ interface driver_interface
 	*
 	* @param string		$password The password to check
 	* @param string		$hash The password hash to check against
+	* @param string		$user_row User's row in users table
 	*
 	* @return bool		True if password is correct, else false
 	*/
-	public function check($password, $hash);
+	public function check($password, $hash, $user_row = array());

 	/**
 	* Get only the settings of the specified hash
--- a/phpBB/phpbb/passwords/driver/salted_md5.php
+++ b/phpBB/phpbb/passwords/driver/salted_md5.php
@ -92,7 +92,7 @@ class salted_md5 extends base
 	/**
 	* @inheritdoc
 	*/
-	public function check($password, $hash)
+	public function check($password, $hash, $user_row = array())
 	{
 		if (strlen($hash) !== 34)
 		{
--- a/phpBB/phpbb/passwords/manager.php
+++ b/phpBB/phpbb/passwords/manager.php
@ -141,7 +141,7 @@ class manager
 		*/
 		if (!preg_match('#^\$([a-zA-Z0-9\\\]*?)\$#', $hash, $match))
 		{
-			return $this->get_algorithm('$H$');
+			return false;
 		}

 		// Be on the lookout for multiple hashing algorithms
@ -224,9 +224,10 @@ class manager
 	*
 	* @param string $password Password that should be checked
 	* @param string $hash Stored hash
+	* @param array	$user_row User's row in users table
 	* @return string|bool True if password is correct, false if not
 	*/
-	public function check($password, $hash)
+	public function check($password, $hash, $user_row = array())
 	{
 		if (strlen($password) > 4096)
 		{
@ -235,10 +236,27 @@ class manager
 			return false;
 		}

+		// Empty hashes can't be checked
+		if (empty($hash))
+		{
+			return false;
+		}
+
 		// First find out what kind of hash we're dealing with
 		$stored_hash_type = $this->detect_algorithm($hash);
 		if ($stored_hash_type == false)
 		{
+			// Might be a legacy hash type. Check all legacy
+			// hash types and set convert flag to true if password
+			// is correct
+			foreach ($this->type_map as $algorithm)
+			{
+				if ($algorithm->is_legacy() && $algorithm->check($password, $hash, $user_row) === true)
+				{
+					$this->convert_flag = true;
+					return true;
+				}
+			}
 			return false;
 		}