mirror of https://github.com/phpbb/phpbb.git synced 2025-02-24 12:03:21 +01:00

[ticket/12352] Introduce user row to passwords check methods

This will ensure that legacy hash types that might need the user row can
properly check if the supplied password is correct.

PHPBB3-12352
Marc Alexander 2014-05-01 14:21:24 +02:00
parent 2ea45a06e7
commit ee72e7b3ad
4 changed files with 24 additions and 5 deletions


@ -60,7 +60,7 @@ class bcrypt extends base
/** /**
* @inheritdoc * @inheritdoc
*/ */
public function check($password, $hash) public function check($password, $hash, $user_row = array())
{ {
$salt = substr($hash, 0, 29); $salt = substr($hash, 0, 29);
if (strlen($salt) != 29) if (strlen($salt) != 29)


@ -51,10 +51,11 @@ interface driver_interface
* *
* @param string $password The password to check * @param string $password The password to check
* @param string $hash The password hash to check against * @param string $hash The password hash to check against
* @param string $user_row User's row in users table
* *
* @return bool True if password is correct, else false * @return bool True if password is correct, else false
*/ */
public function check($password, $hash); public function check($password, $hash, $user_row = array());
/** /**
* Get only the settings of the specified hash * Get only the settings of the specified hash
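Review bot: The added docblock line declares `$user_row` as `string`, but the signature below it defaults the argument to `array()` and the manager's docblock for the same argument says `array`; the line should read `* @param array $user_row User's row in users table`. The description should also say that the row is optional and may be empty, so a driver must not assume any column is present. Because this changes the interface signature, any class implementing `driver_interface` outside the files touched here would need the same third parameter; whether such drivers exist is not visible on this page.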


@ -92,7 +92,7 @@ class salted_md5 extends base
/** /**
* @inheritdoc * @inheritdoc
*/ */
public function check($password, $hash) public function check($password, $hash, $user_row = array())
{ {
if (strlen($hash) !== 34) if (strlen($hash) !== 34)
{ {


@ -141,7 +141,7 @@ class manager
*/ */
if (!preg_match('#^\$([a-zA-Z0-9\\\]*?)\$#', $hash, $match)) if (!preg_match('#^\$([a-zA-Z0-9\\\]*?)\$#', $hash, $match))
{ {
return $this->get_algorithm('$H$'); return false;
} }
// Be on the lookout for multiple hashing algorithms // Be on the lookout for multiple hashing algorithms
@ -224,9 +224,10 @@ class manager
* *
* @param string $password Password that should be checked * @param string $password Password that should be checked
* @param string $hash Stored hash * @param string $hash Stored hash
* @param array $user_row User's row in users table
* @return string|bool True if password is correct, false if not * @return string|bool True if password is correct, false if not
*/ */
public function check($password, $hash) public function check($password, $hash, $user_row = array())
{ {
if (strlen($password) > 4096) if (strlen($password) > 4096)
{ {
@ -235,10 +236,27 @@ class manager
return false; return false;
} }
// Empty hashes can't be checked
if (empty($hash))
{
return false;
}
// First find out what kind of hash we're dealing with // First find out what kind of hash we're dealing with
$stored_hash_type = $this->detect_algorithm($hash); $stored_hash_type = $this->detect_algorithm($hash);
if ($stored_hash_type == false) if ($stored_hash_type == false)
{ {
// Might be a legacy hash type. Check all legacy
// hash types and set convert flag to true if password
// is correct
foreach ($this->type_map as $algorithm)
{
if ($algorithm->is_legacy() && $algorithm->check($password, $hash, $user_row) === true)
{
$this->convert_flag = true;
return true;
}
}
return false; return false;
} }
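Review bot: In the last hunk, the legacy fallback in `check()` accepts the password as soon as any driver with `is_legacy()` returns `true` for a stored value that has no `$...$` prefix, so the result rests entirely on each legacy driver rejecting hashes that are not in its own format; that contract is not documented here and no legacy driver is visible in this commit. I would state it above the loop, e.g. `// Legacy drivers must return true only for hashes in their own format; $user_row may be an empty array`. Since `detect_algorithm()` now returns `false` in the first hunk, `if ($stored_hash_type === false)` is a more precise test than the loose `== false`, and other callers of `detect_algorithm()` that relied on getting the `$H$` driver back should be checked; they are outside this page. Whether `$this->convert_flag` is reset at the start of each `check()` call is not shown either, and `check()` continues past the end of the hunk.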