makary/phpbb
1
0
Fork 0
mirror of https://github.com/phpbb/phpbb.git synced 2025-06-28 14:18:52 +00:00
Code Issues Projects Releases Packages Wiki Activity

[feature/passwords] Do not hash passwords longer than 4096 bytes

Browse source 
PHPBB3-11610
This commit is contained in:
Marc Alexander 2013-10-01 17:38:52 +02:00
parent 3ebff0a960
commit 61e4c0f251
1 changed files with 14 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

14
phpBB/phpbb/passwords/manager.php
View file

@ -191,6 +191,13 @@ class manager
*/ */
public function hash_password($password, $type = '') public function hash_password($password, $type = '')
{ {
if (strlen($password) > 4096)
{
// If the password is too huge, we will simply reject it
// and not let the server try to hash it.
return false;
}
$type = ($type === '') ? $this->type : $type; $type = ($type === '') ? $this->type : $type;
if (is_array($type)) if (is_array($type))
@ -230,6 +237,13 @@ class manager
*/ */
public function check_hash($password, $hash) public function check_hash($password, $hash)
{ {
if (strlen($password) > 4096)
{
// If the password is too huge, we will simply reject it
// and not let the server try to hash it.
return false;
}
// First find out what kind of hash we're dealing with // First find out what kind of hash we're dealing with
$stored_hash_type = $this->detect_algorithm($hash); $stored_hash_type = $this->detect_algorithm($hash);
if ($stored_hash_type == false) if ($stored_hash_type == false)