From 2ea45a06e724dfe9c3248fbb659d86558b55265e Mon Sep 17 00:00:00 2001 From: Marc Alexander Date: Thu, 24 Apr 2014 21:00:33 +0200 Subject: [PATCH 01/33] [ticket/12352] Add legacy passwords driver for sha1 smf type passwords PHPBB3-12352 --- phpBB/config/passwords.yml | 8 +++ phpBB/phpbb/passwords/driver/base.php | 8 +++ .../passwords/driver/driver_interface.php | 7 +++ phpBB/phpbb/passwords/driver/sha1_smf.php | 58 +++++++++++++++++++ tests/passwords/drivers_test.php | 33 +++++++++++ tests/passwords/manager_test.php | 1 + 6 files changed, 115 insertions(+) create mode 100644 phpBB/phpbb/passwords/driver/sha1_smf.php diff --git a/phpBB/config/passwords.yml b/phpBB/config/passwords.yml index 9e249a2c12..29986a85f2 100644 --- a/phpBB/config/passwords.yml +++ b/phpBB/config/passwords.yml @@ -38,6 +38,14 @@ services: tags: - { name: passwords.driver } + passwords.driver.sha1_smf: + class: phpbb\passwords\driver\sha1_smf + arguments: + - @config + - @passwords.driver_helper + tags: + - { name: passwords.driver } + passwords.driver_collection: class: phpbb\di\service_collection arguments: diff --git a/phpBB/phpbb/passwords/driver/base.php b/phpBB/phpbb/passwords/driver/base.php index fffc9d1461..b74c2d3d72 100644 --- a/phpBB/phpbb/passwords/driver/base.php +++ b/phpBB/phpbb/passwords/driver/base.php @@ -43,4 +43,12 @@ abstract class base implements driver_interface { return true; } + + /** + * @inheritdoc + */ + public function is_legacy() + { + return false; + } } diff --git a/phpBB/phpbb/passwords/driver/driver_interface.php b/phpBB/phpbb/passwords/driver/driver_interface.php index 54c9d6500e..d38681b75f 100644 --- a/phpBB/phpbb/passwords/driver/driver_interface.php +++ b/phpBB/phpbb/passwords/driver/driver_interface.php 
@@ -22,6 +22,13 @@ interface driver_interface */ public function is_supported(); + /** + * Check if hash type is a legacy hash type + * + * @return bool True if it's a legacy hash type, false if not + */ + public function is_legacy(); + /** * Returns the hash prefix * diff --git a/phpBB/phpbb/passwords/driver/sha1_smf.php b/phpBB/phpbb/passwords/driver/sha1_smf.php new file mode 100644 index 0000000000..f7f5587485 --- /dev/null +++ b/phpBB/phpbb/passwords/driver/sha1_smf.php @@ -0,0 +1,58 @@ +hash($password, $user_row); + } + + /** + * @inheritdoc + */ + public function get_settings_only($hash, $full = false) + { + return false; + } +} diff --git a/tests/passwords/drivers_test.php b/tests/passwords/drivers_test.php index c2104b0858..5e2518cdea 100644 --- a/tests/passwords/drivers_test.php +++ b/tests/passwords/drivers_test.php @@ -24,6 +24,7 @@ class phpbb_passwords_helper_test extends \phpbb_test_case 'passwords.driver.bcrypt' => new \phpbb\passwords\driver\bcrypt($config, $this->driver_helper), 'passwords.driver.salted_md5' => new \phpbb\passwords\driver\salted_md5($config, $this->driver_helper), 'passwords.driver.phpass' => new \phpbb\passwords\driver\phpass($config, $this->driver_helper), + 'passwords.driver.sha1_smf' => new \phpbb\passwords\driver\sha1_smf($config, $this->driver_helper), ); } 
@@ -82,4 +83,36 @@ class phpbb_passwords_helper_test extends \phpbb_test_case ); $this->assertEquals(false, $this->passwords_drivers['passwords.driver.salted_md5']->get_hash_settings(false)); } + + public function data_hash_sha1_smf() + { + return array( + array(false, 'test', array()), + array(false, 'test', ''), + array('6f9e2a1899e1f15708fd2e554103480eb53e8b57', 'foobar', array('login_name' => 'test')), + ); + } + + /** + * @dataProvider data_hash_sha1_smf + */ + public function test_hash_sha1_smf($expected, $password, $user_row) + { + $this->assertSame($expected, $this->passwords_drivers['passwords.driver.sha1_smf']->hash($password, $user_row)); + } + + public function data_get_settings() + { + return array( + array(false, '6f9e2a1899e1f15708fd2e554103480eb53e8b57', 'passwords.driver.sha1_smf'), + ); + } + + /** + * @dataProvider data_get_settings + */ + public function test_get_settings_only($expected, $hash, $driver) + { + $this->assertSame($expected, $this->passwords_drivers[$driver]->get_settings_only($hash)); + } } diff --git a/tests/passwords/manager_test.php b/tests/passwords/manager_test.php index f9244d59f2..83ae233e3c 100644 --- a/tests/passwords/manager_test.php +++ b/tests/passwords/manager_test.php @@ -30,6 +30,7 @@ class phpbb_passwords_manager_test extends \phpbb_test_case 'passwords.driver.bcrypt' => new \phpbb\passwords\driver\bcrypt($config, $this->driver_helper), 'passwords.driver.salted_md5' => new \phpbb\passwords\driver\salted_md5($config, $this->driver_helper), 'passwords.driver.phpass' => new \phpbb\passwords\driver\phpass($config, $this->driver_helper), + 'passwords.driver.sha1_smf' => new \phpbb\passwords\driver\sha1_smf($config, $this->driver_helper), ); $this->helper = new \phpbb\passwords\helper; From ee72e7b3ad31d60fa1189c6d852f2134ab37f7f2 Mon Sep 17 00:00:00 2001 
From: Marc Alexander Date: Thu, 1 May 2014 14:21:24 +0200 Subject: [PATCH 02/33] [ticket/12352] Introduce user row to passwords check methods This will ensure that legacy hash types that might need the user row can properly check if the supplied password is correct. PHPBB3-12352 --- phpBB/phpbb/passwords/driver/bcrypt.php | 2 +- .../passwords/driver/driver_interface.php | 3 ++- phpBB/phpbb/passwords/driver/salted_md5.php | 2 +- phpBB/phpbb/passwords/manager.php | 22 +++++++++++++++++-- 4 files changed, 24 insertions(+), 5 deletions(-) diff --git a/phpBB/phpbb/passwords/driver/bcrypt.php b/phpBB/phpbb/passwords/driver/bcrypt.php index 3edf7255c0..de5840c7cf 100644 --- a/phpBB/phpbb/passwords/driver/bcrypt.php +++ b/phpBB/phpbb/passwords/driver/bcrypt.php @@ -60,7 +60,7 @@ class bcrypt extends base /** * @inheritdoc */ - public function check($password, $hash) + public function check($password, $hash, $user_row = array()) { $salt = substr($hash, 0, 29); if (strlen($salt) != 29) diff --git a/phpBB/phpbb/passwords/driver/driver_interface.php b/phpBB/phpbb/passwords/driver/driver_interface.php index d38681b75f..a257e71f23 100644 --- a/phpBB/phpbb/passwords/driver/driver_interface.php +++ b/phpBB/phpbb/passwords/driver/driver_interface.php @@ -51,10 +51,11 @@ interface driver_interface * * @param string $password The password to check * @param string $hash The password hash to check against + * @param string $user_row User's row in users table * * @return bool True if password is correct, else false */ - public function check($password, $hash); + public function check($password, $hash, $user_row = array()); /** * Get only the settings of the specified hash diff --git a/phpBB/phpbb/passwords/driver/salted_md5.php b/phpBB/phpbb/passwords/driver/salted_md5.php index a9f6712751..22e2557518 100644 --- a/phpBB/phpbb/passwords/driver/salted_md5.php +++ b/phpBB/phpbb/passwords/driver/salted_md5.php 
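Review bot: The new `@param string $user_row` tag in driver_interface.php documents the wrong type, since the parameter defaults to `array()` and manager.php documents the same argument as an array in this commit. It should read `@param array $user_row User's row in users table`. It would also help to state in the docblock that only legacy drivers are expected to read the row, so implementers know it may be empty.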
@@ -92,7 +92,7 @@ class salted_md5 extends base /** * @inheritdoc */ - public function check($password, $hash) + public function check($password, $hash, $user_row = array()) { if (strlen($hash) !== 34) { diff --git a/phpBB/phpbb/passwords/manager.php b/phpBB/phpbb/passwords/manager.php index 8b16cf55dd..66ca335d45 100644 --- a/phpBB/phpbb/passwords/manager.php +++ b/phpBB/phpbb/passwords/manager.php @@ -141,7 +141,7 @@ class manager */ if (!preg_match('#^\$([a-zA-Z0-9\\\]*?)\$#', $hash, $match)) { - return $this->get_algorithm('$H$'); + return false; } // Be on the lookout for multiple hashing algorithms @@ -224,9 +224,10 @@ class manager * * @param string $password Password that should be checked * @param string $hash Stored hash + * @param array $user_row User's row in users table * @return string|bool True if password is correct, false if not */ - public function check($password, $hash) + public function check($password, $hash, $user_row = array()) { if (strlen($password) > 4096) { @@ -235,10 +236,27 @@ class manager return false; } + // Empty hashes can't be checked + if (empty($hash)) + { + return false; + } + // First find out what kind of hash we're dealing with $stored_hash_type = $this->detect_algorithm($hash); if ($stored_hash_type == false) { + // Might be a legacy hash type. Check all legacy + // hash types and set convert flag to true if password + // is correct + foreach ($this->type_map as $algorithm) + { + if ($algorithm->is_legacy() && $algorithm->check($password, $hash, $user_row) === true) + { + $this->convert_flag = true; + return true; + } + } return false; } From 68f59defb041a719519547fdd34f25258a60a38e Mon Sep 17 00:00:00 2001 From: Marc Alexander Date: Thu, 1 May 2014 14:22:59 +0200 Subject: [PATCH 03/33] [ticket/12352] Mark salted md5 and phpass passwords driver as legacy PHPBB3-12352 --- phpBB/phpbb/passwords/driver/salted_md5.php | 8 ++++++++ 1 file changed, 8 insertions(+) 
diff --git a/phpBB/phpbb/passwords/driver/salted_md5.php b/phpBB/phpbb/passwords/driver/salted_md5.php index 22e2557518..b5f59754e1 100644 --- a/phpBB/phpbb/passwords/driver/salted_md5.php +++ b/phpBB/phpbb/passwords/driver/salted_md5.php @@ -53,6 +53,14 @@ class salted_md5 extends base return self::PREFIX; } + /** + * @inheritdoc + */ + public function is_legacy() + { + return true; + } + /** * @inheritdoc */ From ed1d4fe4a03c55bbc997f11afa11a87b4fe78c4d Mon Sep 17 00:00:00 2001 From: Marc Alexander Date: Thu, 1 May 2014 14:23:39 +0200 Subject: [PATCH 04/33] [ticket/12352] Revert to db auth provider if default does not exist This will make sure that we will not encounter a non-existing auth provider. We will revert to the default db auth provider if the one set in the config does not exist in our auth provider collection. PHPBB3-12352 --- phpBB/includes/functions.php | 11 ++++++++++- phpBB/phpbb/auth/provider/db.php | 3 ++- phpBB/phpbb/session.php | 18 ++++++++++++++++-- tests/session/testable_factory.php | 4 ++++ 4 files changed, 32 insertions(+), 4 deletions(-) diff --git a/phpBB/includes/functions.php b/phpBB/includes/functions.php index c423e29d9d..31a6246d34 100644 --- a/phpBB/includes/functions.php +++ b/phpBB/includes/functions.php @@ -2854,7 +2854,16 @@ function login_box($redirect = '', $l_explain = '', $l_success = '', $admin = fa $s_hidden_fields['credential'] = $credential; } - $auth_provider = $phpbb_container->get('auth.provider.' . $config['auth_method']); + $provider_collection = $phpbb_container->get('auth.provider_collection'); + $auth_method = $config['auth_method']; + + // Revert to db auth provider if selected method does not exist + if (!isset($provider_collection['auth.provider.' . $config['auth_method']])) + { + $auth_method = 'db'; + } + + $auth_provider = $provider_collection['auth.provider.' . $auth_method]; $auth_provider_data = $auth_provider->get_login_data(); if ($auth_provider_data) 
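Review bot: The fallback added to login_box() in functions.php silently swaps a configured but unavailable auth provider for `db`, and nothing in the hunk records that this happened. On a board configured for an external provider, local database passwords then become the accepted credential without any administrator-visible signal, so the fallback should at least write a log entry when it triggers. The same applies to the two session.php hunks of this commit. The lookup key here is also built from the raw `$config['auth_method']`, while session.php uses `basename(trim($config['auth_method']))`; using `$auth_method = basename(trim($config['auth_method']));` here too would keep the three lookups consistent. login_box() starts and ends outside the hunk.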
diff --git a/phpBB/phpbb/auth/provider/db.php b/phpBB/phpbb/auth/provider/db.php index 3be1d3873f..d5a6b0452a 100644 --- a/phpBB/phpbb/auth/provider/db.php +++ b/phpBB/phpbb/auth/provider/db.php @@ -201,7 +201,8 @@ class db extends \phpbb\auth\provider\base // cp1252 is phpBB2's default encoding, characters outside ASCII range might work when converted into that encoding // plain md5 support left in for conversions from other systems. if ((strlen($row['user_password']) == 34 && ($this->passwords_manager->check(md5($password_old_format), $row['user_password']) || $this->passwords_manager->check(md5(utf8_to_cp1252($password_old_format)), $row['user_password']))) - || (strlen($row['user_password']) == 32 && (md5($password_old_format) == $row['user_password'] || md5(utf8_to_cp1252($password_old_format)) == $row['user_password']))) + || (strlen($row['user_password']) == 32 && (md5($password_old_format) == $row['user_password'] || md5(utf8_to_cp1252($password_old_format)) == $row['user_password'])) + || ($this->passwords_manager->check($password_old_format, $row['user_password']) || $this->passwords_manager->check($password_new_format, $row['user_password']))) { $hash = $this->passwords_manager->hash($password_new_format); diff --git a/phpBB/phpbb/session.php b/phpBB/phpbb/session.php index d286dc9cfc..c663977882 100644 --- a/phpBB/phpbb/session.php +++ b/phpBB/phpbb/session.php @@ -410,7 +410,14 @@ class session // Check whether the session is still valid if we have one $method = basename(trim($config['auth_method'])); - $provider = $phpbb_container->get('auth.provider.' . $method); + $provider_collection = $phpbb_container->get('auth.provider_collection'); + + // Revert to db auth provider if selected method does not exist + if (!isset($provider_collection['auth.provider.' . $method])) + { + $method = 'db'; + } + $provider = $provider_collection['auth.provider.' . $method]; if (!($provider instanceof \phpbb\auth\provider\provider_interface)) { 
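Review bot: The 32-character branch of the changed condition in db.php still compares digests with `==` (`md5($password_old_format) == $row['user_password']`), and PHP compares two numeric-looking strings such as `0e…` values numerically rather than character by character. Unequal digests can therefore compare equal; `md5($password_old_format) === $row['user_password']` (and the same for the cp1252 variant) closes this, and a constant-time comparison would be better still where the supported PHP version offers one. The two `check()` calls appended to the condition also omit the user row, so a legacy driver that needs it cannot match from this path. The enclosing method starts and ends outside the hunk.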
@@ -579,7 +586,14 @@ class session $method = basename(trim($config['auth_method'])); - $provider = $phpbb_container->get('auth.provider.' . $method); + $provider_collection = $phpbb_container->get('auth.provider_collection'); + + // Revert to db auth provider if selected method does not exist + if (!isset($provider_collection['auth.provider.' . $method])) + { + $method = 'db'; + } + $provider = $provider_collection['auth.provider.' . $method]; $this->data = $provider->autologin(); if (sizeof($this->data)) diff --git a/tests/session/testable_factory.php b/tests/session/testable_factory.php index 81724cf661..4bd7fa1366 100644 --- a/tests/session/testable_factory.php +++ b/tests/session/testable_factory.php @@ -96,6 +96,10 @@ class phpbb_session_testable_factory 'auth.provider.db', new phpbb_mock_auth_provider() ); + $phpbb_container->set( + 'auth.provider_collection', + array('auth.provider.db' => $phpbb_container->get('auth.provider.db')) + ); $session = new phpbb_mock_session_testable; return $session; From 57e4fb38106a3ece446b8713693f89c8745538dc Mon Sep 17 00:00:00 2001 From: Marc Alexander Date: Thu, 1 May 2014 14:25:16 +0200 Subject: [PATCH 05/33] [ticket/12352] Add tests for checking smf passwords PHPBB3-12352 --- tests/passwords/manager_test.php | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/tests/passwords/manager_test.php b/tests/passwords/manager_test.php index 83ae233e3c..c2fda170a1 100644 --- a/tests/passwords/manager_test.php +++ b/tests/passwords/manager_test.php 
@@ -139,15 +139,18 @@ class phpbb_passwords_manager_test extends \phpbb_test_case array('foobar', '$H$kklk938d023k//k3023', false), array('foobar', '$H$3PtYMgXb39lrIWkgoxYLWtRkZtY3AY/', false), array('foobar', '$2a$kwiweorurlaeirw', false), + array('foobar', '6f9e2a1899e1f15708fd2e554103480eb53e8b57', false), + array('foobar', '6f9e2a1899e1f15708fd2e554103480eb53e8b57', true, array('login_name' => 'test')), + array('foobar', '6f9e2a1899', false, array('login_name' => 'test')), ); } /** * @dataProvider check_hash_exceptions_data */ - public function test_check_hash_exceptions($password, $hash, $expected) + public function test_check_hash_exceptions($password, $hash, $expected, $user_row = array()) { - $this->assertEquals($expected, $this->manager->check($password, $hash)); + $this->assertEquals($expected, $this->manager->check($password, $hash, $user_row)); } public function data_hash_password_length() From 1e758ba7f01fb07c2f497d755837bdce9bd57f18 Mon Sep 17 00:00:00 2001 From: Marc Alexander Date: Sun, 11 May 2014 22:23:23 +0200 Subject: [PATCH 06/33] [ticket/12352] Add passwords driver for passwords that should be converted This driver will only be used for getting the new $CP$ prefix that will signal that the hash is a legacy hash that needs to be converted. PHPBB3-12352 --- phpBB/config/passwords.yml | 8 +++ .../passwords/driver/convert_password.php | 50 +++++++++++++++++++ tests/passwords/manager_test.php | 6 ++- 3 files changed, 63 insertions(+), 1 deletion(-) create mode 100644 phpBB/phpbb/passwords/driver/convert_password.php diff --git a/phpBB/config/passwords.yml b/phpBB/config/passwords.yml index 29986a85f2..4f4a4621ee 100644 --- a/phpBB/config/passwords.yml +++ b/phpBB/config/passwords.yml 
@@ -38,6 +38,14 @@ services: tags: - { name: passwords.driver } + passwords.driver.convert_password: + class: phpbb\passwords\driver\convert_password + arguments: + - @config + - @passwords.driver_helper + tags: + - { name: passwords.driver } + passwords.driver.sha1_smf: class: phpbb\passwords\driver\sha1_smf arguments: diff --git a/phpBB/phpbb/passwords/driver/convert_password.php b/phpBB/phpbb/passwords/driver/convert_password.php new file mode 100644 index 0000000000..354c6b9ff3 --- /dev/null +++ b/phpBB/phpbb/passwords/driver/convert_password.php @@ -0,0 +1,50 @@ + new \phpbb\passwords\driver\bcrypt($config, $this->driver_helper), 'passwords.driver.salted_md5' => new \phpbb\passwords\driver\salted_md5($config, $this->driver_helper), 'passwords.driver.phpass' => new \phpbb\passwords\driver\phpass($config, $this->driver_helper), + 'passwords.driver.convert_password' => new \phpbb\passwords\driver\convert_password($config, $this->driver_helper), 'passwords.driver.sha1_smf' => new \phpbb\passwords\driver\sha1_smf($config, $this->driver_helper), ); 
@@ -134,13 +135,16 @@ class phpbb_passwords_manager_test extends \phpbb_test_case { return array( array('foobar', '3858f62230ac3c915f300c664312c63f', true), + array('foobar', '$CP$3858f62230ac3c915f300c664312c63f', true), + array('foobar', '$CP$3858f62230ac3c915f300c', false), array('foobar', '$S$b57a939fa4f2c04413a4eea9734a0903647b7adb93181295', false), array('foobar', '$2a\S$kkkkaakdkdiej39023903204j2k3490234jk234j02349', false), array('foobar', '$H$kklk938d023k//k3023', false), array('foobar', '$H$3PtYMgXb39lrIWkgoxYLWtRkZtY3AY/', false), array('foobar', '$2a$kwiweorurlaeirw', false), array('foobar', '6f9e2a1899e1f15708fd2e554103480eb53e8b57', false), - array('foobar', '6f9e2a1899e1f15708fd2e554103480eb53e8b57', true, array('login_name' => 'test')), + array('foobar', '6f9e2a1899e1f15708fd2e554103480eb53e8b57', false, array('login_name' => 'test')), + array('foobar', '$CP$6f9e2a1899e1f15708fd2e554103480eb53e8b57', true, array('login_name' => 'test')), array('foobar', '6f9e2a1899', false, array('login_name' => 'test')), ); } From 2a96b9e285bfadee830fd57e770a210d72cd7610 Mon Sep 17 00:00:00 2001 From: Marc Alexander Date: Sun, 11 May 2014 22:25:44 +0200 Subject: [PATCH 07/33] [ticket/12352] Use $CP$ prefix for converting passwords in manager PHPBB3-12352 --- phpBB/phpbb/passwords/manager.php | 30 ++++++++++++++++++------------ 1 file changed, 18 insertions(+), 12 deletions(-) diff --git a/phpBB/phpbb/passwords/manager.php b/phpBB/phpbb/passwords/manager.php index 66ca335d45..7d46424e4d 100644 --- a/phpBB/phpbb/passwords/manager.php +++ b/phpBB/phpbb/passwords/manager.php 
@@ -246,18 +246,9 @@ class manager $stored_hash_type = $this->detect_algorithm($hash); if ($stored_hash_type == false) { - // Might be a legacy hash type. Check all legacy - // hash types and set convert flag to true if password - // is correct - foreach ($this->type_map as $algorithm) - { - if ($algorithm->is_legacy() && $algorithm->check($password, $hash, $user_row) === true) - { - $this->convert_flag = true; - return true; - } - } - return false; + // Still check MD5 hashes as that is what the installer + // will default to for the admin user + return $this->get_algorithm('$H$')->check($password, $hash); } // Multiple hash passes needed @@ -277,6 +268,21 @@ class manager $this->convert_flag = false; } + if ($stored_hash_type->get_prefix() === '$CP$') + { + // Check all legacy hash types for this hash. Remove + // $CP$ prefix from beginning for proper checking. + $hash = substr($hash, 4); + + foreach ($this->type_map as $algorithm) + { + if ($algorithm->is_legacy() && $algorithm->check($password, $hash, $user_row) === true) + { + return true; + } + } + } + return $stored_hash_type->check($password, $hash); } From f78b99dce4057dcb9125af940cb3ca369b2cce48 Mon Sep 17 00:00:00 2001 From: Marc Alexander Date: Sun, 11 May 2014 22:26:17 +0200 Subject: [PATCH 08/33] [ticket/12352] Add $CP$ prefix to passwords that need to be converted Also set user_pass_convert to 0 in the process of doing so. PHPBB3-12352 --- .../data/v310/passwords_convert_p1.php | 75 +++++++++++++++++++ 1 file changed, 75 insertions(+) create mode 100644 phpBB/phpbb/db/migration/data/v310/passwords_convert_p1.php diff --git a/phpBB/phpbb/db/migration/data/v310/passwords_convert_p1.php b/phpBB/phpbb/db/migration/data/v310/passwords_convert_p1.php new file mode 100644 index 0000000000..24af20cf5c --- /dev/null +++ b/phpBB/phpbb/db/migration/data/v310/passwords_convert_p1.php 
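Review bot: The `$CP$` branch in manager.php returns `true` from inside the legacy loop without touching `convert_flag`, whereas the loop it replaces set `$this->convert_flag = true;` before returning. Whether the flag is already true at that point depends on lines of check() outside the hunk, so the rehash of a legacy hash on successful login rests on an assumption that is not stated here. Setting the flag explicitly inside the loop, or adding a comment naming where it is set, would make that dependable. The prefix length is also hard-coded in `substr($hash, 4)`; `substr($hash, strlen($stored_hash_type->get_prefix()))` keeps it tied to the driver.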
@@ -0,0 +1,75 @@ +table_prefix . 'users + WHERE user_pass_convert = 1 + GROUP BY user_id + ORDER BY user_id'; + $result = $this->db->sql_query_limit($sql, $limit, $start); + + $update_users = array(); + while ($row = $this->db->sql_fetchrow($result)) + { + $converted_users++; + + $user_id = (int) $row['user_id']; + // Only prefix passwords without proper prefix + if (!isset($update_users[$user_id]) && !preg_match('#^\$([a-zA-Z0-9\\\]*?)\$#', $row['user_password'])) + { + // Use $CP$ prefix for passwords that need to + // be converted and set pass convert to false. + $update_users[$user_id] = array( + 'user_password' => '$CP$' . $row['user_password'], + 'user_pass_convert' => 0, + ); + } + } + $this->db->sql_freeresult($result); + + foreach ($update_users as $user_id => $user_data) + { + $sql = 'UPDATE ' . $this->table_prefix . 'users + SET ' . $this->db->sql_build_array('UPDATE', $user_data) . ' + WHERE user_id = ' . $user_id; + $this->sql_query($sql); + } + + if ($converted_users < $limit) + { + // There are no more users to be converted + return; + } + + // There are still more users to query, return the next start value + return $start + $limit; + } +} From 60cb648ab0bd3cba627f9f1c020ace613e18f3d5 Mon Sep 17 00:00:00 2001 From: Marc Alexander Date: Mon, 26 May 2014 13:26:46 +0200 Subject: [PATCH 09/33] [ticket/12352] Remove code for converting passwords in db auth provider PHPBB3-12352 --- phpBB/phpbb/auth/provider/db.php | 67 +------------------------------ phpBB/phpbb/passwords/manager.php | 4 +- 2 files changed, 3 insertions(+), 68 deletions(-) diff --git a/phpBB/phpbb/auth/provider/db.php b/phpBB/phpbb/auth/provider/db.php index d5a6b0452a..7307a697ae 100644 --- a/phpBB/phpbb/auth/provider/db.php +++ b/phpBB/phpbb/auth/provider/db.php 
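Review bot: The batching in passwords_convert_p1.php pages with `sql_query_limit($sql, $limit, $start)` over rows matching `user_pass_convert = 1`, but each batch sets `user_pass_convert` to 0 on the rows it prefixed and then returns `$start + $limit`. The matching set shrinks between calls, so the next offset skips up to `$limit` users that were never examined, and those accounts would keep an unprefixed legacy hash. Paging on the last seen `user_id` instead of a row offset avoids this. Rows that already carry a prefix keep `user_pass_convert = 1`, which is worth either clearing or documenting. The top of the file, including the method signature and the SELECT list, is not visible in this hunk, so this reading assumes `$start` and `$limit` are the step's paging values.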
@@ -170,73 +170,8 @@ class db extends \phpbb\auth\provider\base } - // If the password convert flag is set we need to convert it - if ($row['user_pass_convert']) - { - // enable super globals to get literal value - // this is needed to prevent unicode normalization - $super_globals_disabled = $this->request->super_globals_disabled(); - if ($super_globals_disabled) - { - $this->request->enable_super_globals(); - } - - // in phpBB2 passwords were used exactly as they were sent, with addslashes applied - $password_old_format = isset($_REQUEST['password']) ? (string) $_REQUEST['password'] : ''; - $password_old_format = (!STRIP) ? addslashes($password_old_format) : $password_old_format; - $password_new_format = $this->request->variable('password', '', true); - - if ($super_globals_disabled) - { - $this->request->disable_super_globals(); - } - - if ($password == $password_new_format) - { - if (!function_exists('utf8_to_cp1252')) - { - include($this->phpbb_root_path . 'includes/utf/data/recode_basic.' . $this->php_ext); - } - - // cp1252 is phpBB2's default encoding, characters outside ASCII range might work when converted into that encoding - // plain md5 support left in for conversions from other systems. - if ((strlen($row['user_password']) == 34 && ($this->passwords_manager->check(md5($password_old_format), $row['user_password']) || $this->passwords_manager->check(md5(utf8_to_cp1252($password_old_format)), $row['user_password']))) - || (strlen($row['user_password']) == 32 && (md5($password_old_format) == $row['user_password'] || md5(utf8_to_cp1252($password_old_format)) == $row['user_password'])) - || ($this->passwords_manager->check($password_old_format, $row['user_password']) || $this->passwords_manager->check($password_new_format, $row['user_password']))) - { - $hash = $this->passwords_manager->hash($password_new_format); - - // Update the password in the users table to the new format and remove user_pass_convert flag - $sql = 'UPDATE ' . USERS_TABLE . 
' - SET user_password = \'' . $this->db->sql_escape($hash) . '\', - user_pass_convert = 0 - WHERE user_id = ' . $row['user_id']; - $this->db->sql_query($sql); - - $row['user_pass_convert'] = 0; - $row['user_password'] = $hash; - } - else - { - // Although we weren't able to convert this password we have to - // increase login attempt count to make sure this cannot be exploited - $sql = 'UPDATE ' . USERS_TABLE . ' - SET user_login_attempts = user_login_attempts + 1 - WHERE user_id = ' . (int) $row['user_id'] . ' - AND user_login_attempts < ' . LOGIN_ATTEMPTS_MAX; - $this->db->sql_query($sql); - - return array( - 'status' => LOGIN_ERROR_PASSWORD_CONVERT, - 'error_msg' => 'LOGIN_ERROR_PASSWORD_CONVERT', - 'user_row' => $row, - ); - } - } - } - // Check password ... - if (!$row['user_pass_convert'] && $this->passwords_manager->check($password, $row['user_password'])) + if ($this->passwords_manager->check($password, $row['user_password'])) { // Check for old password hash... if ($this->passwords_manager->convert_flag || strlen($row['user_password']) == 32) diff --git a/phpBB/phpbb/passwords/manager.php b/phpBB/phpbb/passwords/manager.php index 7d46424e4d..0a349c4a14 100644 --- a/phpBB/phpbb/passwords/manager.php +++ b/phpBB/phpbb/passwords/manager.php @@ -268,10 +268,10 @@ class manager $this->convert_flag = false; } + // Check all legacy hash types if prefix is $CP$ if ($stored_hash_type->get_prefix() === '$CP$') { - // Check all legacy hash types for this hash. Remove - // $CP$ prefix from beginning for proper checking. + // Remove $CP$ prefix for proper checking $hash = substr($hash, 4); foreach ($this->type_map as $algorithm) From 5a243af879b42f1323d716f75c981bcfb42b2afe Mon Sep 17 00:00:00 2001 
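Review bot: The rewritten password check in db.php calls `$this->passwords_manager->check($password, $row['user_password'])` without the third argument, so check() runs with its default empty `$user_row`. The manager tests in this series expect an SMF-style `$CP$` hash to verify only when a user row is supplied, so accounts carrying that hash type would presumably fail to log in through this provider. Passing the row, `$this->passwords_manager->check($password, $row['user_password'], $row)`, would let legacy drivers see it. The row would have to contain the key the driver reads (the tests use `login_name`), which is not visible here. The enclosing login method starts and ends outside the hunk.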
From: Marc Alexander Date: Tue, 27 May 2014 18:12:33 +0200 Subject: [PATCH 10/33] [ticket/12352] Add driver for phpBB2 hashes with md5 length of 32 PHPBB3-12352 --- phpBB/config/passwords.yml | 9 ++ phpBB/phpbb/passwords/driver/phpbb2_md5.php | 118 ++++++++++++++++++++ 2 files changed, 127 insertions(+) create mode 100644 phpBB/phpbb/passwords/driver/phpbb2_md5.php diff --git a/phpBB/config/passwords.yml b/phpBB/config/passwords.yml index 4f4a4621ee..8e4c27d324 100644 --- a/phpBB/config/passwords.yml +++ b/phpBB/config/passwords.yml @@ -54,6 +54,15 @@ services: tags: - { name: passwords.driver } + passwords.driver.phpbb2_md5: + class: phpbb\passwords\driver\phpbb2_md5 + arguments: + - @request + - %core.root_path% + - %core.php_ext% + tags: + - { name: passwords.driver } + passwords.driver_collection: class: phpbb\di\service_collection arguments: diff --git a/phpBB/phpbb/passwords/driver/phpbb2_md5.php b/phpBB/phpbb/passwords/driver/phpbb2_md5.php new file mode 100644 index 0000000000..7796ff6873 --- /dev/null +++ b/phpBB/phpbb/passwords/driver/phpbb2_md5.php 
@@ -0,0 +1,118 @@ +request = $request; + $this->phpbb_root_path = $phpbb_root_path; + $this->php_ext = $php_ext; + } + + /** + * @inheritdoc + */ + public function get_prefix() + { + return self::PREFIX; + } + + /** + * @inheritdoc + */ + public function is_legacy() + { + return true; + } + + /** + * @inheritdoc + */ + public function hash($password, $user_row = '') + { + // Do not support hashing + return false; + } + + /** + * @inheritdoc + */ + public function check($password, $hash, $user_row = array()) + { + if (strlen($hash) != 32) + { + return false; + } + + // enable super globals to get literal value + // this is needed to prevent unicode normalization + $super_globals_disabled = $this->request->super_globals_disabled(); + if ($super_globals_disabled) + { + $this->request->enable_super_globals(); + } + + // in phpBB2 passwords were used exactly as they were sent, with addslashes applied + $password_old_format = isset($_REQUEST['password']) ? (string) $_REQUEST['password'] : ''; + $password_old_format = (!STRIP) ? addslashes($password_old_format) : $password_old_format; + $password_new_format = $this->request->variable('password', '', true); + + if ($super_globals_disabled) + { + $this->request->disable_super_globals(); + } + + if ($password == $password_new_format) + { + if (!function_exists('utf8_to_cp1252')) + { + include($this->phpbb_root_path . 'includes/utf/data/recode_basic.' . $this->php_ext); + } + + if (md5($password_old_format) === $hash || md5(\utf8_to_cp1252($password_old_format)) === $hash) + { + return true; + } + } + + return false; + } + + /** + * @inheritdoc + */ + public function get_settings_only($hash, $full = false) + { + return false; + } +} From 3508409c89acd53943d7e9d1b32982fd021122f0 Mon Sep 17 00:00:00 2001 
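Review bot: `check()` in phpbb2_md5.php hashes `$_REQUEST['password']` rather than its `$password` argument, and the only link between the two is the loose comparison `if ($password == $password_new_format)`. With `==`, two different numeric-looking strings (for example `1e3` and `1000`) compare equal, so the guard should be `if ($password === $password_new_format)`. Reading the request inside a driver also ties verification to a form field named `password`; the docblock should say so, because a caller verifying a password from any other source will always get `false`. `hash()` declares `$user_row = ''` while `check()` uses `array()`, and the defaults should match. The class header and constructor signature are not visible in this hunk.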
From: Marc Alexander Date: Tue, 27 May 2014 18:13:06 +0200 Subject: [PATCH 11/33] [ticket/12352] Add tests for phpBB2 md5 passwords driver PHPBB3-12352 --- tests/mock/request.php | 19 ++++++++++++++++ tests/passwords/drivers_test.php | 37 ++++++++++++++++++++++++++++++++ tests/passwords/manager_test.php | 7 ++++++ 3 files changed, 63 insertions(+) diff --git a/tests/mock/request.php b/tests/mock/request.php index 89d5321a25..304fcf0eaf 100644 --- a/tests/mock/request.php +++ b/tests/mock/request.php @@ -15,6 +15,8 @@ class phpbb_mock_request implements \phpbb\request\request_interface { protected $data; + protected $super_globals_disabled = false; + public function __construct($get = array(), $post = array(), $cookie = array(), $server = array(), $request = false, $files = array()) { $this->data[\phpbb\request\request_interface::GET] = $get; @@ -23,6 +25,8 @@ class phpbb_mock_request implements \phpbb\request\request_interface $this->data[\phpbb\request\request_interface::REQUEST] = ($request === false) ? $post + $get : $request; $this->data[\phpbb\request\request_interface::SERVER] = $server; $this->data[\phpbb\request\request_interface::FILES] = $files; + + $this->disable_super_globals(); } public function overwrite($var_name, $value, $super_global = \phpbb\request\request_interface::REQUEST) @@ -83,6 +87,21 @@ class phpbb_mock_request implements \phpbb\request\request_interface return $this->data[$super_global]; } + public function super_globals_disabled() + { + return $this->super_globals_disabled; + } + + public function disable_super_globals() + { + $this->super_globals_disabled = true; + } + + public function enable_super_globals() + { + $this->super_globals_disabled = false; + } + /* custom methods */ public function set_header($header_name, $value) diff --git a/tests/passwords/drivers_test.php b/tests/passwords/drivers_test.php index 5e2518cdea..cff03b02c9 100644 --- a/tests/passwords/drivers_test.php +++ b/tests/passwords/drivers_test.php 
@@ -17,7 +17,10 @@ class phpbb_passwords_helper_test extends \phpbb_test_case { // Prepare dependencies for drivers $config = new \phpbb\config\config(array()); + $request = new phpbb_mock_request(array(), array(), array(), array(), array('password' => 'fööbar')); $this->driver_helper = new \phpbb\passwords\driver\helper($config); + $phpbb_root_path = dirname(__FILE__) . '/../../phpBB/'; + $php_ext = 'php'; $this->passwords_drivers = array( 'passwords.driver.bcrypt_2y' => new \phpbb\passwords\driver\bcrypt_2y($config, $this->driver_helper), @@ -25,6 +28,7 @@ class phpbb_passwords_helper_test extends \phpbb_test_case 'passwords.driver.salted_md5' => new \phpbb\passwords\driver\salted_md5($config, $this->driver_helper), 'passwords.driver.phpass' => new \phpbb\passwords\driver\phpass($config, $this->driver_helper), 'passwords.driver.sha1_smf' => new \phpbb\passwords\driver\sha1_smf($config, $this->driver_helper), + 'passwords.driver.phpbb2_md5' => new \phpbb\passwords\driver\phpbb2_md5($request, $phpbb_root_path, $php_ext), ); } 
@@ -115,4 +119,37 @@ class phpbb_passwords_helper_test extends \phpbb_test_case { $this->assertSame($expected, $this->passwords_drivers[$driver]->get_settings_only($hash)); } + + public function data_phpbb2_md5_check() + { + return array( + array(false, 'foobar', 'ae2fc75e20ee25d4520766788fbc96ae'), + array(false, 'foobar', 'ae2fc75e20ee25d4520766788fbc96aeddsf'), + array(false, 'fööbar', 'ae2fc75e20ee25d4520766788fbc96ae'), + array(true, 'fööbar', 'ae2fc75e20ee25d4520766788fbc96ae', utf8_decode('fööbar')), + ); + } + + /** + * @dataProvider data_phpbb2_md5_check + */ + public function test_phpbb2_md5_check($expected, $password, $hash, $request_password = false) + { + if (!$request_password) + { + unset($_REQUEST['password']); + } + else + { + $_REQUEST['password'] = $request_password; + } + $this->assertSame($expected, $this->passwords_drivers['passwords.driver.phpbb2_md5']->check($password, $hash)); + } + + public function test_phpbb2_md5_unneeded_functions() + { + $this->assertSame(false, $this->passwords_drivers['passwords.driver.phpbb2_md5']->hash('foobar')); + + $this->assertSame(false, $this->passwords_drivers['passwords.driver.phpbb2_md5']->get_settings_only('ae2fc75e20ee25d4520766788fbc96ae')); + } } diff --git a/tests/passwords/manager_test.php b/tests/passwords/manager_test.php index d0f860c4c5..e925502f18 100644 --- a/tests/passwords/manager_test.php +++ b/tests/passwords/manager_test.php @@ -24,6 +24,9 @@ class phpbb_passwords_manager_test extends \phpbb_test_case // Prepare dependencies for manager and driver $config = new \phpbb\config\config(array()); $this->driver_helper = new \phpbb\passwords\driver\helper($config); + $request = new phpbb_mock_request(array(), array(), array(), array(), array('password' => 'töst')); + $phpbb_root_path = dirname(__FILE__) . '/../../phpBB/'; + $php_ext = 'php'; $this->passwords_drivers = array( 'passwords.driver.bcrypt_2y' => new \phpbb\passwords\driver\bcrypt_2y($config, $this->driver_helper), 
@@ -32,6 +35,7 @@ class phpbb_passwords_manager_test extends \phpbb_test_case 'passwords.driver.phpass' => new \phpbb\passwords\driver\phpass($config, $this->driver_helper), 'passwords.driver.convert_password' => new \phpbb\passwords\driver\convert_password($config, $this->driver_helper), 'passwords.driver.sha1_smf' => new \phpbb\passwords\driver\sha1_smf($config, $this->driver_helper), + 'passwords.driver.phpbb2_md5' => new \phpbb\passwords\driver\phpbb2_md5($request, $phpbb_root_path, $php_ext), ); $this->helper = new \phpbb\passwords\helper; @@ -146,6 +150,9 @@ class phpbb_passwords_manager_test extends \phpbb_test_case array('foobar', '6f9e2a1899e1f15708fd2e554103480eb53e8b57', false, array('login_name' => 'test')), array('foobar', '$CP$6f9e2a1899e1f15708fd2e554103480eb53e8b57', true, array('login_name' => 'test')), array('foobar', '6f9e2a1899', false, array('login_name' => 'test')), + array('fööbar', 'ae2fc75e20ee25d4520766788fbc96ae', false), + array('fööbar', '$CP$ae2fc75e20ee25d4520766788fbc96ae', false), + array(utf8_decode('fööbar'), '$CP$ae2fc75e20ee25d4520766788fbc96ae', true), ); } From b35ed3bc69ac0cdd63791d89f1941b1bb8c69c0b Mon Sep 17 00:00:00 2001 From: Marc Alexander Date: Tue, 27 May 2014 18:26:51 +0200 Subject: [PATCH 12/33] [ticket/12352] Add tests for functions in convert password driver PHPBB3-12352 --- tests/passwords/drivers_test.php | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/tests/passwords/drivers_test.php b/tests/passwords/drivers_test.php index cff03b02c9..70a320f4bd 100644 --- a/tests/passwords/drivers_test.php +++ b/tests/passwords/drivers_test.php 
@@ -28,6 +28,7 @@ class phpbb_passwords_helper_test extends \phpbb_test_case 'passwords.driver.salted_md5' => new \phpbb\passwords\driver\salted_md5($config, $this->driver_helper), 'passwords.driver.phpass' => new \phpbb\passwords\driver\phpass($config, $this->driver_helper), 'passwords.driver.sha1_smf' => new \phpbb\passwords\driver\sha1_smf($config, $this->driver_helper), + 'passwords.driver.convert_password' => new \phpbb\passwords\driver\convert_password($config, $this->driver_helper), 'passwords.driver.phpbb2_md5' => new \phpbb\passwords\driver\phpbb2_md5($request, $phpbb_root_path, $php_ext), ); } @@ -152,4 +153,11 @@ class phpbb_passwords_helper_test extends \phpbb_test_case $this->assertSame(false, $this->passwords_drivers['passwords.driver.phpbb2_md5']->get_settings_only('ae2fc75e20ee25d4520766788fbc96ae')); } + + public function test_convert_password_driver() + { + $this->assertSame(false, $this->passwords_drivers['passwords.driver.convert_password']->hash('foobar')); + + $this->assertSame(false, $this->passwords_drivers['passwords.driver.convert_password']->get_settings_only('ae2fc75e20ee25d4520766788fbc96ae')); + } } From d9e49fae235217ea60dc95d91822cf04e5024db5 Mon Sep 17 00:00:00 2001 From: Marc Alexander Date: Wed, 28 May 2014 20:02:06 +0200 Subject: [PATCH 13/33] [ticket/12352] Check phpBB2 passwords that have been encrypted with phpass PHPBB3-12352 --- phpBB/config/passwords.yml | 1 + phpBB/phpbb/passwords/driver/phpbb2_md5.php | 19 +++++++++++++------ 2 files changed, 14 insertions(+), 6 deletions(-) diff --git a/phpBB/config/passwords.yml b/phpBB/config/passwords.yml index 8e4c27d324..3b21295952 100644 --- a/phpBB/config/passwords.yml +++ b/phpBB/config/passwords.yml @@ -58,6 +58,7 @@ services: class: phpbb\passwords\driver\phpbb2_md5 arguments: - @request + - @passwords.driver.salted_md5 - %core.root_path% - %core.php_ext% tags: 
diff --git a/phpBB/phpbb/passwords/driver/phpbb2_md5.php b/phpBB/phpbb/passwords/driver/phpbb2_md5.php index 7796ff6873..0f2bf74850 100644 --- a/phpBB/phpbb/passwords/driver/phpbb2_md5.php +++ b/phpBB/phpbb/passwords/driver/phpbb2_md5.php @@ -19,6 +19,9 @@ class phpbb2_md5 extends base /** @var \phpbb\request\request phpBB request object */ protected $request; + /** @var \phpbb\passwords\driver\salted_md5 */ + protected $salted_md5; + /** @var phpBB root path */ protected $phpbb_root_path; @@ -28,13 +31,15 @@ class phpbb2_md5 extends base /** * Constructor of passwords driver object * - * @param \phpbb\request\request $request phpBB request object - * @param string $phpbb_root_path phpBB root path - * @param string $php_ext PHP file extension + * @param \phpbb\request\request $request phpBB request object + * @param \phpbb\passwords\driver\salted_md5 $salted_md5 Salted md5 driver + * @param string $phpbb_root_path phpBB root path + * @param string $php_ext PHP file extension */ - public function __construct($request, $phpbb_root_path, $php_ext) + public function __construct($request, \phpbb\passwords\driver\salted_md5 $salted_md5, $phpbb_root_path, $php_ext) { $this->request = $request; + $this->salted_md5 = $salted_md5; $this->phpbb_root_path = $phpbb_root_path; $this->php_ext = $php_ext; } @@ -69,7 +74,7 @@ class phpbb2_md5 extends base */ public function check($password, $hash, $user_row = array()) { - if (strlen($hash) != 32) + if (strlen($hash) != 32 && strlen($hash) != 34) { return false; } 
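Review bot: The new required, type-hinted `$salted_md5` parameter is inserted as the second constructor argument, but this commit changes only passwords.yml and the driver. tests/passwords/drivers_test.php and manager_test.php keep calling `new \phpbb\passwords\driver\phpbb2_md5($request, $phpbb_root_path, $php_ext)` until PATCH 14. At this commit the root-path string lands in the `salted_md5` slot, so the suite cannot pass here and the series does not bisect cleanly. Moving the test-constructor update from PATCH 14 into this commit would fix that.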
@@ -99,7 +104,9 @@ class phpbb2_md5 extends base include($this->phpbb_root_path . 'includes/utf/data/recode_basic.' . $this->php_ext); } - if (md5($password_old_format) === $hash || md5(\utf8_to_cp1252($password_old_format)) === $hash) + if (md5($password_old_format) === $hash || md5(\utf8_to_cp1252($password_old_format)) === $hash + || $this->salted_md5->check(md5($password_old_format), $hash) === true + || $this->salted_md5->check(md5(\utf8_to_cp1252($password_old_format)), $hash) === true) { return true; } From 033272f968249a2951cf7dc6867b8f393d113f2d Mon Sep 17 00:00:00 2001 From: Marc Alexander Date: Wed, 28 May 2014 20:02:58 +0200 Subject: [PATCH 14/33] [ticket/12352] Add passwords driver for sha1 password hashes PHPBB3-12352 --- phpBB/config/passwords.yml | 8 ++ phpBB/phpbb/passwords/driver/sha1.php | 59 +++++++++++ tests/passwords/drivers_test.php | 143 +++++++++++++++++++++++++- tests/passwords/manager_test.php | 3 +- 4 files changed, 211 insertions(+), 2 deletions(-) create mode 100644 phpBB/phpbb/passwords/driver/sha1.php diff --git a/phpBB/config/passwords.yml b/phpBB/config/passwords.yml index 3b21295952..ae989bccf9 100644 --- a/phpBB/config/passwords.yml +++ b/phpBB/config/passwords.yml @@ -54,6 +54,14 @@ services: tags: - { name: passwords.driver } + passwords.driver.sha1: + class: phpbb\passwords\driver\sha1 + arguments: + - @config + - @passwords.driver_helper + tags: + - { name: passwords.driver } + passwords.driver.phpbb2_md5: class: phpbb\passwords\driver\phpbb2_md5 arguments: diff --git a/phpBB/phpbb/passwords/driver/sha1.php b/phpBB/phpbb/passwords/driver/sha1.php new file mode 100644 index 0000000000..a698392ec6 --- /dev/null +++ b/phpBB/phpbb/passwords/driver/sha1.php 
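Review bot: The digest comparisons in this condition use `===`, which stops at the first differing byte, so the time check() takes depends on how much of the stored hash matched. Compare with a constant-time primitive instead, for example `hash_equals($hash, md5($password_old_format))` where the supported PHP version provides it, or a project helper with the same guarantee. The same pattern appears later in this series in the md5_mybb check() (`$hash === md5(md5($user_row['user_passwd_salt']) . md5($password))`) and in the bcrypt_wcf2 check(). check() begins and ends outside this hunk.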
@@ -0,0 +1,59 @@ + new \phpbb\passwords\driver\phpass($config, $this->driver_helper), 'passwords.driver.sha1_smf' => new \phpbb\passwords\driver\sha1_smf($config, $this->driver_helper), 'passwords.driver.convert_password' => new \phpbb\passwords\driver\convert_password($config, $this->driver_helper), - 'passwords.driver.phpbb2_md5' => new \phpbb\passwords\driver\phpbb2_md5($request, $phpbb_root_path, $php_ext), + 'passwords.driver.sha1' => new \phpbb\passwords\driver\sha1($config, $this->driver_helper), ); + $this->passwords_drivers['passwords.driver.phpbb2_md5'] = new \phpbb\passwords\driver\phpbb2_md5($request, $this->passwords_drivers['passwords.driver.salted_md5'], $phpbb_root_path, $php_ext); } public function data_helper_encode64() @@ -128,6 +129,9 @@ class phpbb_passwords_helper_test extends \phpbb_test_case array(false, 'foobar', 'ae2fc75e20ee25d4520766788fbc96aeddsf'), array(false, 'fööbar', 'ae2fc75e20ee25d4520766788fbc96ae'), array(true, 'fööbar', 'ae2fc75e20ee25d4520766788fbc96ae', utf8_decode('fööbar')), + array(true, 'fööbar', '$H$966CepJh9RC3hFIm7aKywR6jEn0kpA0', utf8_decode('fööbar')), + array(true, 'fööbar', '$H$9rNjgwETtmc8befO8JL1xFMrrMw8MC.', $this->utf8_to_cp1252(utf8_decode('fööbar'))), + array(true, 'fööbar', '$H$9rNjgwETtmc8befO8JL1xFMrrMw8MC.', $this->utf8_to_cp1252('fööbar')), ); } 
@@ -160,4 +164,141 @@ class phpbb_passwords_helper_test extends \phpbb_test_case $this->assertSame(false, $this->passwords_drivers['passwords.driver.convert_password']->get_settings_only('ae2fc75e20ee25d4520766788fbc96ae')); } + + public function test_sha1_driver() + { + $this->assertSame(false, $this->passwords_drivers['passwords.driver.sha1']->hash('foobar')); + + $this->assertSame(false, $this->passwords_drivers['passwords.driver.sha1']->get_settings_only('ae2fc75e20ee25d4520766788fbc96ae')); + } + + protected function utf8_to_cp1252($string) + { + static $transform = array( + "\xE2\x82\xAC" => "\x80", + "\xE2\x80\x9A" => "\x82", + "\xC6\x92" => "\x83", + "\xE2\x80\x9E" => "\x84", + "\xE2\x80\xA6" => "\x85", + "\xE2\x80\xA0" => "\x86", + "\xE2\x80\xA1" => "\x87", + "\xCB\x86" => "\x88", + "\xE2\x80\xB0" => "\x89", + "\xC5\xA0" => "\x8A", + "\xE2\x80\xB9" => "\x8B", + "\xC5\x92" => "\x8C", + "\xC5\xBD" => "\x8E", + "\xE2\x80\x98" => "\x91", + "\xE2\x80\x99" => "\x92", + "\xE2\x80\x9C" => "\x93", + "\xE2\x80\x9D" => "\x94", + "\xE2\x80\xA2" => "\x95", + "\xE2\x80\x93" => "\x96", + "\xE2\x80\x94" => "\x97", + "\xCB\x9C" => "\x98", + "\xE2\x84\xA2" => "\x99", + "\xC5\xA1" => "\x9A", + "\xE2\x80\xBA" => "\x9B", + "\xC5\x93" => "\x9C", + "\xC5\xBE" => "\x9E", + "\xC5\xB8" => "\x9F", + "\xC2\xA0" => "\xA0", + "\xC2\xA1" => "\xA1", + "\xC2\xA2" => "\xA2", + "\xC2\xA3" => "\xA3", + "\xC2\xA4" => "\xA4", + "\xC2\xA5" => "\xA5", + "\xC2\xA6" => "\xA6", + "\xC2\xA7" => "\xA7", + "\xC2\xA8" => "\xA8", + "\xC2\xA9" => "\xA9", + "\xC2\xAA" => "\xAA", + "\xC2\xAB" => "\xAB", + "\xC2\xAC" => "\xAC", + "\xC2\xAD" => "\xAD", + "\xC2\xAE" => "\xAE", + "\xC2\xAF" => "\xAF", + "\xC2\xB0" => "\xB0", + "\xC2\xB1" => "\xB1", + "\xC2\xB2" => "\xB2", + "\xC2\xB3" => "\xB3", + "\xC2\xB4" => "\xB4", + "\xC2\xB5" => "\xB5", + "\xC2\xB6" => "\xB6", + "\xC2\xB7" => "\xB7", + "\xC2\xB8" => "\xB8", + "\xC2\xB9" => "\xB9", + "\xC2\xBA" => "\xBA", + "\xC2\xBB" => "\xBB", + "\xC2\xBC" => "\xBC", + 
"\xC2\xBD" => "\xBD", + "\xC2\xBE" => "\xBE", + "\xC2\xBF" => "\xBF", + "\xC3\x80" => "\xC0", + "\xC3\x81" => "\xC1", + "\xC3\x82" => "\xC2", + "\xC3\x83" => "\xC3", + "\xC3\x84" => "\xC4", + "\xC3\x85" => "\xC5", + "\xC3\x86" => "\xC6", + "\xC3\x87" => "\xC7", + "\xC3\x88" => "\xC8", + "\xC3\x89" => "\xC9", + "\xC3\x8A" => "\xCA", + "\xC3\x8B" => "\xCB", + "\xC3\x8C" => "\xCC", + "\xC3\x8D" => "\xCD", + "\xC3\x8E" => "\xCE", + "\xC3\x8F" => "\xCF", + "\xC3\x90" => "\xD0", + "\xC3\x91" => "\xD1", + "\xC3\x92" => "\xD2", + "\xC3\x93" => "\xD3", + "\xC3\x94" => "\xD4", + "\xC3\x95" => "\xD5", + "\xC3\x96" => "\xD6", + "\xC3\x97" => "\xD7", + "\xC3\x98" => "\xD8", + "\xC3\x99" => "\xD9", + "\xC3\x9A" => "\xDA", + "\xC3\x9B" => "\xDB", + "\xC3\x9C" => "\xDC", + "\xC3\x9D" => "\xDD", + "\xC3\x9E" => "\xDE", + "\xC3\x9F" => "\xDF", + "\xC3\xA0" => "\xE0", + "\xC3\xA1" => "\xE1", + "\xC3\xA2" => "\xE2", + "\xC3\xA3" => "\xE3", + "\xC3\xA4" => "\xE4", + "\xC3\xA5" => "\xE5", + "\xC3\xA6" => "\xE6", + "\xC3\xA7" => "\xE7", + "\xC3\xA8" => "\xE8", + "\xC3\xA9" => "\xE9", + "\xC3\xAA" => "\xEA", + "\xC3\xAB" => "\xEB", + "\xC3\xAC" => "\xEC", + "\xC3\xAD" => "\xED", + "\xC3\xAE" => "\xEE", + "\xC3\xAF" => "\xEF", + "\xC3\xB0" => "\xF0", + "\xC3\xB1" => "\xF1", + "\xC3\xB2" => "\xF2", + "\xC3\xB3" => "\xF3", + "\xC3\xB4" => "\xF4", + "\xC3\xB5" => "\xF5", + "\xC3\xB6" => "\xF6", + "\xC3\xB7" => "\xF7", + "\xC3\xB8" => "\xF8", + "\xC3\xB9" => "\xF9", + "\xC3\xBA" => "\xFA", + "\xC3\xBB" => "\xFB", + "\xC3\xBC" => "\xFC", + "\xC3\xBD" => "\xFD", + "\xC3\xBE" => "\xFE", + "\xC3\xBF" => "\xFF" + ); + return strtr($string, $transform); + } } diff --git a/tests/passwords/manager_test.php b/tests/passwords/manager_test.php index e925502f18..24243d76c4 100644 --- a/tests/passwords/manager_test.php +++ b/tests/passwords/manager_test.php 
@@ -35,8 +35,9 @@ class phpbb_passwords_manager_test extends \phpbb_test_case 'passwords.driver.phpass' => new \phpbb\passwords\driver\phpass($config, $this->driver_helper), 'passwords.driver.convert_password' => new \phpbb\passwords\driver\convert_password($config, $this->driver_helper), 'passwords.driver.sha1_smf' => new \phpbb\passwords\driver\sha1_smf($config, $this->driver_helper), - 'passwords.driver.phpbb2_md5' => new \phpbb\passwords\driver\phpbb2_md5($request, $phpbb_root_path, $php_ext), + 'passwords.driver.sha1' => new \phpbb\passwords\driver\sha1($config, $this->driver_helper), ); + $this->passwords_drivers['passwords.driver.phpbb2_md5'] = new \phpbb\passwords\driver\phpbb2_md5($request, $this->passwords_drivers['passwords.driver.salted_md5'], $phpbb_root_path, $php_ext); $this->helper = new \phpbb\passwords\helper; // Set up passwords manager From dc5a5a7cdfae8ba8e300b7db46eaa64fcc70824c Mon Sep 17 00:00:00 2001 From: Marc Alexander Date: Wed, 28 May 2014 20:35:01 +0200 Subject: [PATCH 15/33] [ticket/12352] Rename phpbb2_md5 driver to fit filenames of other drivers PHPBB3-12352 --- phpBB/config/passwords.yml | 4 ++-- .../driver/{phpbb2_md5.php => md5_phpbb2.php} | 4 ++-- tests/passwords/drivers_test.php | 16 ++++++++-------- tests/passwords/manager_test.php | 2 +- 4 files changed, 13 insertions(+), 13 deletions(-) rename phpBB/phpbb/passwords/driver/{phpbb2_md5.php => md5_phpbb2.php} (97%) diff --git a/phpBB/config/passwords.yml b/phpBB/config/passwords.yml index ae989bccf9..f712e84b42 100644 --- a/phpBB/config/passwords.yml +++ b/phpBB/config/passwords.yml @@ -62,8 +62,8 @@ services: tags: - { name: passwords.driver } - passwords.driver.phpbb2_md5: - class: phpbb\passwords\driver\phpbb2_md5 + passwords.driver.md5_phpbb2: + class: phpbb\passwords\driver\md5_phpbb2 arguments: - @request - @passwords.driver.salted_md5 
diff --git a/phpBB/phpbb/passwords/driver/phpbb2_md5.php b/phpBB/phpbb/passwords/driver/md5_phpbb2.php similarity index 97% rename from phpBB/phpbb/passwords/driver/phpbb2_md5.php rename to phpBB/phpbb/passwords/driver/md5_phpbb2.php index 0f2bf74850..41a589d3b8 100644 --- a/phpBB/phpbb/passwords/driver/phpbb2_md5.php +++ b/phpBB/phpbb/passwords/driver/md5_phpbb2.php @@ -12,9 +12,9 @@ namespace phpbb\passwords\driver; /** * @package passwords */ -class phpbb2_md5 extends base +class md5_phpbb2 extends base { - const PREFIX = '$phpbb2_md5$'; + const PREFIX = '$md5_phpbb2$'; /** @var \phpbb\request\request phpBB request object */ protected $request; diff --git a/tests/passwords/drivers_test.php b/tests/passwords/drivers_test.php index 0ac4719b45..3ef39df709 100644 --- a/tests/passwords/drivers_test.php +++ b/tests/passwords/drivers_test.php @@ -31,7 +31,7 @@ class phpbb_passwords_helper_test extends \phpbb_test_case 'passwords.driver.convert_password' => new \phpbb\passwords\driver\convert_password($config, $this->driver_helper), 'passwords.driver.sha1' => new \phpbb\passwords\driver\sha1($config, $this->driver_helper), ); - $this->passwords_drivers['passwords.driver.phpbb2_md5'] = new \phpbb\passwords\driver\phpbb2_md5($request, $this->passwords_drivers['passwords.driver.salted_md5'], $phpbb_root_path, $php_ext); + $this->passwords_drivers['passwords.driver.md5_phpbb2'] = new \phpbb\passwords\driver\md5_phpbb2($request, $this->passwords_drivers['passwords.driver.salted_md5'], $phpbb_root_path, $php_ext); } public function data_helper_encode64() @@ -122,7 +122,7 @@ class phpbb_passwords_helper_test extends \phpbb_test_case $this->assertSame($expected, $this->passwords_drivers[$driver]->get_settings_only($hash)); } - public function data_phpbb2_md5_check() + public function data_md5_phpbb2_check() { return array( array(false, 'foobar', 'ae2fc75e20ee25d4520766788fbc96ae'), 
@@ -136,9 +136,9 @@ class phpbb_passwords_helper_test extends \phpbb_test_case } /** - * @dataProvider data_phpbb2_md5_check + * @dataProvider data_md5_phpbb2_check */ - public function test_phpbb2_md5_check($expected, $password, $hash, $request_password = false) + public function test_md5_phpbb2_check($expected, $password, $hash, $request_password = false) { if (!$request_password) { @@ -148,14 +148,14 @@ class phpbb_passwords_helper_test extends \phpbb_test_case { $_REQUEST['password'] = $request_password; } - $this->assertSame($expected, $this->passwords_drivers['passwords.driver.phpbb2_md5']->check($password, $hash)); + $this->assertSame($expected, $this->passwords_drivers['passwords.driver.md5_phpbb2']->check($password, $hash)); } - public function test_phpbb2_md5_unneeded_functions() + public function test_md5_phpbb2_unneeded_functions() { - $this->assertSame(false, $this->passwords_drivers['passwords.driver.phpbb2_md5']->hash('foobar')); + $this->assertSame(false, $this->passwords_drivers['passwords.driver.md5_phpbb2']->hash('foobar')); - $this->assertSame(false, $this->passwords_drivers['passwords.driver.phpbb2_md5']->get_settings_only('ae2fc75e20ee25d4520766788fbc96ae')); + $this->assertSame(false, $this->passwords_drivers['passwords.driver.md5_phpbb2']->get_settings_only('ae2fc75e20ee25d4520766788fbc96ae')); } public function test_convert_password_driver() diff --git a/tests/passwords/manager_test.php b/tests/passwords/manager_test.php index 24243d76c4..2a53d79027 100644 --- a/tests/passwords/manager_test.php +++ b/tests/passwords/manager_test.php 
@@ -37,7 +37,7 @@ class phpbb_passwords_manager_test extends \phpbb_test_case 'passwords.driver.sha1_smf' => new \phpbb\passwords\driver\sha1_smf($config, $this->driver_helper), 'passwords.driver.sha1' => new \phpbb\passwords\driver\sha1($config, $this->driver_helper), ); - $this->passwords_drivers['passwords.driver.phpbb2_md5'] = new \phpbb\passwords\driver\phpbb2_md5($request, $this->passwords_drivers['passwords.driver.salted_md5'], $phpbb_root_path, $php_ext); + $this->passwords_drivers['passwords.driver.md5_phpbb2'] = new \phpbb\passwords\driver\md5_phpbb2($request, $this->passwords_drivers['passwords.driver.salted_md5'], $phpbb_root_path, $php_ext); $this->helper = new \phpbb\passwords\helper; // Set up passwords manager From af25aef04ca3ee39cd1597b356638e883ccf72fa Mon Sep 17 00:00:00 2001 From: Marc Alexander Date: Wed, 28 May 2014 21:03:17 +0200 Subject: [PATCH 16/33] [ticket/12352] Add driver for myBB md5 passwords PHPBB3-12352 --- phpBB/config/passwords.yml | 8 +++ phpBB/phpbb/passwords/driver/md5_mybb.php | 59 +++++++++++++++++++++++ tests/passwords/drivers_test.php | 25 ++++++++++ tests/passwords/manager_test.php | 1 + 4 files changed, 93 insertions(+) create mode 100644 phpBB/phpbb/passwords/driver/md5_mybb.php diff --git a/phpBB/config/passwords.yml b/phpBB/config/passwords.yml index f712e84b42..4b89d5d81a 100644 --- a/phpBB/config/passwords.yml +++ b/phpBB/config/passwords.yml @@ -72,6 +72,14 @@ services: tags: - { name: passwords.driver } + passwords.driver.md5_mybb: + class: phpbb\passwords\driver\md5_mybb + arguments: + - @config + - @passwords.driver_helper + tags: + - { name: passwords.driver } + passwords.driver_collection: class: phpbb\di\service_collection arguments: diff --git a/phpBB/phpbb/passwords/driver/md5_mybb.php b/phpBB/phpbb/passwords/driver/md5_mybb.php new file mode 100644 index 0000000000..9406546798 --- /dev/null +++ b/phpBB/phpbb/passwords/driver/md5_mybb.php 
@@ -0,0 +1,59 @@ + new \phpbb\passwords\driver\sha1_smf($config, $this->driver_helper), 'passwords.driver.convert_password' => new \phpbb\passwords\driver\convert_password($config, $this->driver_helper), 'passwords.driver.sha1' => new \phpbb\passwords\driver\sha1($config, $this->driver_helper), + 'passwords.driver.md5_mybb' => new \phpbb\passwords\driver\md5_mybb($config, $this->driver_helper), ); $this->passwords_drivers['passwords.driver.md5_phpbb2'] = new \phpbb\passwords\driver\md5_phpbb2($request, $this->passwords_drivers['passwords.driver.salted_md5'], $phpbb_root_path, $php_ext); } @@ -172,6 +173,30 @@ class phpbb_passwords_helper_test extends \phpbb_test_case $this->assertSame(false, $this->passwords_drivers['passwords.driver.sha1']->get_settings_only('ae2fc75e20ee25d4520766788fbc96ae')); } + public function data_md5_mybb_check() + { + return array( + array(false, 'foobar', '083d11daea8675b1b4b502c7e55f8dbd'), + array(false, 'foobar', '083d11daea8675b1b4b502c7e55f8dbd', array('user_passwd_salt' => 'ae2fc75e')), + array(true, 'foobar', '6022de2cc0ecf59ff14b57c6205ee170', array('user_passwd_salt' => 'ae2fc75e')), + ); + } + + /** + * @dataProvider data_md5_mybb_check + */ + public function test_md5_mybb_check($expected, $password, $hash, $user_row = array()) + { + $this->assertSame($expected, $this->passwords_drivers['passwords.driver.md5_mybb']->check($password, $hash, $user_row)); + } + + public function test_md5_mybb_driver() + { + $this->assertSame(false, $this->passwords_drivers['passwords.driver.md5_mybb']->hash('foobar')); + + $this->assertSame(false, $this->passwords_drivers['passwords.driver.md5_mybb']->get_settings_only('6022de2cc0ecf59ff14b57c6205ee170')); + } + protected function utf8_to_cp1252($string) { static $transform = array( diff --git a/tests/passwords/manager_test.php b/tests/passwords/manager_test.php index 2a53d79027..e2ec1972bb 100644 --- a/tests/passwords/manager_test.php +++ b/tests/passwords/manager_test.php 
@@ -36,6 +36,7 @@ class phpbb_passwords_manager_test extends \phpbb_test_case 'passwords.driver.convert_password' => new \phpbb\passwords\driver\convert_password($config, $this->driver_helper), 'passwords.driver.sha1_smf' => new \phpbb\passwords\driver\sha1_smf($config, $this->driver_helper), 'passwords.driver.sha1' => new \phpbb\passwords\driver\sha1($config, $this->driver_helper), + 'passwords.driver.md5_mybb' => new \phpbb\passwords\driver\md5_mybb($config, $this->driver_helper), ); $this->passwords_drivers['passwords.driver.md5_phpbb2'] = new \phpbb\passwords\driver\md5_phpbb2($request, $this->passwords_drivers['passwords.driver.salted_md5'], $phpbb_root_path, $php_ext); From 252a061864b631ac2536f589d9c7da3810d82357 Mon Sep 17 00:00:00 2001 From: Marc Alexander Date: Thu, 29 May 2014 12:13:02 +0200 Subject: [PATCH 17/33] [ticket/12352] Use correct hashing method in md5_mybb driver PHPBB3-12352 --- phpBB/phpbb/passwords/driver/md5_mybb.php | 10 +++++++++- tests/passwords/drivers_test.php | 2 +- 2 files changed, 10 insertions(+), 2 deletions(-) diff --git a/phpBB/phpbb/passwords/driver/md5_mybb.php b/phpBB/phpbb/passwords/driver/md5_mybb.php index 9406546798..ca416c4401 100644 --- a/phpBB/phpbb/passwords/driver/md5_mybb.php +++ b/phpBB/phpbb/passwords/driver/md5_mybb.php @@ -46,7 +46,15 @@ class md5_mybb extends base */ public function check($password, $hash, $user_row = array()) { - return (!empty($hash) && isset($user_row['user_passwd_salt'])) ? $hash === md5($user_row['user_passwd_salt'] . md5($password)) : false; + if (empty(hash) || !isset($user_row['user_passwd_salt'])) + { + return false; + } + else + { + // Works for myBB 1.1.x, 1.2.x, 1.4.x, 1.6.x + return $hash === md5(md5($user_row['user_passwd_salt']) . md5($password)); + } } /** diff --git a/tests/passwords/drivers_test.php b/tests/passwords/drivers_test.php index 1f900340c7..146f979a27 100644 --- a/tests/passwords/drivers_test.php +++ b/tests/passwords/drivers_test.php 
@@ -178,7 +178,7 @@ class phpbb_passwords_helper_test extends \phpbb_test_case return array( array(false, 'foobar', '083d11daea8675b1b4b502c7e55f8dbd'), array(false, 'foobar', '083d11daea8675b1b4b502c7e55f8dbd', array('user_passwd_salt' => 'ae2fc75e')), - array(true, 'foobar', '6022de2cc0ecf59ff14b57c6205ee170', array('user_passwd_salt' => 'ae2fc75e')), + array(true, 'foobar', 'b86ee7e24008bfd2890dcfab1ed31333', array('user_passwd_salt' => 'yeOtfFO6')), ); } From c6e1b51d786857478d2c20050c01f92ac2f8ac76 Mon Sep 17 00:00:00 2001 From: Marc Alexander Date: Thu, 29 May 2014 14:00:42 +0200 Subject: [PATCH 18/33] [ticket/12352] Add passwords driver for vB passwords PHPBB3-12352 --- phpBB/config/passwords.yml | 8 +++ phpBB/phpbb/passwords/driver/md5_vb.php | 67 +++++++++++++++++++++++++ tests/passwords/drivers_test.php | 29 ++++++++++- tests/passwords/manager_test.php | 1 + 4 files changed, 104 insertions(+), 1 deletion(-) create mode 100644 phpBB/phpbb/passwords/driver/md5_vb.php diff --git a/phpBB/config/passwords.yml b/phpBB/config/passwords.yml index 4b89d5d81a..52a1bd7e5a 100644 --- a/phpBB/config/passwords.yml +++ b/phpBB/config/passwords.yml @@ -80,6 +80,14 @@ services: tags: - { name: passwords.driver } + passwords.driver.md5_vb: + class: phpbb\passwords\driver\md5_vb + arguments: + - @config + - @passwords.driver_helper + tags: + - { name: passwords.driver } + passwords.driver_collection: class: phpbb\di\service_collection arguments: diff --git a/phpBB/phpbb/passwords/driver/md5_vb.php b/phpBB/phpbb/passwords/driver/md5_vb.php new file mode 100644 index 0000000000..9d87503266 --- /dev/null +++ b/phpBB/phpbb/passwords/driver/md5_vb.php 
@@ -0,0 +1,67 @@ + new \phpbb\passwords\driver\sha1_smf($config, $this->driver_helper), 'passwords.driver.convert_password' => new \phpbb\passwords\driver\convert_password($config, $this->driver_helper), 'passwords.driver.sha1' => new \phpbb\passwords\driver\sha1($config, $this->driver_helper), - 'passwords.driver.md5_mybb' => new \phpbb\passwords\driver\md5_mybb($config, $this->driver_helper), + 'passwords.driver.md5_mybb' => new \phpbb\passwords\driver\md5_mybb($config, $this->driver_helper), + 'passwords.driver.md5_vb' => new \phpbb\passwords\driver\md5_vb($config, $this->driver_helper), ); $this->passwords_drivers['passwords.driver.md5_phpbb2'] = new \phpbb\passwords\driver\md5_phpbb2($request, $this->passwords_drivers['passwords.driver.salted_md5'], $phpbb_root_path, $php_ext); } 
@@ -197,6 +198,32 @@ class phpbb_passwords_helper_test extends \phpbb_test_case $this->assertSame(false, $this->passwords_drivers['passwords.driver.md5_mybb']->get_settings_only('6022de2cc0ecf59ff14b57c6205ee170')); } + public function data_md5_vb_check() + { + return array( + array(false, 'foobar', '083d11daea8675b1b4b502c7e55f8dbd'), + array(false, 'foobar', 'b86ee7e24008bfd2890dcfab1ed31333', array('user_passwd_salt' => 'yeOtfFO6')), + array(true, 'foobar', 'b452c54c44c588fc095d2d000935c470', array('user_passwd_salt' => '9^F')), + array(true, 'foobar', 'f23a8241bd115d270c703213e3ef7f52', array('user_passwd_salt' => 'iaU*U%`CBl;/e~>D%do2m@Xf/,KZB0')), + array(false, 'nope', 'f23a8241bd115d270c703213e3ef7f52', array('user_passwd_salt' => 'iaU*U%`CBl;/e~>D%do2m@Xf/,KZB0')), + ); + } + + /** + * @dataProvider data_md5_vb_check + */ + public function test_md5_vb_check($expected, $password, $hash, $user_row = array()) + { + $this->assertSame($expected, $this->passwords_drivers['passwords.driver.md5_vb']->check($password, $hash, $user_row)); + } + + public function test_md5_vb_driver() + { + $this->assertSame(false, $this->passwords_drivers['passwords.driver.md5_vb']->hash('foobar')); + + $this->assertSame(false, $this->passwords_drivers['passwords.driver.md5_vb']->get_settings_only('6022de2cc0ecf59ff14b57c6205ee170')); + } + protected function utf8_to_cp1252($string) { static $transform = array( diff --git a/tests/passwords/manager_test.php b/tests/passwords/manager_test.php index e2ec1972bb..959bc9a88c 100644 --- a/tests/passwords/manager_test.php +++ b/tests/passwords/manager_test.php 
@@ -37,6 +37,7 @@ class phpbb_passwords_manager_test extends \phpbb_test_case 'passwords.driver.sha1_smf' => new \phpbb\passwords\driver\sha1_smf($config, $this->driver_helper), 'passwords.driver.sha1' => new \phpbb\passwords\driver\sha1($config, $this->driver_helper), 'passwords.driver.md5_mybb' => new \phpbb\passwords\driver\md5_mybb($config, $this->driver_helper), + 'passwords.driver.md5_vb' => new \phpbb\passwords\driver\md5_vb($config, $this->driver_helper), ); $this->passwords_drivers['passwords.driver.md5_phpbb2'] = new \phpbb\passwords\driver\md5_phpbb2($request, $this->passwords_drivers['passwords.driver.salted_md5'], $phpbb_root_path, $php_ext); From 146d3cfe7534d226530e0a42fa3fff37d26608f2 Mon Sep 17 00:00:00 2001 From: Marc Alexander Date: Thu, 29 May 2014 14:01:10 +0200 Subject: [PATCH 19/33] [ticket/12352] Fix spacing in passwords tests PHPBB3-12352 --- tests/passwords/drivers_test.php | 6 +++--- tests/passwords/manager_test.php | 8 ++++---- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/tests/passwords/drivers_test.php b/tests/passwords/drivers_test.php index d67aead75a..6861e5f805 100644 --- a/tests/passwords/drivers_test.php +++ b/tests/passwords/drivers_test.php 
@@ -24,11 +24,11 @@ class phpbb_passwords_helper_test extends \phpbb_test_case $this->passwords_drivers = array( 'passwords.driver.bcrypt_2y' => new \phpbb\passwords\driver\bcrypt_2y($config, $this->driver_helper), - 'passwords.driver.bcrypt' => new \phpbb\passwords\driver\bcrypt($config, $this->driver_helper), + 'passwords.driver.bcrypt' => new \phpbb\passwords\driver\bcrypt($config, $this->driver_helper), 'passwords.driver.salted_md5' => new \phpbb\passwords\driver\salted_md5($config, $this->driver_helper), - 'passwords.driver.phpass' => new \phpbb\passwords\driver\phpass($config, $this->driver_helper), + 'passwords.driver.phpass' => new \phpbb\passwords\driver\phpass($config, $this->driver_helper), 'passwords.driver.sha1_smf' => new \phpbb\passwords\driver\sha1_smf($config, $this->driver_helper), - 'passwords.driver.convert_password' => new \phpbb\passwords\driver\convert_password($config, $this->driver_helper), + 'passwords.driver.convert_password'=> new \phpbb\passwords\driver\convert_password($config, $this->driver_helper), 'passwords.driver.sha1' => new \phpbb\passwords\driver\sha1($config, $this->driver_helper), 'passwords.driver.md5_mybb' => new \phpbb\passwords\driver\md5_mybb($config, $this->driver_helper), 'passwords.driver.md5_vb' => new \phpbb\passwords\driver\md5_vb($config, $this->driver_helper), diff --git a/tests/passwords/manager_test.php b/tests/passwords/manager_test.php index 959bc9a88c..c6ae7db036 100644 --- a/tests/passwords/manager_test.php +++ b/tests/passwords/manager_test.php 
@@ -29,13 +29,13 @@ class phpbb_passwords_manager_test extends \phpbb_test_case $php_ext = 'php'; $this->passwords_drivers = array( - 'passwords.driver.bcrypt_2y' => new \phpbb\passwords\driver\bcrypt_2y($config, $this->driver_helper), + 'passwords.driver.bcrypt_2y' => new \phpbb\passwords\driver\bcrypt_2y($config, $this->driver_helper), 'passwords.driver.bcrypt' => new \phpbb\passwords\driver\bcrypt($config, $this->driver_helper), - 'passwords.driver.salted_md5' => new \phpbb\passwords\driver\salted_md5($config, $this->driver_helper), + 'passwords.driver.salted_md5' => new \phpbb\passwords\driver\salted_md5($config, $this->driver_helper), 'passwords.driver.phpass' => new \phpbb\passwords\driver\phpass($config, $this->driver_helper), 'passwords.driver.convert_password' => new \phpbb\passwords\driver\convert_password($config, $this->driver_helper), - 'passwords.driver.sha1_smf' => new \phpbb\passwords\driver\sha1_smf($config, $this->driver_helper), - 'passwords.driver.sha1' => new \phpbb\passwords\driver\sha1($config, $this->driver_helper), + 'passwords.driver.sha1_smf' => new \phpbb\passwords\driver\sha1_smf($config, $this->driver_helper), + 'passwords.driver.sha1' => new \phpbb\passwords\driver\sha1($config, $this->driver_helper), 'passwords.driver.md5_mybb' => new \phpbb\passwords\driver\md5_mybb($config, $this->driver_helper), 'passwords.driver.md5_vb' => new \phpbb\passwords\driver\md5_vb($config, $this->driver_helper), ); From 61a5fd59cf020e552fae7f28b354726edf4b6b7d Mon Sep 17 00:00:00 2001 From: Marc Alexander Date: Thu, 29 May 2014 14:08:10 +0200 Subject: [PATCH 20/33] [ticket/12352] Add missing $ to md5_mybb and md5_vb driver PHPBB3-12352 --- phpBB/phpbb/passwords/driver/md5_mybb.php | 2 +- phpBB/phpbb/passwords/driver/md5_vb.php | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/phpBB/phpbb/passwords/driver/md5_mybb.php b/phpBB/phpbb/passwords/driver/md5_mybb.php index ca416c4401..59a08039f2 100644 
--- a/phpBB/phpbb/passwords/driver/md5_mybb.php +++ b/phpBB/phpbb/passwords/driver/md5_mybb.php @@ -46,7 +46,7 @@ class md5_mybb extends base */ public function check($password, $hash, $user_row = array()) { - if (empty(hash) || !isset($user_row['user_passwd_salt'])) + if (empty($hash) || !isset($user_row['user_passwd_salt'])) { return false; } diff --git a/phpBB/phpbb/passwords/driver/md5_vb.php b/phpBB/phpbb/passwords/driver/md5_vb.php index 9d87503266..719c6279aa 100644 --- a/phpBB/phpbb/passwords/driver/md5_vb.php +++ b/phpBB/phpbb/passwords/driver/md5_vb.php @@ -46,7 +46,7 @@ class md5_vb extends base */ public function check($password, $hash, $user_row = array()) { - if (empty(hash) || !isset($user_row['user_passwd_salt'])) + if (empty($hash) || !isset($user_row['user_passwd_salt'])) { return false; } From 2d7593995ee888da709e21051c4566b3740ef7f2 Mon Sep 17 00:00:00 2001 From: Marc Alexander Date: Thu, 29 May 2014 16:32:48 +0200 Subject: [PATCH 21/33] [ticket/12352] Add driver for woltlab community framework 2 passwords PHPBB3-12352 --- phpBB/config/passwords.yml | 8 ++ phpBB/phpbb/passwords/driver/bcrypt_wcf2.php | 91 ++++++++++++++++++++ tests/passwords/drivers_test.php | 1 + tests/passwords/manager_test.php | 1 + 4 files changed, 101 insertions(+) create mode 100644 phpBB/phpbb/passwords/driver/bcrypt_wcf2.php diff --git a/phpBB/config/passwords.yml b/phpBB/config/passwords.yml index 52a1bd7e5a..56bbd39917 100644 --- a/phpBB/config/passwords.yml +++ b/phpBB/config/passwords.yml @@ -22,6 +22,14 @@ services: tags: - { name: passwords.driver } + passwords.driver.bcrypt_wcf2: + class: phpbb\passwords\driver\bcrypt_wcf2 + arguments: + - @passwords.driver.bcrypt + - @passwords.driver_helper + tags: + - { name: passwords.driver } + passwords.driver.salted_md5: class: phpbb\passwords\driver\salted_md5 arguments: diff --git a/phpBB/phpbb/passwords/driver/bcrypt_wcf2.php b/phpBB/phpbb/passwords/driver/bcrypt_wcf2.php new file mode 100644 index 0000000000..636fe74789 
--- /dev/null +++ b/phpBB/phpbb/passwords/driver/bcrypt_wcf2.php @@ -0,0 +1,91 @@ +bcrypt = $bcrypt; + $this->helper = $helper; + } + + /** + * @inheritdoc + */ + public function get_prefix() + { + return self::PREFIX; + } + + /** + * @inheritdoc + */ + public function is_legacy() + { + return true; + } + + /** + * @inheritdoc + */ + public function hash($password, $user_row = '') + { + // Do not support hashing + return false; + } + + /** + * @inheritdoc + */ + public function check($password, $hash, $user_row = array()) + { + if (empty($hash)) + { + return false; + } + else + { + $salt = substr($hash, 0, 29); + + if (strlen($salt) != 29) + { + return false; + } + // Works for standard WCF 2.x, i.e. WBB4 and similar + return $hash === $this->bcrypt->hash($this->bcrypt->hash($password, $salt), $salt); + } + } + + /** + * @inheritdoc + */ + public function get_settings_only($hash, $full = false) + { + return false; + } +} diff --git a/tests/passwords/drivers_test.php b/tests/passwords/drivers_test.php index 6861e5f805..0254db2016 100644 --- a/tests/passwords/drivers_test.php +++ b/tests/passwords/drivers_test.php @@ -34,6 +34,7 @@ class phpbb_passwords_helper_test extends \phpbb_test_case 'passwords.driver.md5_vb' => new \phpbb\passwords\driver\md5_vb($config, $this->driver_helper), ); $this->passwords_drivers['passwords.driver.md5_phpbb2'] = new \phpbb\passwords\driver\md5_phpbb2($request, $this->passwords_drivers['passwords.driver.salted_md5'], $phpbb_root_path, $php_ext); + $this->passwords_drivers['passwords.driver.bcrypt_wcf2'] = new \phpbb\passwords\driver\bcrypt_wcf2($this->passwords_drivers['passwords.driver.bcrypt'], $this->driver_helper); } public function data_helper_encode64() diff --git a/tests/passwords/manager_test.php b/tests/passwords/manager_test.php index c6ae7db036..91e1035791 100644 --- a/tests/passwords/manager_test.php +++ b/tests/passwords/manager_test.php 
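Review bot: The literal `29` in check() is unexplained. It is the length of a bcrypt settings string (`$2a$`, a two-digit cost, `$`, then the 22-character salt), and a one-line comment such as `// first 29 chars of a bcrypt hash: prefix + cost + 22-char salt` would make that clear. check() also accepts any 29-character prefix of `$hash` as the salt without confirming it starts with a bcrypt identifier. Whether `$this->bcrypt->hash()` rejects a malformed salt or returns false is not visible here, so a short format guard before the double hash would make the failure path explicit.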
@@ -40,6 +40,7 @@ class phpbb_passwords_manager_test extends \phpbb_test_case 'passwords.driver.md5_vb' => new \phpbb\passwords\driver\md5_vb($config, $this->driver_helper), ); $this->passwords_drivers['passwords.driver.md5_phpbb2'] = new \phpbb\passwords\driver\md5_phpbb2($request, $this->passwords_drivers['passwords.driver.salted_md5'], $phpbb_root_path, $php_ext); + $this->passwords_drivers['passwords.driver.bcrypt_wcf2'] = new \phpbb\passwords\driver\bcrypt_wcf2($this->passwords_drivers['passwords.driver.bcrypt'], $this->driver_helper); $this->helper = new \phpbb\passwords\helper; // Set up passwords manager From cf61d35d75bc8b608fb1ee4f5313e797af7ea584 Mon Sep 17 00:00:00 2001 From: Marc Alexander Date: Thu, 29 May 2014 16:33:35 +0200 Subject: [PATCH 22/33] [ticket/12352] Add driver for woltlab community framework 1 passwords PHPBB3-12352 --- phpBB/config/passwords.yml | 8 +++ phpBB/phpbb/passwords/driver/sha1_wcf1.php | 67 ++++++++++++++++++++++ tests/passwords/drivers_test.php | 1 + tests/passwords/manager_test.php | 1 + 4 files changed, 77 insertions(+) create mode 100644 phpBB/phpbb/passwords/driver/sha1_wcf1.php diff --git a/phpBB/config/passwords.yml b/phpBB/config/passwords.yml index 56bbd39917..3dc217286f 100644 --- a/phpBB/config/passwords.yml +++ b/phpBB/config/passwords.yml @@ -62,6 +62,14 @@ services: tags: - { name: passwords.driver } + passwords.driver.sha1_wcf1: + class: phpbb\passwords\driver\sha1_wcf1 + arguments: + - @config + - @passwords.driver_helper + tags: + - { name: passwords.driver } + passwords.driver.sha1: class: phpbb\passwords\driver\sha1 arguments: diff --git a/phpBB/phpbb/passwords/driver/sha1_wcf1.php b/phpBB/phpbb/passwords/driver/sha1_wcf1.php new file mode 100644 index 0000000000..4c1b449c0a --- /dev/null +++ b/phpBB/phpbb/passwords/driver/sha1_wcf1.php 
@@ -0,0 +1,67 @@ + new \phpbb\passwords\driver\salted_md5($config, $this->driver_helper), 'passwords.driver.phpass' => new \phpbb\passwords\driver\phpass($config, $this->driver_helper), 'passwords.driver.sha1_smf' => new \phpbb\passwords\driver\sha1_smf($config, $this->driver_helper), + 'passwords.driver.sha1_wcf1' => new \phpbb\passwords\driver\sha1_wcf1($config, $this->driver_helper), 'passwords.driver.convert_password'=> new \phpbb\passwords\driver\convert_password($config, $this->driver_helper), 'passwords.driver.sha1' => new \phpbb\passwords\driver\sha1($config, $this->driver_helper), 'passwords.driver.md5_mybb' => new \phpbb\passwords\driver\md5_mybb($config, $this->driver_helper), diff --git a/tests/passwords/manager_test.php b/tests/passwords/manager_test.php index 91e1035791..e0cf0913c6 100644 --- a/tests/passwords/manager_test.php +++ b/tests/passwords/manager_test.php @@ -36,6 +36,7 @@ class phpbb_passwords_manager_test extends \phpbb_test_case 'passwords.driver.convert_password' => new \phpbb\passwords\driver\convert_password($config, $this->driver_helper), 'passwords.driver.sha1_smf' => new \phpbb\passwords\driver\sha1_smf($config, $this->driver_helper), 'passwords.driver.sha1' => new \phpbb\passwords\driver\sha1($config, $this->driver_helper), + 'passwords.driver.sha1_wcf1' => new \phpbb\passwords\driver\sha1_wcf1($config, $this->driver_helper), 'passwords.driver.md5_mybb' => new \phpbb\passwords\driver\md5_mybb($config, $this->driver_helper), 'passwords.driver.md5_vb' => new \phpbb\passwords\driver\md5_vb($config, $this->driver_helper), ); From 97c36b00b36a0191a453fd265c4d5f651da065bb Mon Sep 17 00:00:00 2001 From: Marc Alexander Date: Thu, 29 May 2014 16:33:59 +0200 Subject: [PATCH 23/33] [ticket/12352] Add tests for wcf1 and wcf2 drivers PHPBB3-12352 --- tests/passwords/drivers_test.php | 48 ++++++++++++++++++++++++++++++++ 1 file changed, 48 insertions(+) 
diff --git a/tests/passwords/drivers_test.php b/tests/passwords/drivers_test.php index 1bc2165ed7..494b73702e 100644 --- a/tests/passwords/drivers_test.php +++ b/tests/passwords/drivers_test.php 
@@ -226,6 +226,54 @@ class phpbb_passwords_helper_test extends \phpbb_test_case $this->assertSame(false, $this->passwords_drivers['passwords.driver.md5_vb']->get_settings_only('6022de2cc0ecf59ff14b57c6205ee170')); } + public function data_sha1_wcf1_check() + { + return array( + array(false, 'foobar', 'fc46b9d9386167ce365ea3b891bf5dc31ddcd3ff'), + array(false, 'foobar', 'fc46b9d9386167ce365ea3b891bf5dc31ddcd3ff', array('user_passwd_salt' => 'yeOtfFO6')), + array(true, 'foobar', 'fc46b9d9386167ce365ea3b891bf5dc31ddcd3ff', array('user_passwd_salt' => '1a783e478d63f6422783a868db667aed3a857840')), + ); + } + + /** + * @dataProvider data_sha1_wcf1_check + */ + public function test_sha1_wcf1_check($expected, $password, $hash, $user_row = array()) + { + $this->assertSame($expected, $this->passwords_drivers['passwords.driver.sha1_wcf1']->check($password, $hash, $user_row)); + } + + public function test_sha1_wcf1_driver() + { + $this->assertSame(false, $this->passwords_drivers['passwords.driver.sha1_wcf1']->hash('foobar')); + + $this->assertSame(false, $this->passwords_drivers['passwords.driver.sha1_wcf1']->get_settings_only('6022de2cc0ecf59ff14b57c6205ee170')); + } + + public function data_bcrypt_wcf2_check() + { + return array( + array(false, 'foobar', 'fc46b9d9386167ce365ea3b891bf5dc31ddcd3ff'), + array(true, 'foobar', '$2a$08$p8h14U0jsEiVb1Luy.s8oOTXSQ0hVWUXpcNGBoCezeYNXrQyCKHfi'), + array(false, 'foobar', ''), + ); + } + + /** + * @dataProvider data_bcrypt_wcf2_check + */ + public function test_bcrypt_wcf2_check($expected, $password, $hash) + { + $this->assertSame($expected, $this->passwords_drivers['passwords.driver.bcrypt_wcf2']->check($password, $hash)); + } + + public function test_bcrypt_wcf2_driver() + { + $this->assertSame(false, $this->passwords_drivers['passwords.driver.bcrypt_wcf2']->hash('foobar')); + + $this->assertSame(false, $this->passwords_drivers['passwords.driver.bcrypt_wcf2']->get_settings_only('6022de2cc0ecf59ff14b57c6205ee170')); + } + protected 
function utf8_to_cp1252($string) { static $transform = array( From f3eba6275a6965f866b6e3bed7ce5330a14eb960 Mon Sep 17 00:00:00 2001 From: Marc Alexander Date: Thu, 29 May 2014 22:50:21 +0200 Subject: [PATCH 24/33] [ticket/12352] Add passwords driver for xenforo 1.0, 1.1 passwords PHPBB3-12352 --- phpBB/phpbb/passwords/driver/sha_xf1.php | 75 ++++++++++++++++++++++++ tests/passwords/drivers_test.php | 26 ++++++++ tests/passwords/manager_test.php | 1 + 3 files changed, 102 insertions(+) create mode 100644 phpBB/phpbb/passwords/driver/sha_xf1.php diff --git a/phpBB/phpbb/passwords/driver/sha_xf1.php b/phpBB/phpbb/passwords/driver/sha_xf1.php new file mode 100644 index 0000000000..0dd21b10fe --- /dev/null +++ b/phpBB/phpbb/passwords/driver/sha_xf1.php @@ -0,0 +1,75 @@ + new \phpbb\passwords\driver\sha1($config, $this->driver_helper), 'passwords.driver.md5_mybb' => new \phpbb\passwords\driver\md5_mybb($config, $this->driver_helper), 'passwords.driver.md5_vb' => new \phpbb\passwords\driver\md5_vb($config, $this->driver_helper), + 'passwords.driver.sha_xf1' => new \phpbb\passwords\driver\sha_xf1($config, $this->driver_helper), ); $this->passwords_drivers['passwords.driver.md5_phpbb2'] = new \phpbb\passwords\driver\md5_phpbb2($request, $this->passwords_drivers['passwords.driver.salted_md5'], $phpbb_root_path, $php_ext); $this->passwords_drivers['passwords.driver.bcrypt_wcf2'] = new \phpbb\passwords\driver\bcrypt_wcf2($this->passwords_drivers['passwords.driver.bcrypt'], $this->driver_helper); 
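Review bot: `data_bcrypt_wcf2_check()` never exercises the `strlen($salt) != 29` branch of `bcrypt_wcf2::check()` and has no wrong-password case against a well-formed hash. The only rejected inputs are a 40-character hex string, which still yields a 29-character salt, and the empty string, which `empty($hash)` catches first. Two constructed rows would cover both paths: `array(false, 'foobar', '$2a$08$p8h14U0jsEiVb1Luy'),` (the provider's own hash, truncated) and `array(false, 'barfoo', '$2a$08$p8h14U0jsEiVb1Luy.s8oOTXSQ0hVWUXpcNGBoCezeYNXrQyCKHfi'),`. The hunk ends inside the test class; `utf8_to_cp1252()` continues outside it.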
@@ -274,6 +275,31 @@ class phpbb_passwords_helper_test extends \phpbb_test_case $this->assertSame(false, $this->passwords_drivers['passwords.driver.bcrypt_wcf2']->get_settings_only('6022de2cc0ecf59ff14b57c6205ee170')); } + public function data_sha_xf1_check() + { + return array( + array(false, 'foobar', 'fc46b9d9386167ce365ea3b891bf5dc31ddcd3ff'), + array(false, 'foobar', 'fc46b9d9386167ce365ea3b891bf5dc31ddcd3ff', array('user_passwd_salt' => 'yeOtfFO6')), + array(true, 'foobar', '7f65d2fa8a826d232f8134772252f8b1aaef8594b1edcabd9ab65e5b0f236ff0', array('user_passwd_salt' => '15b6c02cedbd727f563dcca607a89b085287b448966f19c0cc78cae263b1e38c')), + array(true, 'foobar', '69962ae2079420573a3948cc4dedbabd35680051', array('user_passwd_salt' => '15b6c02cedbd727f563dcca607a89b085287b448966f19c0cc78cae263b1e38c')), + ); + } + + /** + * @dataProvider data_sha_xf1_check + */ + public function test_sha_xf1_check($expected, $password, $hash, $user_row = array()) + { + $this->assertSame($expected, $this->passwords_drivers['passwords.driver.sha_xf1']->check($password, $hash, $user_row)); + } + + public function test_sha_xf1_driver() + { + $this->assertSame(false, $this->passwords_drivers['passwords.driver.sha_xf1']->hash('foobar')); + + $this->assertSame(false, $this->passwords_drivers['passwords.driver.sha_xf1']->get_settings_only('6022de2cc0ecf59ff14b57c6205ee170')); + } + protected function utf8_to_cp1252($string) { static $transform = array( diff --git a/tests/passwords/manager_test.php b/tests/passwords/manager_test.php index e0cf0913c6..714b9d8ebf 100644 --- a/tests/passwords/manager_test.php +++ b/tests/passwords/manager_test.php 
@@ -39,6 +39,7 @@ class phpbb_passwords_manager_test extends \phpbb_test_case 'passwords.driver.sha1_wcf1' => new \phpbb\passwords\driver\sha1_wcf1($config, $this->driver_helper), 'passwords.driver.md5_mybb' => new \phpbb\passwords\driver\md5_mybb($config, $this->driver_helper), 'passwords.driver.md5_vb' => new \phpbb\passwords\driver\md5_vb($config, $this->driver_helper), + 'passwords.driver.sha_xf1' => new \phpbb\passwords\driver\sha_xf1($config, $this->driver_helper), ); $this->passwords_drivers['passwords.driver.md5_phpbb2'] = new \phpbb\passwords\driver\md5_phpbb2($request, $this->passwords_drivers['passwords.driver.salted_md5'], $phpbb_root_path, $php_ext); $this->passwords_drivers['passwords.driver.bcrypt_wcf2'] = new \phpbb\passwords\driver\bcrypt_wcf2($this->passwords_drivers['passwords.driver.bcrypt'], $this->driver_helper); From 4b3aacfd18a8a3334532f9fcc830affb5f12963b Mon Sep 17 00:00:00 2001 From: Marc Alexander Date: Fri, 30 May 2014 00:22:55 +0200 Subject: [PATCH 25/33] [ticket/12352] Add get_settings_only method to passwords driver base PHPBB3-12352 --- phpBB/phpbb/passwords/driver/base.php | 8 ++++++++ phpBB/phpbb/passwords/driver/bcrypt_wcf2.php | 8 -------- .../passwords/driver/convert_password.php | 8 -------- phpBB/phpbb/passwords/driver/md5_mybb.php | 8 -------- phpBB/phpbb/passwords/driver/md5_phpbb2.php | 8 -------- phpBB/phpbb/passwords/driver/md5_vb.php | 8 -------- phpBB/phpbb/passwords/driver/sha1.php | 8 -------- phpBB/phpbb/passwords/driver/sha1_smf.php | 8 -------- phpBB/phpbb/passwords/driver/sha1_wcf1.php | 8 -------- phpBB/phpbb/passwords/driver/sha_xf1.php | 8 -------- tests/passwords/drivers_test.php | 18 +----------------- 11 files changed, 9 insertions(+), 89 deletions(-) diff --git a/phpBB/phpbb/passwords/driver/base.php b/phpBB/phpbb/passwords/driver/base.php index b74c2d3d72..1d47180e55 100644 --- a/phpBB/phpbb/passwords/driver/base.php +++ b/phpBB/phpbb/passwords/driver/base.php 
@@ -51,4 +51,12 @@ abstract class base implements driver_interface { return false; } + + /** + * @inheritdoc + */ + public function get_settings_only($hash, $full = false) + { + return false; + } } diff --git a/phpBB/phpbb/passwords/driver/bcrypt_wcf2.php b/phpBB/phpbb/passwords/driver/bcrypt_wcf2.php index 636fe74789..ecfef9de18 100644 --- a/phpBB/phpbb/passwords/driver/bcrypt_wcf2.php +++ b/phpBB/phpbb/passwords/driver/bcrypt_wcf2.php @@ -80,12 +80,4 @@ class bcrypt_wcf2 extends base return $hash === $this->bcrypt->hash($this->bcrypt->hash($password, $salt), $salt); } } - - /** - * @inheritdoc - */ - public function get_settings_only($hash, $full = false) - { - return false; - } } diff --git a/phpBB/phpbb/passwords/driver/convert_password.php b/phpBB/phpbb/passwords/driver/convert_password.php index 354c6b9ff3..97c7bcb8ab 100644 --- a/phpBB/phpbb/passwords/driver/convert_password.php +++ b/phpBB/phpbb/passwords/driver/convert_password.php @@ -39,12 +39,4 @@ class convert_password extends base { return false; } - - /** - * @inheritdoc - */ - public function get_settings_only($hash, $full = false) - { - return false; - } } diff --git a/phpBB/phpbb/passwords/driver/md5_mybb.php b/phpBB/phpbb/passwords/driver/md5_mybb.php index 59a08039f2..d17f3ea035 100644 --- a/phpBB/phpbb/passwords/driver/md5_mybb.php +++ b/phpBB/phpbb/passwords/driver/md5_mybb.php @@ -56,12 +56,4 @@ class md5_mybb extends base return $hash === md5(md5($user_row['user_passwd_salt']) . md5($password)); } } - - /** - * @inheritdoc - */ - public function get_settings_only($hash, $full = false) - { - return false; - } } diff --git a/phpBB/phpbb/passwords/driver/md5_phpbb2.php b/phpBB/phpbb/passwords/driver/md5_phpbb2.php index 41a589d3b8..093e3b4c65 100644 --- a/phpBB/phpbb/passwords/driver/md5_phpbb2.php +++ b/phpBB/phpbb/passwords/driver/md5_phpbb2.php 
@@ -114,12 +114,4 @@ class md5_phpbb2 extends base return false; } - - /** - * @inheritdoc - */ - public function get_settings_only($hash, $full = false) - { - return false; - } } diff --git a/phpBB/phpbb/passwords/driver/md5_vb.php b/phpBB/phpbb/passwords/driver/md5_vb.php index 719c6279aa..00b691dd63 100644 --- a/phpBB/phpbb/passwords/driver/md5_vb.php +++ b/phpBB/phpbb/passwords/driver/md5_vb.php @@ -56,12 +56,4 @@ class md5_vb extends base return $hash === md5(md5($password) . $user_row['user_passwd_salt']); } } - - /** - * @inheritdoc - */ - public function get_settings_only($hash, $full = false) - { - return false; - } } diff --git a/phpBB/phpbb/passwords/driver/sha1.php b/phpBB/phpbb/passwords/driver/sha1.php index a698392ec6..35cd64769b 100644 --- a/phpBB/phpbb/passwords/driver/sha1.php +++ b/phpBB/phpbb/passwords/driver/sha1.php @@ -48,12 +48,4 @@ class sha1 extends base { return $hash === sha1($password); } - - /** - * @inheritdoc - */ - public function get_settings_only($hash, $full = false) - { - return false; - } } diff --git a/phpBB/phpbb/passwords/driver/sha1_smf.php b/phpBB/phpbb/passwords/driver/sha1_smf.php index f7f5587485..92181ccef2 100644 --- a/phpBB/phpbb/passwords/driver/sha1_smf.php +++ b/phpBB/phpbb/passwords/driver/sha1_smf.php @@ -47,12 +47,4 @@ class sha1_smf extends base { return $hash === $this->hash($password, $user_row); } - - /** - * @inheritdoc - */ - public function get_settings_only($hash, $full = false) - { - return false; - } } diff --git a/phpBB/phpbb/passwords/driver/sha1_wcf1.php b/phpBB/phpbb/passwords/driver/sha1_wcf1.php index 4c1b449c0a..5241dc345f 100644 --- a/phpBB/phpbb/passwords/driver/sha1_wcf1.php +++ b/phpBB/phpbb/passwords/driver/sha1_wcf1.php 
@@ -56,12 +56,4 @@ class sha1_wcf1 extends base return $hash === sha1($user_row['user_passwd_salt'] . sha1($user_row['user_passwd_salt'] . sha1($password))); } } - - /** - * @inheritdoc - */ - public function get_settings_only($hash, $full = false) - { - return false; - } } diff --git a/phpBB/phpbb/passwords/driver/sha_xf1.php b/phpBB/phpbb/passwords/driver/sha_xf1.php index 0dd21b10fe..4b5e4a0b26 100644 --- a/phpBB/phpbb/passwords/driver/sha_xf1.php +++ b/phpBB/phpbb/passwords/driver/sha_xf1.php @@ -64,12 +64,4 @@ class sha_xf1 extends base } } } - - /** - * @inheritdoc - */ - public function get_settings_only($hash, $full = false) - { - return false; - } } diff --git a/tests/passwords/drivers_test.php b/tests/passwords/drivers_test.php index d562f50d25..ccfb05c40f 100644 --- a/tests/passwords/drivers_test.php +++ b/tests/passwords/drivers_test.php 
@@ -156,25 +156,19 @@ class phpbb_passwords_helper_test extends \phpbb_test_case $this->assertSame($expected, $this->passwords_drivers['passwords.driver.md5_phpbb2']->check($password, $hash)); } - public function test_md5_phpbb2_unneeded_functions() + public function test_md5_phpbb2_hash() { $this->assertSame(false, $this->passwords_drivers['passwords.driver.md5_phpbb2']->hash('foobar')); - - $this->assertSame(false, $this->passwords_drivers['passwords.driver.md5_phpbb2']->get_settings_only('ae2fc75e20ee25d4520766788fbc96ae')); } public function test_convert_password_driver() { $this->assertSame(false, $this->passwords_drivers['passwords.driver.convert_password']->hash('foobar')); - - $this->assertSame(false, $this->passwords_drivers['passwords.driver.convert_password']->get_settings_only('ae2fc75e20ee25d4520766788fbc96ae')); } public function test_sha1_driver() { $this->assertSame(false, $this->passwords_drivers['passwords.driver.sha1']->hash('foobar')); - - $this->assertSame(false, $this->passwords_drivers['passwords.driver.sha1']->get_settings_only('ae2fc75e20ee25d4520766788fbc96ae')); } public function data_md5_mybb_check() @@ -197,8 +191,6 @@ class phpbb_passwords_helper_test extends \phpbb_test_case public function test_md5_mybb_driver() { $this->assertSame(false, $this->passwords_drivers['passwords.driver.md5_mybb']->hash('foobar')); - - $this->assertSame(false, $this->passwords_drivers['passwords.driver.md5_mybb']->get_settings_only('6022de2cc0ecf59ff14b57c6205ee170')); } public function data_md5_vb_check() @@ -223,8 +215,6 @@ class phpbb_passwords_helper_test extends \phpbb_test_case public function test_md5_vb_driver() { $this->assertSame(false, $this->passwords_drivers['passwords.driver.md5_vb']->hash('foobar')); - - $this->assertSame(false, $this->passwords_drivers['passwords.driver.md5_vb']->get_settings_only('6022de2cc0ecf59ff14b57c6205ee170')); } public function data_sha1_wcf1_check() 
@@ -247,8 +237,6 @@ class phpbb_passwords_helper_test extends \phpbb_test_case public function test_sha1_wcf1_driver() { $this->assertSame(false, $this->passwords_drivers['passwords.driver.sha1_wcf1']->hash('foobar')); - - $this->assertSame(false, $this->passwords_drivers['passwords.driver.sha1_wcf1']->get_settings_only('6022de2cc0ecf59ff14b57c6205ee170')); } public function data_bcrypt_wcf2_check() @@ -271,8 +259,6 @@ class phpbb_passwords_helper_test extends \phpbb_test_case public function test_bcrypt_wcf2_driver() { $this->assertSame(false, $this->passwords_drivers['passwords.driver.bcrypt_wcf2']->hash('foobar')); - - $this->assertSame(false, $this->passwords_drivers['passwords.driver.bcrypt_wcf2']->get_settings_only('6022de2cc0ecf59ff14b57c6205ee170')); } public function data_sha_xf1_check() @@ -296,8 +282,6 @@ class phpbb_passwords_helper_test extends \phpbb_test_case public function test_sha_xf1_driver() { $this->assertSame(false, $this->passwords_drivers['passwords.driver.sha_xf1']->hash('foobar')); - - $this->assertSame(false, $this->passwords_drivers['passwords.driver.sha_xf1']->get_settings_only('6022de2cc0ecf59ff14b57c6205ee170')); } protected function utf8_to_cp1252($string) From fcaae9b0474035b9869f7e80c82242293edcfc27 Mon Sep 17 00:00:00 2001 From: Marc Alexander Date: Fri, 30 May 2014 17:39:04 +0200 Subject: [PATCH 26/33] [ticket/12352] Check each newly added passwords driver in manager_test PHPBB3-12352 --- tests/passwords/manager_test.php | 41 +++++++++++++++++++------------- 1 file changed, 25 insertions(+), 16 deletions(-) diff --git a/tests/passwords/manager_test.php b/tests/passwords/manager_test.php index 714b9d8ebf..e46cf820f2 100644 --- a/tests/passwords/manager_test.php +++ b/tests/passwords/manager_test.php 
@@ -144,28 +144,37 @@ class phpbb_passwords_manager_test extends \phpbb_test_case public function check_hash_exceptions_data() { return array( - array('foobar', '3858f62230ac3c915f300c664312c63f', true), - array('foobar', '$CP$3858f62230ac3c915f300c664312c63f', true), - array('foobar', '$CP$3858f62230ac3c915f300c', false), - array('foobar', '$S$b57a939fa4f2c04413a4eea9734a0903647b7adb93181295', false), - array('foobar', '$2a\S$kkkkaakdkdiej39023903204j2k3490234jk234j02349', false), - array('foobar', '$H$kklk938d023k//k3023', false), - array('foobar', '$H$3PtYMgXb39lrIWkgoxYLWtRkZtY3AY/', false), - array('foobar', '$2a$kwiweorurlaeirw', false), - array('foobar', '6f9e2a1899e1f15708fd2e554103480eb53e8b57', false), - array('foobar', '6f9e2a1899e1f15708fd2e554103480eb53e8b57', false, array('login_name' => 'test')), - array('foobar', '$CP$6f9e2a1899e1f15708fd2e554103480eb53e8b57', true, array('login_name' => 'test')), - array('foobar', '6f9e2a1899', false, array('login_name' => 'test')), - array('fööbar', 'ae2fc75e20ee25d4520766788fbc96ae', false), - array('fööbar', '$CP$ae2fc75e20ee25d4520766788fbc96ae', false), - array(utf8_decode('fööbar'), '$CP$ae2fc75e20ee25d4520766788fbc96ae', true), + array('3858f62230ac3c915f300c664312c63f', true), + array('$CP$3858f62230ac3c915f300c664312c63f', true), // md5_phpbb2 + array('$CP$3858f62230ac3c915f300c', false), + array('$S$b57a939fa4f2c04413a4eea9734a0903647b7adb93181295', false), + array('$2a\S$kkkkaakdkdiej39023903204j2k3490234jk234j02349', false), + array('$H$kklk938d023k//k3023', false), + array('$H$3PtYMgXb39lrIWkgoxYLWtRkZtY3AY/', false), + array('$2a$kwiweorurlaeirw', false), + array('6f9e2a1899e1f15708fd2e554103480eb53e8b57', false), + array('6f9e2a1899e1f15708fd2e554103480eb53e8b57', false, 'foobar', array('login_name' => 'test')), + array('$CP$6f9e2a1899e1f15708fd2e554103480eb53e8b57', true, 'foobar', array('login_name' => 'test')), // sha1_smf + array('6f9e2a1899', false, 'foobar', array('login_name' => 'test')), + 
array('ae2fc75e20ee25d4520766788fbc96ae', false, 'fööbar'), + array('$CP$ae2fc75e20ee25d4520766788fbc96ae', false, 'fööbar'), + array('$CP$ae2fc75e20ee25d4520766788fbc96ae', true, utf8_decode('fööbar')), // md5_phpbb2 + array('b86ee7e24008bfd2890dcfab1ed31333', false, 'foobar', array('user_passwd_salt' => 'yeOtfFO6')), + array('$CP$b86ee7e24008bfd2890dcfab1ed31333', true, 'foobar', array('user_passwd_salt' => 'yeOtfFO6')), // md5_mybb + array('$CP$b452c54c44c588fc095d2d000935c470', true, 'foobar', array('user_passwd_salt' => '9^F')), // md5_vb + array('$CP$f23a8241bd115d270c703213e3ef7f52', true, 'foobar', array('user_passwd_salt' => 'iaU*U%`CBl;/e~>D%do2m@Xf/,KZB0')), // md5_vb + array('$CP$fc46b9d9386167ce365ea3b891bf5dc31ddcd3ff', true, 'foobar', array('user_passwd_salt' => '1a783e478d63f6422783a868db667aed3a857840')), // sha_wcf1 + array('$2a$08$p8h14U0jsEiVb1Luy.s8oOTXSQ0hVWUXpcNGBoCezeYNXrQyCKHfi', false), + array('$CP$$2a$08$p8h14U0jsEiVb1Luy.s8oOTXSQ0hVWUXpcNGBoCezeYNXrQyCKHfi', true), // bcrypt_wcf2 + array('$CP$7f65d2fa8a826d232f8134772252f8b1aaef8594b1edcabd9ab65e5b0f236ff0', true, 'foobar', array('user_passwd_salt' => '15b6c02cedbd727f563dcca607a89b085287b448966f19c0cc78cae263b1e38c')), // sha_xf1 + array('$CP$69962ae2079420573a3948cc4dedbabd35680051', true, 'foobar', array('user_passwd_salt' => '15b6c02cedbd727f563dcca607a89b085287b448966f19c0cc78cae263b1e38c')), // sha_xf1 ); } /** * @dataProvider check_hash_exceptions_data */ - public function test_check_hash_exceptions($password, $hash, $expected, $user_row = array()) + public function test_check_hash_exceptions($hash, $expected, $password = 'foobar', $user_row = array()) { $this->assertEquals($expected, $this->manager->check($password, $hash, $user_row)); } From dde92019759e63ec176f05da98742747113944b3 Mon Sep 17 00:00:00 2001 
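Review bot: `test_check_hash_exceptions()` asserts with `assertEquals`, so a truthy non-boolean return from `$this->manager->check()` would satisfy an expected `true`. The driver tests in drivers_test.php use `assertSame`, and `$this->assertSame($expected, $this->manager->check($password, $hash, $user_row));` would hold the manager to the same strictness. The added data comment `// sha_wcf1` also names a driver that is registered as `sha1_wcf1` elsewhere in this series.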
From: Marc Alexander Date: Fri, 30 May 2014 17:46:22 +0200 Subject: [PATCH 27/33] [ticket/12352] Remove user_pass_convert column from database PHPBB3-12352 --- .../data/v310/passwords_convert_p2.php | 40 +++++++++++++++++++ 1 file changed, 40 insertions(+) create mode 100644 phpBB/phpbb/db/migration/data/v310/passwords_convert_p2.php diff --git a/phpBB/phpbb/db/migration/data/v310/passwords_convert_p2.php b/phpBB/phpbb/db/migration/data/v310/passwords_convert_p2.php new file mode 100644 index 0000000000..3a7d3d2169 --- /dev/null +++ b/phpBB/phpbb/db/migration/data/v310/passwords_convert_p2.php @@ -0,0 +1,40 @@ + array( + $this->table_prefix . 'users' => array( + 'user_pass_convert', + ), + ), + ); + } + + public function revert_schema() + { + return array( + 'add_columns' => array( + $this->table_prefix . 'users' => array( + 'user_pass_convert' => array('BOOL', 0, 'after' => 'user_passchg'), + ), + ), + ); + } +} From 0a1e21c17fe6181d3826ff88c86e4d040aff447f Mon Sep 17 00:00:00 2001 From: Marc Alexander Date: Fri, 30 May 2014 18:11:29 +0200 Subject: [PATCH 28/33] [ticket/12352] Update schema json file PHPBB3-12352 --- phpBB/install/schemas/schema.json | 4 ---- 1 file changed, 4 deletions(-) diff --git a/phpBB/install/schemas/schema.json b/phpBB/install/schemas/schema.json index f684fddc25..79f06693a6 100644 --- a/phpBB/install/schemas/schema.json +++ b/phpBB/install/schemas/schema.json @@ -3023,10 +3023,6 @@ "TIMESTAMP", 0 ], - "user_pass_convert": [ - "BOOL", - 0 - ], "user_email": [ "VCHAR_UNI:100", "" From 4698f6928e44a24a7a10ff8b4fed2c1a24cab338 Mon Sep 17 00:00:00 2001 
From: Marc Alexander Date: Fri, 30 May 2014 23:00:57 +0200 Subject: [PATCH 29/33] [ticket/12352] Remove usages of user_pass_convert column PHPBB3-12352 --- phpBB/includes/acp/acp_users.php | 1 - phpBB/includes/functions_user.php | 1 - phpBB/includes/ucp/ucp_activate.php | 1 - phpBB/phpbb/auth/provider/db.php | 5 ++--- phpBB/phpbb/auth/provider/oauth/oauth.php | 2 +- tests/auth/fixtures/user.xml | 3 --- tests/auth/fixtures/user_533.xml | 3 --- tests/auth/provider_apache_test.php | 1 - tests/auth/provider_db_test.php | 1 - 9 files changed, 3 insertions(+), 15 deletions(-) diff --git a/phpBB/includes/acp/acp_users.php b/phpBB/includes/acp/acp_users.php index b653ddd13b..c25d6d36d1 100644 --- a/phpBB/includes/acp/acp_users.php +++ b/phpBB/includes/acp/acp_users.php @@ -922,7 +922,6 @@ class acp_users $sql_ary += array( 'user_password' => $passwords_manager->hash($data['new_password']), 'user_passchg' => time(), - 'user_pass_convert' => 0, ); $user->reset_login_keys($user_id); diff --git a/phpBB/includes/functions_user.php b/phpBB/includes/functions_user.php index 3dcb32350e..293a0dea52 100644 --- a/phpBB/includes/functions_user.php +++ b/phpBB/includes/functions_user.php @@ -184,7 +184,6 @@ function user_add($user_row, $cp_data = false) 'username' => $user_row['username'], 'username_clean' => $username_clean, 'user_password' => (isset($user_row['user_password'])) ? $user_row['user_password'] : '', - 'user_pass_convert' => 0, 'user_email' => strtolower($user_row['user_email']), 'user_email_hash' => phpbb_email_hash($user_row['user_email']), 'group_id' => $user_row['group_id'], diff --git a/phpBB/includes/ucp/ucp_activate.php b/phpBB/includes/ucp/ucp_activate.php index 06326e57e6..53dec89aad 100644 --- a/phpBB/includes/ucp/ucp_activate.php +++ b/phpBB/includes/ucp/ucp_activate.php @@ -78,7 +78,6 @@ class ucp_activate 'user_actkey' => '', 'user_password' => $user_row['user_newpasswd'], 'user_newpasswd' => '', - 'user_pass_convert' => 0, 'user_login_attempts' => 0, ); 
diff --git a/phpBB/phpbb/auth/provider/db.php b/phpBB/phpbb/auth/provider/db.php index 7307a697ae..142a47247f 100644 --- a/phpBB/phpbb/auth/provider/db.php +++ b/phpBB/phpbb/auth/provider/db.php @@ -78,7 +78,7 @@ class db extends \phpbb\auth\provider\base $username_clean = utf8_clean_string($username); - $sql = 'SELECT user_id, username, user_password, user_passchg, user_pass_convert, user_email, user_type, user_login_attempts + $sql = 'SELECT user_id, username, user_password, user_passchg, user_email, user_type, user_login_attempts FROM ' . USERS_TABLE . " WHERE username_clean = '" . $this->db->sql_escape($username_clean) . "'"; $result = $this->db->sql_query($sql); @@ -180,8 +180,7 @@ class db extends \phpbb\auth\provider\base // Update the password in the users table to the new format $sql = 'UPDATE ' . USERS_TABLE . " - SET user_password = '" . $this->db->sql_escape($hash) . "', - user_pass_convert = 0 + SET user_password = '" . $this->db->sql_escape($hash) . "' WHERE user_id = {$row['user_id']}"; $this->db->sql_query($sql); diff --git a/phpBB/phpbb/auth/provider/oauth/oauth.php b/phpBB/phpbb/auth/provider/oauth/oauth.php index 2230ce15d1..07430bb42a 100644 --- a/phpBB/phpbb/auth/provider/oauth/oauth.php +++ b/phpBB/phpbb/auth/provider/oauth/oauth.php @@ -215,7 +215,7 @@ class oauth extends \phpbb\auth\provider\base } // Retrieve the user's account - $sql = 'SELECT user_id, username, user_password, user_passchg, user_pass_convert, user_email, user_type, user_login_attempts + $sql = 'SELECT user_id, username, user_password, user_passchg, user_email, user_type, user_login_attempts FROM ' . $this->users_table . ' WHERE user_id = ' . (int) $row['user_id']; $result = $this->db->sql_query($sql); diff --git a/tests/auth/fixtures/user.xml b/tests/auth/fixtures/user.xml index 77f707bab3..1e0eb6ee49 100644 --- a/tests/auth/fixtures/user.xml +++ b/tests/auth/fixtures/user.xml 
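Review bot: The rewritten UPDATE in db.php still interpolates `{$row['user_id']}` into the WHERE clause uncast, while the oauth.php query touched by this same commit uses `(int) $row['user_id']`. The value presumably comes from the users row fetched earlier in the function, which lies outside the hunk, so this is hardening and consistency rather than a demonstrated injection. Ending the statement with `WHERE user_id = " . (int) $row['user_id'];` would bring the two providers in line.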
@@ -6,7 +6,6 @@ username_clean user_password user_passchg - user_pass_convert user_email user_type user_login_attempts @@ -18,7 +17,6 @@ foobar $2y$10$4RmpyVu2y8Yf/lP3.yQBquKvE54TCUuEDEBJYY6FDDFN3LcbCGz9i 0 - 0 example@example.com 0 0 @@ -31,7 +29,6 @@ foobar2 $H$9E45lK6J8nLTSm9oJE5aNCSTFK9wqa/ 0 - 0 example@example.com 0 0 diff --git a/tests/auth/fixtures/user_533.xml b/tests/auth/fixtures/user_533.xml index b64f376e5b..9731e4db4a 100644 --- a/tests/auth/fixtures/user_533.xml +++ b/tests/auth/fixtures/user_533.xml @@ -6,7 +6,6 @@ username_clean user_password user_passchg - user_pass_convert user_email user_type user_login_attempts @@ -18,7 +17,6 @@ foobar $2a$10$e01Syh9PbJjUkio66eFuUu4FhCE2nRgG7QPc1JACalsPXcIuG2bbi 0 - 0 example@example.com 0 0 @@ -31,7 +29,6 @@ foobar2 $H$9E45lK6J8nLTSm9oJE5aNCSTFK9wqa/ 0 - 0 example@example.com 0 0 diff --git a/tests/auth/provider_apache_test.php b/tests/auth/provider_apache_test.php index e17040902f..2decf0f18c 100644 --- a/tests/auth/provider_apache_test.php +++ b/tests/auth/provider_apache_test.php @@ -148,7 +148,6 @@ class phpbb_auth_provider_apache_test extends phpbb_database_test_case 'username_clean' => 'foobar', 'user_password' => $this->password_hash, 'user_passchg' => '0', - 'user_pass_convert' => '0', 'user_email' => 'example@example.com', 'user_email_hash' => '0', 'user_birthday' => '', diff --git a/tests/auth/provider_db_test.php b/tests/auth/provider_db_test.php index f071709a4b..23324f87f2 100644 --- a/tests/auth/provider_db_test.php +++ b/tests/auth/provider_db_test.php @@ -70,7 +70,6 @@ class phpbb_auth_provider_db_test extends phpbb_database_test_case 'username' => 'foobar', 'user_password' => $password_hash, 'user_passchg' => '0', - 'user_pass_convert' => '0', 'user_email' => 'example@example.com', 'user_type' => '0', 'user_login_attempts' => '0', From 306beab4cba155a933391c40c75f5dd9c57fd69e Mon Sep 17 00:00:00 2001 
From: Marc Alexander Date: Sat, 31 May 2014 14:56:03 +0200 Subject: [PATCH 30/33] [ticket/12352] Add checks for existing user_pass_convert to migrations PHPBB3-12352 --- phpBB/phpbb/db/migration/data/v310/passwords_convert_p1.php | 6 ++++++ phpBB/phpbb/db/migration/data/v310/passwords_convert_p2.php | 5 +++++ 2 files changed, 11 insertions(+) diff --git a/phpBB/phpbb/db/migration/data/v310/passwords_convert_p1.php b/phpBB/phpbb/db/migration/data/v310/passwords_convert_p1.php index 24af20cf5c..a0c7c7eb75 100644 --- a/phpBB/phpbb/db/migration/data/v310/passwords_convert_p1.php +++ b/phpBB/phpbb/db/migration/data/v310/passwords_convert_p1.php @@ -25,6 +25,12 @@ class passwords_convert_p1 extends \phpbb\db\migration\migration public function update_passwords($start) { + // Nothing to do if user_pass_convert column doesn't exist + if (!$this->db_tools->sql_column_exists($this->table_prefix . 'users', 'user_pass_convert')) + { + return; + } + $start = (int) $start; $limit = 1000; $converted_users = 0; diff --git a/phpBB/phpbb/db/migration/data/v310/passwords_convert_p2.php b/phpBB/phpbb/db/migration/data/v310/passwords_convert_p2.php index 3a7d3d2169..e7d5e4e157 100644 --- a/phpBB/phpbb/db/migration/data/v310/passwords_convert_p2.php +++ b/phpBB/phpbb/db/migration/data/v310/passwords_convert_p2.php @@ -11,6 +11,11 @@ namespace phpbb\db\migration\data\v310; class passwords_convert_p2 extends \phpbb\db\migration\migration { + public function effectively_installed() + { + return !$this->db_tools->sql_column_exists($this->table_prefix . 'users', 'user_pass_convert'); + } + static public function depends_on() { return array('\phpbb\db\migration\data\v310\passwords_convert_p1'); From 6f5f0d6d8d5d3afcabccaa9da7c64108af5d4ab7 Mon Sep 17 00:00:00 2001 
From: Marc Alexander Date: Sat, 31 May 2014 22:43:07 +0200 Subject: [PATCH 31/33] [ticket/12352] Use custom provider collection for auth providers Using this custom provider collection, we can properly check whether the configured auth provider does exist. The method get_provider() has been added for returning the default auth provider or the standard db auth provider if the specified one does not exist. Additionally, the method get_provider() will throw an RuntimeException if none of the above exist. PHPBB3-12352 --- phpBB/config/auth_providers.yml | 3 +- phpBB/includes/functions.php | 10 +--- phpBB/phpbb/auth/provider_collection.php | 63 ++++++++++++++++++++++++ phpBB/phpbb/session.php | 25 ++-------- tests/session/testable_factory.php | 4 +- 5 files changed, 73 insertions(+), 32 deletions(-) create mode 100644 phpBB/phpbb/auth/provider_collection.php diff --git a/phpBB/config/auth_providers.yml b/phpBB/config/auth_providers.yml index dac8b9d252..d2f22ec477 100644 --- a/phpBB/config/auth_providers.yml +++ b/phpBB/config/auth_providers.yml @@ -1,8 +1,9 @@ services: auth.provider_collection: - class: phpbb\di\service_collection + class: phpbb\auth\provider_collection arguments: - @service_container + - @config tags: - { name: service_collection, tag: auth.provider } auth.provider.db: diff --git a/phpBB/includes/functions.php b/phpBB/includes/functions.php index 31a6246d34..0d0bc4e6f6 100644 --- a/phpBB/includes/functions.php +++ b/phpBB/includes/functions.php 
@@ -2855,15 +2855,7 @@ function login_box($redirect = '', $l_explain = '', $l_success = '', $admin = fa } $provider_collection = $phpbb_container->get('auth.provider_collection'); - $auth_method = $config['auth_method']; - - // Revert to db auth provider if selected method does not exist - if (!isset($provider_collection['auth.provider.' . $config['auth_method']])) - { - $auth_method = 'db'; - } - - $auth_provider = $provider_collection['auth.provider.' . $auth_method]; + $auth_provider = $provider_collection->get_provider(); $auth_provider_data = $auth_provider->get_login_data(); if ($auth_provider_data) diff --git a/phpBB/phpbb/auth/provider_collection.php b/phpBB/phpbb/auth/provider_collection.php new file mode 100644 index 0000000000..bef1dd2c50 --- /dev/null +++ b/phpBB/phpbb/auth/provider_collection.php @@ -0,0 +1,63 @@ +container = $container; + $this->config = $config; + } + + /** + * Get an auth provider. + * + * @return object Default auth provider selected in config if it + * does exist. Otherwise the standard db auth + * provider. + * @throws \RuntimeException If neither the auth provider that + * is specified by the phpBB config nor the db + * auth provider exist. The db auth provider + * should always exist in a phpBB installation. + */ + public function get_provider() + { + if ($this->offsetExists('auth.provider.' . basename(trim($this->config['auth_method'])))) + { + return $this->offsetGet('auth.provider.' . basename(trim($this->config['auth_method']))); + } + // Revert to db auth provider if selected method does not exist + elseif ($this->offsetExists('auth.provider.db')) + { + return $this->offsetGet('auth.provider.db'); + } + else + { + throw new \RuntimeException(sprintf('The authentication provider for the authentication method "%1$s" does not exist. It was not possible to recover from this by reverting to the database authentication provider.', $this->config['auth_method'])); + } + } +} 
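Review bot: In `get_provider()` of the new provider_collection.php the fallback to `auth.provider.db` is silent, so a board configured for an external auth method would be served by the db provider with no trace when the configured provider service is missing. Recording that fallback somewhere an administrator will see it would make the condition detectable; no logger is injected in the visible part of the constructor, so this would presumably need a new dependency. Separately, the service key is built twice and the exception message prints the raw `$this->config['auth_method']` rather than the normalised name that was actually looked up. Computing it once, `$key = 'auth.provider.' . basename(trim($this->config['auth_method']));`, keeps the lookup and the message in step. The top of the file, including the start of the constructor, is missing from the page.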
diff --git a/phpBB/phpbb/session.php b/phpBB/phpbb/session.php index c663977882..ad6759a3e2 100644 --- a/phpBB/phpbb/session.php +++ b/phpBB/phpbb/session.php @@ -408,16 +408,8 @@ class session $session_expired = false; // Check whether the session is still valid if we have one - $method = basename(trim($config['auth_method'])); - $provider_collection = $phpbb_container->get('auth.provider_collection'); - - // Revert to db auth provider if selected method does not exist - if (!isset($provider_collection['auth.provider.' . $method])) - { - $method = 'db'; - } - $provider = $provider_collection['auth.provider.' . $method]; + $provider = $provider_collection->get_provider(); if (!($provider instanceof \phpbb\auth\provider\provider_interface)) { @@ -584,16 +576,8 @@ class session } } - $method = basename(trim($config['auth_method'])); - $provider_collection = $phpbb_container->get('auth.provider_collection'); - - // Revert to db auth provider if selected method does not exist - if (!isset($provider_collection['auth.provider.' . $method])) - { - $method = 'db'; - } - $provider = $provider_collection['auth.provider.' . $method]; + $provider = $provider_collection->get_provider(); $this->data = $provider->autologin(); if (sizeof($this->data)) @@ -912,9 +896,8 @@ class session $db->sql_query($sql); // Allow connecting logout with external auth method logout - $method = basename(trim($config['auth_method'])); - - $provider = $phpbb_container->get('auth.provider.' . $method); + $provider_collection = $phpbb_container->get('auth.provider_collection'); + $provider = $provider_collection->get_provider(); $provider->logout($this->data, $new_session); if ($this->data['user_id'] != ANONYMOUS) diff --git a/tests/session/testable_factory.php b/tests/session/testable_factory.php index 4bd7fa1366..3e25286480 100644 --- a/tests/session/testable_factory.php +++ b/tests/session/testable_factory.php 
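Review bot: Only the first call site (hunk at line 408) checks `$provider instanceof \phpbb\auth\provider\provider_interface` after `get_provider()`; within the visible context the hunks at 584 and 912 call `autologin()` and `logout()` on the result directly, and `get_provider()` is documented as returning a plain `object`. Now that the lookup is centralised, that check could live inside `get_provider()` so every caller gets the same guarantee. The logout hunk also changes behaviour: the configured provider used to be fetched straight from the container, whereas a missing provider now falls back to db, so the external logout mentioned in the comment above it would presumably not run. A comment such as `// Falls back to the db provider if the configured one is missing` would make that explicit. All three enclosing methods start and end outside the hunks.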
@@ -96,9 +96,11 @@ class phpbb_session_testable_factory 'auth.provider.db', new phpbb_mock_auth_provider() ); + $provider_collection = new \phpbb\auth\provider_collection($phpbb_container, $config); + $provider_collection->add('auth.provider.db'); $phpbb_container->set( 'auth.provider_collection', - array('auth.provider.db' => $phpbb_container->get('auth.provider.db')) + $provider_collection ); $session = new phpbb_mock_session_testable; From 94b2b64ca199f3db66818c3830c96ea9ff7eeff9 Mon Sep 17 00:00:00 2001 From: Marc Alexander Date: Sun, 1 Jun 2014 21:36:53 +0200 Subject: [PATCH 32/33] [ticket/12352] Update file headers to fit new format PHPBB3-12352 --- phpBB/phpbb/auth/provider_collection.php | 12 +++++++----- .../db/migration/data/v310/passwords_convert_p1.php | 10 +++++++--- .../db/migration/data/v310/passwords_convert_p2.php | 10 +++++++--- phpBB/phpbb/passwords/driver/bcrypt_wcf2.php | 13 +++++++------ phpBB/phpbb/passwords/driver/convert_password.php | 13 +++++++------ phpBB/phpbb/passwords/driver/md5_mybb.php | 13 +++++++------ phpBB/phpbb/passwords/driver/md5_phpbb2.php | 13 +++++++------ phpBB/phpbb/passwords/driver/md5_vb.php | 13 +++++++------ phpBB/phpbb/passwords/driver/sha1.php | 13 +++++++------ phpBB/phpbb/passwords/driver/sha1_smf.php | 13 +++++++------ phpBB/phpbb/passwords/driver/sha1_wcf1.php | 13 +++++++------ phpBB/phpbb/passwords/driver/sha_xf1.php | 13 +++++++------ 12 files changed, 84 insertions(+), 65 deletions(-) diff --git a/phpBB/phpbb/auth/provider_collection.php b/phpBB/phpbb/auth/provider_collection.php index bef1dd2c50..27a3f24564 100644 --- a/phpBB/phpbb/auth/provider_collection.php +++ b/phpBB/phpbb/auth/provider_collection.php @@ -1,9 +1,13 @@ +* @license GNU General Public License, version 2 (GPL-2.0) +* +* For full copyright and license information, please see +* the docs/CREDITS.txt file. * */ 
@@ -13,8 +17,6 @@ use Symfony\Component\DependencyInjection\ContainerInterface; /** * Collection of auth providers to be configured at container compile time. -* -* @package phpBB3 */ class provider_collection extends \phpbb\di\service_collection { diff --git a/phpBB/phpbb/db/migration/data/v310/passwords_convert_p1.php b/phpBB/phpbb/db/migration/data/v310/passwords_convert_p1.php index a0c7c7eb75..004d94d8bd 100644 --- a/phpBB/phpbb/db/migration/data/v310/passwords_convert_p1.php +++ b/phpBB/phpbb/db/migration/data/v310/passwords_convert_p1.php @@ -1,9 +1,13 @@ +* @license GNU General Public License, version 2 (GPL-2.0) +* +* For full copyright and license information, please see +* the docs/CREDITS.txt file. * */ diff --git a/phpBB/phpbb/db/migration/data/v310/passwords_convert_p2.php b/phpBB/phpbb/db/migration/data/v310/passwords_convert_p2.php index e7d5e4e157..26a99184a6 100644 --- a/phpBB/phpbb/db/migration/data/v310/passwords_convert_p2.php +++ b/phpBB/phpbb/db/migration/data/v310/passwords_convert_p2.php @@ -1,9 +1,13 @@ +* @license GNU General Public License, version 2 (GPL-2.0) +* +* For full copyright and license information, please see +* the docs/CREDITS.txt file. * */ diff --git a/phpBB/phpbb/passwords/driver/bcrypt_wcf2.php b/phpBB/phpbb/passwords/driver/bcrypt_wcf2.php index ecfef9de18..fe6e36406e 100644 --- a/phpBB/phpbb/passwords/driver/bcrypt_wcf2.php +++ b/phpBB/phpbb/passwords/driver/bcrypt_wcf2.php @@ -1,17 +1,18 @@ +* @license GNU General Public License, version 2 (GPL-2.0) +* +* For full copyright and license information, please see +* the docs/CREDITS.txt file. * */ namespace phpbb\passwords\driver; -/** -* @package passwords -*/ class bcrypt_wcf2 extends base { const PREFIX = '$wcf2$'; diff --git a/phpBB/phpbb/passwords/driver/convert_password.php b/phpBB/phpbb/passwords/driver/convert_password.php index 97c7bcb8ab..45d84f45c0 100644 --- a/phpBB/phpbb/passwords/driver/convert_password.php 
+++ b/phpBB/phpbb/passwords/driver/convert_password.php @@ -1,17 +1,18 @@ +* @license GNU General Public License, version 2 (GPL-2.0) +* +* For full copyright and license information, please see +* the docs/CREDITS.txt file. * */ namespace phpbb\passwords\driver; -/** -* @package passwords -*/ class convert_password extends base { const PREFIX = '$CP$'; diff --git a/phpBB/phpbb/passwords/driver/md5_mybb.php b/phpBB/phpbb/passwords/driver/md5_mybb.php index d17f3ea035..dceffe8e68 100644 --- a/phpBB/phpbb/passwords/driver/md5_mybb.php +++ b/phpBB/phpbb/passwords/driver/md5_mybb.php @@ -1,17 +1,18 @@ +* @license GNU General Public License, version 2 (GPL-2.0) +* +* For full copyright and license information, please see +* the docs/CREDITS.txt file. * */ namespace phpbb\passwords\driver; -/** -* @package passwords -*/ class md5_mybb extends base { const PREFIX = '$md5_mybb$'; diff --git a/phpBB/phpbb/passwords/driver/md5_phpbb2.php b/phpBB/phpbb/passwords/driver/md5_phpbb2.php index 093e3b4c65..de1993e8a1 100644 --- a/phpBB/phpbb/passwords/driver/md5_phpbb2.php +++ b/phpBB/phpbb/passwords/driver/md5_phpbb2.php @@ -1,17 +1,18 @@ +* @license GNU General Public License, version 2 (GPL-2.0) +* +* For full copyright and license information, please see +* the docs/CREDITS.txt file. * */ namespace phpbb\passwords\driver; -/** -* @package passwords -*/ class md5_phpbb2 extends base { const PREFIX = '$md5_phpbb2$'; diff --git a/phpBB/phpbb/passwords/driver/md5_vb.php b/phpBB/phpbb/passwords/driver/md5_vb.php index 00b691dd63..e15680222d 100644 --- a/phpBB/phpbb/passwords/driver/md5_vb.php +++ b/phpBB/phpbb/passwords/driver/md5_vb.php @@ -1,17 +1,18 @@ +* @license GNU General Public License, version 2 (GPL-2.0) +* +* For full copyright and license information, please see +* the docs/CREDITS.txt file. * */ namespace phpbb\passwords\driver; -/** -* @package passwords -*/ class md5_vb extends base { const PREFIX = '$md5_vb$'; 
diff --git a/phpBB/phpbb/passwords/driver/sha1.php b/phpBB/phpbb/passwords/driver/sha1.php index 35cd64769b..35df1ebe96 100644 --- a/phpBB/phpbb/passwords/driver/sha1.php +++ b/phpBB/phpbb/passwords/driver/sha1.php @@ -1,17 +1,18 @@ +* @license GNU General Public License, version 2 (GPL-2.0) +* +* For full copyright and license information, please see +* the docs/CREDITS.txt file. * */ namespace phpbb\passwords\driver; -/** -* @package passwords -*/ class sha1 extends base { const PREFIX = '$sha1$'; diff --git a/phpBB/phpbb/passwords/driver/sha1_smf.php b/phpBB/phpbb/passwords/driver/sha1_smf.php index 92181ccef2..6cc0841f4d 100644 --- a/phpBB/phpbb/passwords/driver/sha1_smf.php +++ b/phpBB/phpbb/passwords/driver/sha1_smf.php @@ -1,17 +1,18 @@ +* @license GNU General Public License, version 2 (GPL-2.0) +* +* For full copyright and license information, please see +* the docs/CREDITS.txt file. * */ namespace phpbb\passwords\driver; -/** -* @package passwords -*/ class sha1_smf extends base { const PREFIX = '$smf$'; diff --git a/phpBB/phpbb/passwords/driver/sha1_wcf1.php b/phpBB/phpbb/passwords/driver/sha1_wcf1.php index 5241dc345f..77168e70eb 100644 --- a/phpBB/phpbb/passwords/driver/sha1_wcf1.php +++ b/phpBB/phpbb/passwords/driver/sha1_wcf1.php @@ -1,17 +1,18 @@ +* @license GNU General Public License, version 2 (GPL-2.0) +* +* For full copyright and license information, please see +* the docs/CREDITS.txt file. * */ namespace phpbb\passwords\driver; -/** -* @package passwords -*/ class sha1_wcf1 extends base { const PREFIX = '$wcf1$'; diff --git a/phpBB/phpbb/passwords/driver/sha_xf1.php b/phpBB/phpbb/passwords/driver/sha_xf1.php index 4b5e4a0b26..08b8cecaf3 100644 --- a/phpBB/phpbb/passwords/driver/sha_xf1.php +++ b/phpBB/phpbb/passwords/driver/sha_xf1.php 
@@ -1,17 +1,18 @@ +* @license GNU General Public License, version 2 (GPL-2.0) +* +* For full copyright and license information, please see +* the docs/CREDITS.txt file. * */ namespace phpbb\passwords\driver; -/** -* @package passwords -*/ class sha_xf1 extends base { const PREFIX = '$xf1$'; From ac311e1b39f891ba3c137f6203981c491639bec3 Mon Sep 17 00:00:00 2001 From: Marc Alexander Date: Mon, 2 Jun 2014 10:14:26 +0200 Subject: [PATCH 33/33] [ticket/12352] Do not check hashes that don't have the necessary length This should significantly reduce the time spent on checking hashes of passwords that should be converted. PHPBB3-12352 --- phpBB/phpbb/passwords/driver/bcrypt_wcf2.php | 2 +- phpBB/phpbb/passwords/driver/md5_mybb.php | 2 +- phpBB/phpbb/passwords/driver/md5_vb.php | 2 +- phpBB/phpbb/passwords/driver/sha1.php | 2 +- phpBB/phpbb/passwords/driver/sha1_smf.php | 2 +- phpBB/phpbb/passwords/driver/sha1_wcf1.php | 2 +- phpBB/phpbb/passwords/driver/sha_xf1.php | 2 +- 7 files changed, 7 insertions(+), 7 deletions(-) diff --git a/phpBB/phpbb/passwords/driver/bcrypt_wcf2.php b/phpBB/phpbb/passwords/driver/bcrypt_wcf2.php index fe6e36406e..f706c7af69 100644 --- a/phpBB/phpbb/passwords/driver/bcrypt_wcf2.php +++ b/phpBB/phpbb/passwords/driver/bcrypt_wcf2.php @@ -65,7 +65,7 @@ class bcrypt_wcf2 extends base */ public function check($password, $hash, $user_row = array()) { - if (empty($hash)) + if (empty($hash) || strlen($hash) != 60) { return false; } diff --git a/phpBB/phpbb/passwords/driver/md5_mybb.php b/phpBB/phpbb/passwords/driver/md5_mybb.php index dceffe8e68..0745bceb5e 100644 --- a/phpBB/phpbb/passwords/driver/md5_mybb.php +++ b/phpBB/phpbb/passwords/driver/md5_mybb.php @@ -47,7 +47,7 @@ class md5_mybb extends base */ public function check($password, $hash, $user_row = array()) { - if (empty($hash) || !isset($user_row['user_passwd_salt'])) + if (empty($hash) || strlen($hash) != 32 || !isset($user_row['user_passwd_salt'])) { return false; } 
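Review bot: The new length guards compare against bare literals with a loose `!=`, and nothing states which digest each number stands for: 60 in the bcrypt_wcf2 hunk, 32 in md5_mybb and md5_vb, 40 in sha1, sha1_smf and sha1_wcf1, and 40 or 64 in sha_xf1. A one-line comment per driver, e.g. `// bcrypt hashes are always 60 characters long`, together with `!==`, would make the intent checkable. The guards also assume `$hash` reaches `check()` without the driver's `PREFIX`; the caller is outside these hunks, so that should be confirmed and pinned by a test that passes a correct-length hash for each driver. Each `check()` body continues past its hunk.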
diff --git a/phpBB/phpbb/passwords/driver/md5_vb.php b/phpBB/phpbb/passwords/driver/md5_vb.php index e15680222d..440b9e39e9 100644 --- a/phpBB/phpbb/passwords/driver/md5_vb.php +++ b/phpBB/phpbb/passwords/driver/md5_vb.php @@ -47,7 +47,7 @@ class md5_vb extends base */ public function check($password, $hash, $user_row = array()) { - if (empty($hash) || !isset($user_row['user_passwd_salt'])) + if (empty($hash) || strlen($hash) != 32 || !isset($user_row['user_passwd_salt'])) { return false; } diff --git a/phpBB/phpbb/passwords/driver/sha1.php b/phpBB/phpbb/passwords/driver/sha1.php index 35df1ebe96..5d6c93f6a8 100644 --- a/phpBB/phpbb/passwords/driver/sha1.php +++ b/phpBB/phpbb/passwords/driver/sha1.php @@ -47,6 +47,6 @@ class sha1 extends base */ public function check($password, $hash, $user_row = array()) { - return $hash === sha1($password); + return (strlen($hash) == 40) ? $hash === sha1($password) : false; } } diff --git a/phpBB/phpbb/passwords/driver/sha1_smf.php b/phpBB/phpbb/passwords/driver/sha1_smf.php index 6cc0841f4d..3e3322d77f 100644 --- a/phpBB/phpbb/passwords/driver/sha1_smf.php +++ b/phpBB/phpbb/passwords/driver/sha1_smf.php @@ -46,6 +46,6 @@ class sha1_smf extends base */ public function check($password, $hash, $user_row = array()) { - return $hash === $this->hash($password, $user_row); + return (strlen($hash) == 40) ? $hash === $this->hash($password, $user_row) : false; } } diff --git a/phpBB/phpbb/passwords/driver/sha1_wcf1.php b/phpBB/phpbb/passwords/driver/sha1_wcf1.php index 77168e70eb..04a69705e9 100644 --- a/phpBB/phpbb/passwords/driver/sha1_wcf1.php +++ b/phpBB/phpbb/passwords/driver/sha1_wcf1.php @@ -47,7 +47,7 @@ class sha1_wcf1 extends base */ public function check($password, $hash, $user_row = array()) { - if (empty($hash) || !isset($user_row['user_passwd_salt'])) + if (empty($hash) || strlen($hash) != 40 || !isset($user_row['user_passwd_salt'])) { return false; } 
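Review bot: In the sha1.php and sha1_smf.php hunks the stored hash is still compared with `===`, which can return as soon as a byte differs; comparisons of password hashes are normally done in constant time. Where the supported PHP versions allow it, `hash_equals($hash, sha1($password))` (PHP 5.6+), and `hash_equals($hash, $this->hash($password, $user_row))` for sha1_smf, fits inside the new length guard unchanged. The project's minimum PHP version is not visible on this page, so an equivalent project-level comparison helper may be needed instead.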
diff --git a/phpBB/phpbb/passwords/driver/sha_xf1.php b/phpBB/phpbb/passwords/driver/sha_xf1.php index 08b8cecaf3..7ae0b90f51 100644 --- a/phpBB/phpbb/passwords/driver/sha_xf1.php +++ b/phpBB/phpbb/passwords/driver/sha_xf1.php @@ -47,7 +47,7 @@ class sha_xf1 extends base */ public function check($password, $hash, $user_row = array()) { - if (empty($hash) || !isset($user_row['user_passwd_salt'])) + if (empty($hash) || (strlen($hash) != 40 && strlen($hash) != 64) || !isset($user_row['user_passwd_salt'])) { return false; }