As proposed by marshalrusty: re-hash plain MD5s left in the database

git-svn-id: file:///svn/phpbb/branches/phpBB-3_0_0@9312 89ea8834-ac86-4346-8a33-228a782c2dd0

phpBB/includes/auth/auth_db.php

@@ -141,7 +141,9 @@ function login_db(&$username, &$password)
 			}
 
 			// cp1252 is phpBB2's default encoding, characters outside ASCII range might work when converted into that encoding
-			if (md5($password_old_format) == $row['user_password'] || md5(utf8_to_cp1252($password_old_format)) == $row['user_password'])
+			// plain md5 support left in for conversions from other systems.
+			if ((strlen($row['user_password']) == 34 && (phpbb_check_hash(md5($password_old_format), $row['user_password']) || phpbb_check_hash(md5(utf8_to_cp1252($password_old_format)), $row['user_password'])))
+				|| (strlen($row['user_password']) == 32  && (md5($password_old_format) == $row['user_password'] || md5(utf8_to_cp1252($password_old_format)) == $row['user_password'])))
 			{
 				$hash = phpbb_hash($password_new_format);
 
@@ -155,7 +157,7 @@ function login_db(&$username, &$password)
 				$row['user_pass_convert'] = 0;
 				$row['user_password'] = $hash;
 			}
-			else
+			else 
 			{
 				// Although we weren't able to convert this password we have to
 				// increase login attempt count to make sure this cannot be exploited

phpBB/install/convertors/convert_phpbb20.php

@@ -865,7 +865,7 @@ if (!$get_info)
 				array('user_regdate',			'users.user_regdate',				''),
 				array('username',				'users.username',					'phpbb_set_default_encoding'), // recode to utf8 with default lang
 				array('username_clean',			'users.username',					array('function1' => 'phpbb_set_default_encoding', 'function2' => 'utf8_clean_string')),
-				array('user_password',			'users.user_password',				''),
+				array('user_password',			'users.user_password',				'phpbb_hash'),
 				array('user_pass_convert',		1,									''),
 				array('user_posts',				'users.user_posts',					'intval'),
 				array('user_email',				'users.user_email',					'strtolower'),

phpBB/install/database_update.php

@@ -8,7 +8,7 @@
 *
 */
 
-$updates_to_version = '3.0.4';
+$updates_to_version = '3.0.5-dev';
 
 // Return if we "just include it" to find out for which version the database update is responsible for
 if (defined('IN_PHPBB') && defined('IN_INSTALL'))
@@ -590,6 +590,9 @@ $database_update_info = array(
 
 	// Changes from 3.0.4-RC1 to 3.0.4
 	'3.0.4-RC1'		=> array(),
+	
+	// Changes from 3.0.4 to 3.0.5-dev
+	'3.0.4'			=> array(),
 );
 
 // Determine mapping database type
@@ -2028,17 +2031,38 @@ function change_database_data(&$no_updates, $version)
 
 				_sql('UPDATE ' . PROFILE_FIELDS_TABLE . ' SET ' . $db->sql_build_array('UPDATE', $sql_ary) . ' WHERE field_id = ' . $row['field_id'], $errored, $error_ary);
 			}
-
 			$no_updates = false;
+		
 		break;
 
 		// Changes from 3.0.4-RC1 to 3.0.4
 		case '3.0.4-RC1':
 		break;
 		
-		// Changes from 3.0.4 to 3.0.4dev
+		// Changes from 3.0.4 to 3.0.5-dev
 		case '3.0.4':
+
 			set_config('captcha_gd_wave', 0);
+			
+			$sql = 'SELECT user_id, user_password 
+					FROM ' . USERS_TABLE . ' 
+					WHERE user_pass_convert = 1';
+			$result = _sql($sql, $errored, $error_ary);
+
+			while ($row = $db->sql_fetchrow($result))
+			{
+				if (strlen($row['user_password']) == 32)
+				{
+					$sql_ary = array(
+						'user_password'	=> phpbb_hash($row['user_password']),
+					);
+
+					_sql('UPDATE ' . USERS_TABLE . ' SET ' . $db->sql_build_array('UPDATE', $sql_ary) . ' WHERE user_id = ' . $row['user_id'], $errored, $error_ary);
+				}
+			}
+
+			$no_updates = false;
+
 		break;
 	}
 }