From f8bcf99c7fe0b20f447e502cf2cb5b3d0648f68a Mon Sep 17 00:00:00 2001 From: Marc Alexander Date: Sat, 15 Jun 2013 12:11:51 +0200 Subject: [PATCH] [feature/passwords] Do not support 8-bit characters with $2a$ bcrypt 8-bit unicode characters might reduce the security of the password hash when using the $2a$ bcrypt prefix. Those types of characters are usually not used in passwords but we should prevent this possible issue anyway. PHPBB3-11610 --- phpBB/includes/crypto/manager.php | 20 +++++++++++++------- 1 file changed, 13 insertions(+), 7 deletions(-) diff --git a/phpBB/includes/crypto/manager.php b/phpBB/includes/crypto/manager.php index 1f6ba78666..93b99743d1 100644 --- a/phpBB/includes/crypto/manager.php +++ b/phpBB/includes/crypto/manager.php @@ -154,20 +154,26 @@ class phpbb_crypto_manager * @param string $password Password that should be hashed * @param string $type Hash type. Will default to standard hash type if * none is supplied - * @return string Password hash of supplied password + * @return string|bool Password hash of supplied password or false if + * if something went wrong during hashing * * @throws RunTimeException If hash type is not supported */ public function hash_password($password, $type = '') { - if ($type === '') + $type = ($type === '') ? $this->type : $type; + + $hashing_algorithm = $this->container->get($type); + // Do not support 8-bit characters with $2a$ bcrypt + if ($type === 'crypto.driver.bcrypt' || ($type === 'crypto.driver.bcrypt_2y' && !$hashing_algorithm->is_supported())) { - return $this->container->get($this->type)->hash($password); - } - else - { - return $this->container->get($type)->hash($password); + if (ord($password[strlen($password)-1]) & 128) + { + return false; + } } + + return $this->container->get($type)->hash($password); } public function check_hash($password, $hash)