[feature/passwords] Do not support 8-bit characters with $2a$ bcrypt

8-bit unicode characters might reduce the security of the password hash when using the $2a$ bcrypt prefix. Those types of characters are usually not used in passwords but we should prevent this possible issue anyway. PHPBB3-11610
2025-06-27 21:58:52 +00:00 · 2013-06-15 12:11:51 +02:00 · 2013-06-15 12:11:51 +02:00 · f8bcf99c7f
commit f8bcf99c7f
parent 8795fe9c77
1 changed files with 13 additions and 7 deletions
--- a/phpBB/includes/crypto/manager.php
+++ b/phpBB/includes/crypto/manager.php
@ -154,20 +154,26 @@ class phpbb_crypto_manager
 	* @param string $password Password that should be hashed
 	* @param string $type Hash type. Will default to standard hash type if
 	*			none is supplied
-	* @return string Password hash of supplied password
+	* @return string|bool Password hash of supplied password or false if
+	*			if something went wrong during hashing
 	*
 	* @throws RunTimeException If hash type is not supported
 	*/
 	public function hash_password($password, $type = '')
 	{
-		if ($type === '')
+		$type = ($type === '') ? $this->type : $type;
+
+		$hashing_algorithm = $this->container->get($type);
+		// Do not support 8-bit characters with $2a$ bcrypt
+		if ($type === 'crypto.driver.bcrypt' || ($type === 'crypto.driver.bcrypt_2y' && !$hashing_algorithm->is_supported()))
 		{
-			return $this->container->get($this->type)->hash($password);
-		}
-		else
-		{
-			return $this->container->get($type)->hash($password);
+			if (ord($password[strlen($password)-1]) & 128)
+			{
+				return false;
+			}
 		}
+
+		return $this->container->get($type)->hash($password);
 	}

 	public function check_hash($password, $hash)