Bug #22328
Closed
wrong md5-hash of md5.js, frontend-, backend-login
100%
Description
The md5 calculation produces wrong results; it depends on the characters used.
The following characters produce this failure:
äöüÄÖܧáÁ and many more.
These characters are not forbidden.
The md5.js is also used to send the backend-password.
Due to the failure of md5.js it could be easier to descend the password algorithm.
The following characters are available:
01234567890123456789012345678901!\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ [\\]^_`abcdefghijklmnopqrstuvwxyz{|}~
All other characters produce a wrong hash.
As fe-users want to change their password, I've noticed this problem in affinity with Issue #0012206.
It's not possible to simply replace the md5.js.
All hashed passwords are written in the wrong md5-code, that means, all users have to retype their password on login or have to receive automatically a new password...
See:
http://www.typo3.net/index.php?id=13&action=list_post&tid=70355&page=2%29
language: German, the problem occurs on usernames with special chars/umlauts.
Attached is the old md5.js and a new one with no failure.
(issue imported from #M13917)
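The report does not say why md5.js fails on these characters. A common cause of this symptom is that client and server feed different bytes to MD5 for the same string. The following added example (not from the report or from TYPO3) checks which characters make two encodings disagree. It runs under Node.js, and both the UTF-8 server view and the low-byte client model are assumptions.

```javascript
// Added example, not TYPO3 code. Node.js standard library only.
const { createHash } = require('node:crypto');

// MD5 is defined over bytes, so the digest depends on how the string is encoded.
function md5Hex(bytes) {
  return createHash('md5').update(bytes).digest('hex');
}

// Server-side view (assumption): the password arrives as UTF-8 bytes.
function utf8Bytes(str) {
  return Buffer.from(str, 'utf8');
}

// Client-side view (assumption, hypothetical model of a script-side MD5):
// one byte per UTF-16 code unit, keeping only the low 8 bits.
function lowByteBytes(str) {
  const out = Buffer.alloc(str.length);
  for (let i = 0; i < str.length; i++) out[i] = str.charCodeAt(i) & 0xff;
  return out;
}

// True when both encodings hash to the same digest for this string.
function hashesAgree(str) {
  return md5Hex(utf8Bytes(str)) === md5Hex(lowByteBytes(str));
}

// Distinct characters of `str` that make the two digests differ.
function divergingChars(str) {
  return [...new Set(str)].filter((ch) => !hashesAgree(ch));
}

// Characters named in the report: äöüÄÖܧáÁ (escaped to pin the code points).
const REPORTED = '\u00e4\u00f6\u00fc\u00c4\u00d6\u00dc\u00a7\u00e1\u00c1';
// Printable ASCII 0x20..0x7e, the range the report lists as working.
const ASCII = Array.from({ length: 95 }, (_, i) => String.fromCharCode(0x20 + i)).join('');

console.log('ASCII diverging:', divergingChars(ASCII));
console.log('reported diverging:', divergingChars(REPORTED).join(''));
// Constructed sample passwords, one ASCII-only and one with umlauts.
for (const pw of ['Passwort1!', 'P\u00e4ssw\u00f6rt\u00a71']) {
  console.log(JSON.stringify(pw), hashesAgree(pw) ? 'agree' : 'MISMATCH');
}
```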
Updated by Marcus Krause over 14 years ago
set view state to public as it is a known (& unfortunately still unresolved) problem
Updated by Sebastian over 14 years ago
I think it's related to #0005865:
- if the md5.js always returns the hash, the hash should be always the same.
It seems, in #0005865 the md5-hash was created by md5.js and (!) the serverside md5.
The interaction between md5.js and serverside md5 isn't typically typo3 and isn't a matter of this issue, because the password-hash should be only calculated on clientside.
Updated by Chris topher over 14 years ago
Here is another md5 script: http://www.webtoolkit.info/javascript-md5.html
It should work.
Updated by Stefan Neufeind about 13 years ago
- % Done changed from 0 to 50
We tried the one from webtoolkit.info. Works like a charm.
Do we need to worry about licensing in this case? (I guess so.)
Or could we simply exchange it by a commit?
The current MD5-implementation is done "fundamentally different", so it's not like adding one more line to the existing one or so. (The one from webtoolkit.info is even quite a bit shorter :-))
Updated by Mr. Hudson about 13 years ago
Patch set 1 of change I8f71673f60f22e39862ca2a447f496159b8079bb has been pushed to the review server.
It is available at http://review.typo3.org/5665
Updated by Mr. Hudson about 13 years ago
Patch set 2 of change I8f71673f60f22e39862ca2a447f496159b8079bb has been pushed to the review server.
It is available at http://review.typo3.org/5665
Updated by Xavier Perseguers about 13 years ago
- Status changed from New to Under Review
- Target version changed from 4.6.0 to 4.6.0-RC1
Updated by Mr. Hudson about 13 years ago
Patch set 1 of change I3b75a14403791bb9aa2cb26972ac95fa74d74db2 has been pushed to the review server.
It is available at http://review.typo3.org/5691
Updated by Mr. Hudson about 13 years ago
Patch set 1 of change Ib7b983340f2fd82698fd48967c0be61a8fc822b8 has been pushed to the review server.
It is available at http://review.typo3.org/5692
Updated by Stefan Neufeind about 13 years ago
- Status changed from Under Review to Resolved
- % Done changed from 50 to 100
Applied in changeset 3f8d0b065e87c08ba96677b13a55c5bd07f73c97.
Updated by Ernesto Baschny almost 13 years ago
- Target version changed from 4.6.0-RC1 to 4.5.11
Updated by Riccardo De Contardi about 7 years ago
- Status changed from Resolved to Closed