Bug #41828

saltedpasswords destroys the password

Added by Xavier Perseguers over 8 years ago. Updated over 3 years ago.

Status: Closed
Priority: Must have
Category: Authentication
Start date: 2012-10-10
% Done: 100%
TYPO3 Version: 4.6

Description

When a record is using a plain MD5 password, EXT:saltedpasswords will end up destroying the password after two edits of the record.

The problem is as follows:

The first time the record is edited (without any change to the password field), the password field is evaluated by tx_saltedpasswords_eval with the following code:

if ($isEnabled) {
    $set = FALSE;
    $isMD5 = preg_match('/[0-9abcdef]{32,32}/', $value);
    $isSaltedHash = t3lib_div::inList('$1$,$2$,$2a,$P$', substr($value, 0, 3));

    $this->objInstanceSaltedPW = tx_saltedpasswords_salts_factory::getSaltingInstance(NULL, $this->mode);

    if ($isMD5) {
        $set = TRUE;
        $value = 'M' . $this->objInstanceSaltedPW->getHashedPassword($value);
    } elseif (!$isSaltedHash) {
        $set = TRUE;
        $value = $this->objInstanceSaltedPW->getHashedPassword($value);
    }
}

The password (plain MD5) is found to be MD5 ($isMD5 = TRUE) and is salt-hashed and prefixed with "M".

The next time the record is edited, the password is already salted but prefixed with "M", and thus $isMD5 = FALSE and $isSaltedHash = FALSE, which leads to salt-hashing the already-salted hash a second time, which in turn... destroys the password altogether.
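
The double-hashing described in the report can be reproduced outside TYPO3. The following is an added example, not part of the original report and not the patch that was merged; `hashStandIn()`, `inList()`, `evaluateIdempotent()` and `verifies()` are hypothetical names, and the hasher is a crypt-MD5 stand-in for `getHashedPassword()`.

```php
<?php
// Added illustration, not TYPO3 code. hashStandIn() is a hypothetical
// stand-in for getHashedPassword(); it returns a "$1$" crypt-MD5 hash.
function hashStandIn(string $value): string {
    return crypt($value, '$1$' . bin2hex(random_bytes(4)) . '$');
}

// Comma-list membership test, written here to mirror t3lib_div::inList().
function inList(string $list, string $item): bool {
    return strpos(',' . $list . ',', ',' . $item . ',') !== false;
}

// Same classification as the evaluator quoted in the report.
function evaluateAsReported(string $value): string {
    $isMD5 = preg_match('/[0-9abcdef]{32,32}/', $value);
    $isSaltedHash = inList('$1$,$2$,$2a,$P$', substr($value, 0, 3));
    if ($isMD5) {
        return 'M' . hashStandIn($value);
    } elseif (!$isSaltedHash) {
        return hashStandIn($value);
    }
    return $value;
}

// Assumed correction: skip a leading "M" before testing the hash prefix.
function evaluateIdempotent(string $value): string {
    $candidate = strncmp($value, 'M$', 2) === 0 ? substr($value, 1) : $value;
    if (inList('$1$,$2$,$2a,$P$', substr($candidate, 0, 3))) {
        return $value; // already a stored hash: leave it untouched
    }
    return evaluateAsReported($value);
}

// True when $hash (optionally "M"-prefixed) was derived from $md5.
function verifies(string $md5, string $hash): bool {
    $h = strncmp($hash, 'M$', 2) === 0 ? substr($hash, 1) : $hash;
    return hash_equals($h, crypt($md5, $h));
}

$legacy = md5('secret');                 // constructed legacy record value
$once   = evaluateAsReported($legacy);   // first save of the record
$twice  = evaluateAsReported($once);     // second save, password field untouched
var_dump(verifies($legacy, $once));      // does the original MD5 still verify?
var_dump(verifies($legacy, $twice));     // and after the second save?
var_dump($twice === $once);              // was the second save a no-op?
var_dump(evaluateIdempotent($once) === $once);
```

The useful regression check is the last line: an evaluator applied to its own output must return it unchanged, otherwise every save of the record rewrites the stored credential.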

#1

Updated by Xavier Perseguers over 8 years ago

Problem only happens in tceforms, not in user->settings.

#2

Updated by Gerrit Code Review over 8 years ago

  • Status changed from New to Under Review

Patch set 1 for branch master has been pushed to the review server.
It is available at http://review.typo3.org/15478

#3

Updated by Gerrit Code Review over 8 years ago

Patch set 2 for branch master has been pushed to the review server.
It is available at http://review.typo3.org/15478

#4

Updated by Gerrit Code Review over 8 years ago

Patch set 1 for branch TYPO3_4-6 has been pushed to the review server.
It is available at http://review.typo3.org/15672

#5

Updated by Gerrit Code Review over 8 years ago

Patch set 1 for branch TYPO3_4-7 has been pushed to the review server.
It is available at http://review.typo3.org/15673

#6

Updated by Gerrit Code Review over 8 years ago

Patch set 1 for branch TYPO3_4-5 has been pushed to the review server.
It is available at http://review.typo3.org/15674

#7

Updated by Xavier Perseguers over 8 years ago

  • Status changed from Under Review to Resolved
  • Target version set to 4.6.13
  • % Done changed from 0 to 100

#8

Updated by Riccardo De Contardi over 3 years ago

  • Status changed from Resolved to Closed
