Bug #41828: saltedpasswords destroys the password - TYPO3 Core - TYPO3 Forge

Actions

Copy link

Bug #41828

closed

saltedpasswords destroys the password

Added by Xavier Perseguers over 11 years ago. Updated over 6 years ago.

Status:

Closed

Priority:

Must have

Assignee:

Xavier Perseguers

Category:

Authentication

Target version:

4.6.13

Start date:

2012-10-10

Due date:

% Done:

100%

Estimated time:

TYPO3 Version:

4.6

PHP Version:

Tags:

Complexity:

Is Regression:

Sprint Focus:

Description

When a record is using a plain MD5 password, EXT:saltedpasswords will end by destroying the password after 2 edits of the records.

Problem is as follows:

1st time the record is being edited (without any change to the password field), the password field is evaluated by tx_saltedpasswords_eval with following code:

if ($isEnabled) {
    $set = FALSE;
    $isMD5 = preg_match('/[0-9abcdef]{32,32}/', $value);
    $isSaltedHash = t3lib_div::inList('$1$,$2$,$2a,$P$', substr($value, 0, 3));

    $this->objInstanceSaltedPW = tx_saltedpasswords_salts_factory::getSaltingInstance(NULL, $this->mode);

    if ($isMD5) {
        $set = TRUE;
        $value = 'M' . $this->objInstanceSaltedPW->getHashedPassword($value);
    } elseif (!$isSaltedHash) {
        $set = TRUE;
        $value = $this->objInstanceSaltedPW->getHashedPassword($value);
    }
}

The password (plain MD5) is found to be md5 ($isMD5 = TRUE) and is salt-hashed and prefixed with "M".

Next time the record is edited, the password is already salted but prefixed with "M" and as thus $isMD5 = FALSE and $isSaltedHash = FALSE, which leads to salt-hash the already-salted hash a second time which in turn... destroys the password altogether.