Bug #41828

closed

saltedpasswords destroys the password

Added by Xavier Perseguers about 12 years ago. Updated about 7 years ago.

Status: Closed
Priority: Must have
Category: Authentication
Target version:
Start date: 2012-10-10
Due date:
% Done: 100%
Estimated time:
TYPO3 Version: 4.6
PHP Version:
Tags:
Complexity:
Is Regression:
Sprint Focus:

Description

When a record is using a plain MD5 password, EXT:saltedpasswords will end up destroying the password after 2 edits of the record.

The problem is as follows:

The first time the record is edited (without any change to the password field), the password field is evaluated by tx_saltedpasswords_eval with the following code:

if ($isEnabled) {
    $set = FALSE;
    $isMD5 = preg_match('/[0-9abcdef]{32,32}/', $value);
    $isSaltedHash = t3lib_div::inList('$1$,$2$,$2a,$P$', substr($value, 0, 3));

    $this->objInstanceSaltedPW = tx_saltedpasswords_salts_factory::getSaltingInstance(NULL, $this->mode);

    if ($isMD5) {
        $set = TRUE;
        $value = 'M' . $this->objInstanceSaltedPW->getHashedPassword($value);
    } elseif (!$isSaltedHash) {
        $set = TRUE;
        $value = $this->objInstanceSaltedPW->getHashedPassword($value);
    }
}

The password (plain MD5) is found to be md5 ($isMD5 = TRUE) and is salt-hashed and prefixed with "M".

The next time the record is edited, the password is already salted but prefixed with "M", and thus $isMD5 = FALSE and $isSaltedHash = FALSE, which leads to salt-hashing the already-salted hash a second time, which in turn... destroys the password altogether.
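
The two-edit sequence described in this report, reproduced as a stand-alone example added here (not TYPO3's code and not the fix that was committed). saltedHash() and verify() are hypothetical stand-ins built on PHP's crypt(), the "M"-prefix login check is an assumption, and evaluateWithPrefixCheck() is one possible guard.

```php
<?php
// Added illustration, not TYPO3 code. saltedHash() is a hypothetical stand-in for
// getHashedPassword(), built on PHP's crypt() with an MD5-crypt ($1$) salt.
function saltedHash(string $input): string {
    return crypt($input, '$1$' . bin2hex(random_bytes(4)) . '$');
}

// Same decision logic as the snippet in the report.
function evaluateAsReported(string $value): string {
    $isMD5 = preg_match('/[0-9abcdef]{32,32}/', $value);
    $isSaltedHash = in_array(substr($value, 0, 3), ['$1$', '$2$', '$2a', '$P$'], true);
    if ($isMD5) {
        return 'M' . saltedHash($value);
    } elseif (!$isSaltedHash) {
        return saltedHash($value);
    }
    return $value;
}

// One possible guard (assumption, not the committed fix): look past a leading "M"
// before testing for a salted-hash prefix, so the value is left untouched.
function evaluateWithPrefixCheck(string $value): string {
    $candidate = strncmp($value, 'M', 1) === 0 ? substr($value, 1) : $value;
    if (in_array(substr($candidate, 0, 3), ['$1$', '$2$', '$2a', '$P$'], true)) {
        return $value;
    }
    return evaluateAsReported($value);
}

// Assumed login check: an "M" value holds a salted hash of md5(password).
function verify(string $password, string $stored): bool {
    if (strncmp($stored, 'M', 1) === 0) {
        $hash = substr($stored, 1);
        return hash_equals($hash, crypt(md5($password), $hash));
    }
    return hash_equals($stored, crypt($password, $stored));
}

$legacy = md5('secret'); // constructed sample: legacy plain-MD5 record
$edit1 = evaluateAsReported($legacy);
$edit2 = evaluateAsReported($edit1);
$guarded = evaluateWithPrefixCheck(evaluateWithPrefixCheck($legacy));
foreach (['edit 1' => $edit1, 'edit 2' => $edit2, 'guarded, 2 edits' => $guarded] as $label => $stored) {
    printf("%-17s %-40s login ok: %s\n", $label, $stored, var_export(verify('secret', $stored), true));
}
```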
