Bug #58192

User settings password change locks out user if saltedpasswords is not configured to allow legacy passwords

Added by Markus Klein about 7 years ago. Updated over 2 years ago.

Status:
Closed
Priority:
Must have
Assignee:
-
Category:
Backend API
Target version:
Start date:
2014-04-25
Due date:
% Done:
100%

Estimated time:
TYPO3 Version:
6.2
PHP Version:
Tags:
Complexity:
medium
Is Regression:
No
Sprint Focus:

Description

If saltedpasswords is configured to disallow old md5 passwords and a user changes his/her password via the User Settings module, the user locks herself out of the BE.

The reason is that the User Settings dialog still creates old md5 passwords which are converted during the next login if saltedpasswords is configured to do so.

#1

Updated by Markus Klein about 7 years ago

This seems to be a loading order problem. The ext_tables.php of saltedpasswords would change the eval of the password fields correctly, but this is never applied.

#2

Updated by Gerrit Code Review about 7 years ago

  • Status changed from Accepted to Under Review

Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/29656

#3

Updated by Markus Klein about 7 years ago

What happens here

  • EXT:saltedpasswords is loaded before EXT:setup.
  • EXT:saltedpasswords defines $GLOBALS['TYPO3_USER_SETTINGS']['columns']['password']['eval'] = '';, but $GLOBALS['TYPO3_USER_SETTINGS'] does not exist yet.
  • EXT:setup defines $GLOBALS['TYPO3_USER_SETTINGS'] and overwrites $GLOBALS['TYPO3_USER_SETTINGS']['columns']['password']['eval'] = 'md5';

This causes the User Settings Tool to generate a legacy md5 password hash which is written into the DB.

During login the Authentication Service detects the old password and denies the login, if EXT:saltedpasswords is configured to force salted passwords in BE mode.

Solution

Setting a dependency of EXT:saltedpasswords to EXT:setup should ensure that setup is loaded first. But it does NOT!
The problem is that EXT:saltedpasswords is a protected system extension whereas EXT:setup is not.
Package Manager will therefore rearrange the loading order and EXT:setup is second again.

So we also need to set EXT:setup as protected to really get the right loading order.

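The loading-order problem described in comment #3, as an added stand-alone illustration (not TYPO3 core code and not part of the original report): two stand-in loaders mimic what the two ext_tables.php files do to $GLOBALS['TYPO3_USER_SETTINGS'], and the resulting 'eval' of the password column is resolved for both load orders. The function names, the simplified "settings save" and "login check" helpers, and the constructed password are assumptions made for the example.

```php
<?php
// Added illustration (not TYPO3 code): simulate the ext_tables.php loading
// order described in the bug and show why the password field's 'eval'
// ends up as 'md5' when EXT:saltedpasswords is loaded before EXT:setup.

declare(strict_types=1);

// Stand-in for EXT:saltedpasswords/ext_tables.php (assumption: it only
// touches the 'eval' key of the password column). If TYPO3_USER_SETTINGS
// does not exist yet, PHP silently auto-creates the nested arrays here.
function loadSaltedpasswordsExtTables(array &$globals): void
{
    $globals['TYPO3_USER_SETTINGS']['columns']['password']['eval'] = '';
}

// Stand-in for EXT:setup/ext_tables.php: it *defines* the whole array,
// so whatever was assigned earlier is thrown away. Other columns and
// keys of the real definition are omitted here.
function loadSetupExtTables(array &$globals): void
{
    $globals['TYPO3_USER_SETTINGS'] = [
        'columns' => [
            'password' => [
                'eval' => 'md5',
            ],
        ],
    ];
}

// Run the loaders in the given order and return the resulting eval.
function resolvePasswordEval(array $loadOrder): string
{
    $globals = [];
    $loaders = [
        'saltedpasswords' => 'loadSaltedpasswordsExtTables',
        'setup'           => 'loadSetupExtTables',
    ];
    foreach ($loadOrder as $ext) {
        $loaders[$ext]($globals);
    }
    return $globals['TYPO3_USER_SETTINGS']['columns']['password']['eval'];
}

// Simplified stand-in for the User Settings save (assumption): with
// eval 'md5' an unsalted md5 hash is written to the DB; with an empty
// eval the value is handed on unchanged for the salted-password code
// path to hash.
function storedPasswordValue(string $eval, string $plain): string
{
    return $eval === 'md5' ? md5($plain) : $plain;
}

// Simplified stand-in for the login-time check (assumption): a legacy
// unsalted md5 hash is exactly 32 hex characters, whereas salted hashes
// carry a prefix such as '$1$' or '$P$'.
function isLegacyMd5Hash(string $stored): bool
{
    return (bool) preg_match('/^[0-9a-f]{32}$/', $stored);
}

$wrongOrder = ['saltedpasswords', 'setup']; // what Package Manager produced
$rightOrder = ['setup', 'saltedpasswords']; // what the fix enforces

foreach ([$wrongOrder, $rightOrder] as $order) {
    $eval   = resolvePasswordEval($order);
    $stored = storedPasswordValue($eval, 'constructed-example-password');
    printf(
        "order %-22s eval=%-5s legacy md5 written: %s\n",
        implode(',', $order),
        var_export($eval, true),
        isLegacyMd5Hash($stored) ? 'yes (login denied if salted passwords are forced)' : 'no'
    );
}
```

With the wrong order the script reports eval 'md5' and a 32-hex-character hash in the stored value, which is exactly what a login-time check that rejects legacy hashes would refuse; with setup loaded first the empty eval from saltedpasswords survives and no unsalted hash is produced.
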
#4

Updated by Gerrit Code Review about 7 years ago

Patch set 2 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/29656

#5

Updated by Gerrit Code Review about 7 years ago

Patch set 3 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/29656

#6

Updated by Gerrit Code Review about 7 years ago

Patch set 4 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/29656

#7

Updated by Gerrit Code Review about 7 years ago

Patch set 5 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/29656

#8

Updated by Gerrit Code Review about 7 years ago

Patch set 6 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/29656

#9

Updated by Gerrit Code Review about 7 years ago

Patch set 7 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/29656

#10

Updated by Markus Klein about 7 years ago

  • Status changed from Under Review to Resolved
  • % Done changed from 0 to 100

#11

Updated by Benni Mack over 2 years ago

  • Status changed from Resolved to Closed
