Bug #58192
closed
User settings password change locks out user if saltedpasswords is not configured to allow legacy passwords
100%
Description
If saltedpasswords is configured to disallow old md5 passwords and a user changes his/her password via the User Settings module, the user locks herself out of the BE.
The reason is that the User Settings dialog still creates old md5 passwords which are converted during the next login if saltedpasswords is configured to do so.
Updated by Markus Klein over 10 years ago
This seems to be a loading order problem: the ext_tables.php of saltedpasswords would change the eval of the password fields correctly, but this is never applied.
Updated by Gerrit Code Review over 10 years ago
- Status changed from Accepted to Under Review
Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/29656
Updated by Markus Klein over 10 years ago
What happens here
- EXT:saltedpasswords is loaded before EXT:setup
- EXT:saltedpasswords defines $GLOBALS['TYPO3_USER_SETTINGS']['columns']['password']['eval'] = ''; but $GLOBALS['TYPO3_USER_SETTINGS'] does not exist yet.
- EXT:setup defines $GLOBALS['TYPO3_USER_SETTINGS'] and overwrites $GLOBALS['TYPO3_USER_SETTINGS']['columns']['password']['eval'] = 'md5';
This causes the User Settings Tool to generate a legacy md5 password hash which is written into the DB.
During login the Authentication Service detects the old password and denies the login, if EXT:saltedpasswords is configured to force salted passwords in BE mode.
Solution
Setting a dependency of EXT:saltedpasswords to EXT:setup should ensure that setup is loaded first. But it does NOT!
The problem is that EXT:saltedpasswords is a protected system extension whereas EXT:setup is not.
Package Manager will therefore rearrange the loading order and EXT:setup is second again.
So we also need to set EXT:setup as protected to really get the right loading order.
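The loading-order effect described in the comment above, reduced to plain PHP as an added example (not TYPO3 core code and not part of the original thread). The loader function names, the sample password, the use of password_hash() as a stand-in for salted hashing, and the 32-hex-character legacy check are assumptions made for illustration.

```php
<?php
// Added illustration, not TYPO3 core code. The loader functions are
// hypothetical stand-ins for the two extensions' ext_tables.php files.

// EXT:saltedpasswords: clears the eval so the form does not md5 the password.
function loadSaltedpasswords(array &$settings): void
{
    $settings['columns']['password']['eval'] = '';
}

// EXT:setup: assigns the whole array, discarding anything set earlier.
function loadSetup(array &$settings): void
{
    $settings = ['columns' => ['password' => ['eval' => 'md5']]];
}

// Run the loaders in the given order and return the resulting eval value.
function effectiveEval(array $order): string
{
    $settings = [];
    foreach ($order as $loader) {
        $loader($settings);
    }
    return $settings['columns']['password']['eval'];
}

// Simplified storage model (assumption): eval 'md5' stores a bare md5 digest;
// otherwise password_hash() stands in for the salted hashing.
function storedHash(string $eval, string $password): string
{
    return $eval === 'md5' ? md5($password) : password_hash($password, PASSWORD_DEFAULT);
}

// Simplified login gate (assumption): a 32-hex-character value counts as
// legacy md5 and is denied when salted passwords are forced.
function loginAllowed(string $stored, bool $forceSalted): bool
{
    return !($forceSalted && preg_match('/^[a-f0-9]{32}$/', $stored) === 1);
}

$orders = [
    'saltedpasswords, then setup' => ['loadSaltedpasswords', 'loadSetup'],
    'setup, then saltedpasswords' => ['loadSetup', 'loadSaltedpasswords'],
];
foreach ($orders as $label => $order) {
    $eval = effectiveEval($order);
    $stored = storedHash($eval, 'constructed-sample-password');
    printf("%s: eval='%s', login %s\n", $label, $eval,
        loginAllowed($stored, true) ? 'allowed' : 'denied');
}
```

Only the first ordering ends with eval set to 'md5', because the later whole-array assignment discards the earlier override.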
Updated by Gerrit Code Review over 10 years ago
Patch set 2 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/29656
Updated by Gerrit Code Review over 10 years ago
Patch set 3 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/29656
Updated by Gerrit Code Review over 10 years ago
Patch set 4 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/29656
Updated by Gerrit Code Review over 10 years ago
Patch set 5 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/29656
Updated by Gerrit Code Review over 10 years ago
Patch set 6 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/29656
Updated by Gerrit Code Review over 10 years ago
Patch set 7 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/29656
Updated by Markus Klein over 10 years ago
- Status changed from Under Review to Resolved
- % Done changed from 0 to 100
Applied in changeset c02bab5c70adbfcd63162dafd0bd7b2fb089b21f.