Bug #70216
Closed
Bug in compareUident (SaltedPasswordService.php) if salted passwords are used
Description
In fe_users we store the user's password as a salted password :-)
The call to compareUident in SaltedPasswordService.php used by authUser seems to fail, since the password read from $loginData['uident_text'] is now salted, and hence the call to
$validPasswd = $this->objInstanceSaltedPW->checkPassword($password, $user['password']);
will fail, since the password here is expected to be in plaintext.
The checkPassword methods implemented in PhpassSalt and Md5Salt should be able to perform the comparison even if a salted password is provided.
Updated by Helmut Hummel over 8 years ago
- Status changed from New to Needs Feedback
Thomas Hohn wrote:
> The call compareUident in SaltedPasswordService.php used by authUser seems to fail since the password read from $loginData['uident_text'] is now salted
This is wrong, otherwise nothing would work any more. $loginData['uident_text'] always contains the clear text password, unless an extension service wrongly replaces it with something different.
If you use a plain core, then this works correctly.
Can you clarify what your problem is?
Updated by Riccardo De Contardi about 8 years ago
- Status changed from Needs Feedback to Closed
No feedback for the last 90+ days, closing this one.
If you think that this is the wrong decision or experience the issue again or have more information about how to reproduce it, please reopen it or open a new issue with a reference to this one.
Thank you
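
Added example (not part of the thread and not TYPO3 code): a salted-hash check re-hashes the cleartext candidate with the salt embedded in the stored value, so it can only succeed when the login data still carries the cleartext password. It uses PHP's crypt() in MD5-crypt mode as a stand-in for the salted formats named in the thread; the function names and the sample password are assumptions.

```php
<?php
// Illustration only: hypothetical helpers, not the TYPO3 saltedpasswords API.

// Build a salted MD5-crypt hash of the form "$1$<salt>$<digest>" for storage.
function makeSaltedHash(string $plaintext): string
{
    // 6 random bytes encode to 8 base64 characters; map '+' into crypt's alphabet.
    $salt = strtr(base64_encode(random_bytes(6)), '+', '.');
    return crypt($plaintext, '$1$' . $salt . '$');
}

// Verify a candidate: crypt() reads the scheme and salt from $storedHash,
// hashes the candidate with them, and the two results are compared in constant time.
function checkCandidate(string $candidate, string $storedHash): bool
{
    return hash_equals($storedHash, crypt($candidate, $storedHash));
}

// Constructed sample data standing in for the password column of a user record.
$stored = makeSaltedHash('correct horse battery');

$cases = [
    // The cleartext password, which is what the reply says uident_text contains.
    'cleartext candidate'           => 'correct horse battery',
    // The stored hash itself passed as the candidate: it is hashed a second time.
    'stored hash as candidate'      => $stored,
    // The right password hashed again with a fresh salt before the check.
    'freshly salted hash candidate' => makeSaltedHash('correct horse battery'),
];

foreach ($cases as $label => $candidate) {
    printf("%-30s => %s\n", $label, checkCandidate($candidate, $stored) ? 'match' : 'no match');
}
```

A check that also accepted an already salted value as the candidate would make the stored hash usable as a login credential by itself, which is what salted storage is meant to prevent.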