Bug #82048

Can't login with 32 characters password

Added by Tymoteusz Motylewski 20 days ago. Updated 20 days ago.

Status:
Accepted
Priority:
Should have
Assignee:
-
Category:
-
Target version:
-
Start date:
2017-08-04
Due date:
% Done:

0%

TYPO3 Version:
8
PHP Version:
Tags:
Complexity:
Is Regression:
Sprint Focus:

Description

Passwords which looks like md5 hash are not working.

1. set md5 like password to fe/be user. eg. 098f6bcd4621d373cade4e832627b4f6 (it has to be 32 chars long, with small letters and digits)
2. try to log in
3. TYPO3 will always return error, login is not possible

Background:
the hash created by TYPO3 (the one stored in the db in column password) will begin with "M$", but it should with "$".
Removing the M from the beginning of the hash makes it possible to log in.

The problem is in the typo3/sysext/saltedpasswords/Classes/Evaluation/Evaluator.php
method evaluateFieldValue

$isEnabled = $this->mode ? \TYPO3\CMS\Saltedpasswords\Utility\SaltedPasswordsUtility::isUsageEnabled($this->mode) : \TYPO3\CMS\Saltedpasswords\Utility\SaltedPasswordsUtility::isUsageEnabled();
        if ($isEnabled) {
            $isMD5 = preg_match('/[0-9abcdef]{32,32}/', $value);
            $hashingMethod = substr($value, 0, 2);
            $isDeprecatedSaltedHash = ($hashingMethod === 'C$' || $hashingMethod === 'M$');
            /** @var $objInstanceSaltedPW \TYPO3\CMS\Saltedpasswords\Salt\SaltInterface */
            $objInstanceSaltedPW = \TYPO3\CMS\Saltedpasswords\Salt\SaltFactory::getSaltingInstance(null, $this->mode);
            if ($isMD5) {
                $set = true;
                $value = 'M' . $objInstanceSaltedPW->getHashedPassword($value);

I think evaluateFieldValue should know whether the value comes from db and can be a md5 hash, or comes from direct plain input from user.

History

#1 Updated by Georg Ringer 20 days ago

  • Status changed from New to Accepted

Also available in: Atom PDF