Bug #82048

closed

Can't login with 32 characters password

Added by Tymoteusz Motylewski over 6 years ago. Updated about 4 years ago.

Status: Closed
Priority: Should have
Assignee: -
Category: Authentication
Target version: -
Start date: 2017-08-04
% Done: 0%
TYPO3 Version: 8

Description

Passwords which look like an MD5 hash are not working.

1. Set an MD5-like password for an fe/be user, e.g. 098f6bcd4621d373cade4e832627b4f6 (it has to be 32 chars long, with small letters and digits)
2. Try to log in
3. TYPO3 will always return an error, login is not possible

Background:
The hash created by TYPO3 (the one stored in the db in column password) will begin with "M$", but it should begin with "$".
Removing the M from the beginning of the hash makes it possible to log in.

The problem is in typo3/sysext/saltedpasswords/Classes/Evaluation/Evaluator.php,
method evaluateFieldValue:

        $isEnabled = $this->mode ? \TYPO3\CMS\Saltedpasswords\Utility\SaltedPasswordsUtility::isUsageEnabled($this->mode) : \TYPO3\CMS\Saltedpasswords\Utility\SaltedPasswordsUtility::isUsageEnabled();
        if ($isEnabled) {
            // Unanchored pattern: matches any value that contains 32 lowercase hex characters
            $isMD5 = preg_match('/[0-9abcdef]{32,32}/', $value);
            $hashingMethod = substr($value, 0, 2);
            $isDeprecatedSaltedHash = ($hashingMethod === 'C$' || $hashingMethod === 'M$');
            /** @var $objInstanceSaltedPW \TYPO3\CMS\Saltedpasswords\Salt\SaltInterface */
            $objInstanceSaltedPW = \TYPO3\CMS\Saltedpasswords\Salt\SaltFactory::getSaltingInstance(null, $this->mode);
            if ($isMD5) {
                $set = true;
                // The value is treated as a legacy MD5 hash and the salted hash gets the "M" prefix
                $value = 'M' . $objInstanceSaltedPW->getHashedPassword($value);

I think evaluateFieldValue should know whether the value comes from the db and can be an MD5 hash, or comes from direct plain input from the user.
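
The failure described in the report, modelled as an added example (it is not part of the original report and is not TYPO3 code): a plaintext password that matches the MD5 heuristic is stored with the "M" prefix and then fails verification, while a variant that is told explicitly whether the value is a legacy hash accepts it. Assumptions: PHP's password_hash()/password_verify() stand in for the saltedpasswords classes, the function names storeHeuristic, storeExplicit and login are hypothetical, and the login branch for "M"-prefixed records (MD5 the submitted password first) is a simplified model.

```php
<?php
// Added illustration, not TYPO3 code. password_hash()/password_verify() stand in
// for the salted-hash implementation; all function names are hypothetical.

// Model of the heuristic quoted in the report: any value containing 32
// lowercase hex characters is treated as an already-computed legacy MD5 hash.
function storeHeuristic(string $value): string
{
    if (preg_match('/[0-9abcdef]{32,32}/', $value)) {
        // Value is assumed to be md5(password), so the record is marked with "M".
        return 'M' . password_hash($value, PASSWORD_DEFAULT);
    }
    return password_hash($value, PASSWORD_DEFAULT);
}

// Variant along the lines the report suggests: the caller states whether the
// value is a legacy hash read from the database; the format check is anchored.
function storeExplicit(string $value, bool $isLegacyMd5FromDb): string
{
    if ($isLegacyMd5FromDb && preg_match('/^[0-9a-f]{32}$/', $value)) {
        return 'M' . password_hash($value, PASSWORD_DEFAULT);
    }
    return password_hash($value, PASSWORD_DEFAULT);
}

// Assumed login check: for an "M"-prefixed record the submitted password is
// MD5-hashed first, because the stored hash is expected to wrap md5(password).
function login(string $submitted, string $stored): bool
{
    if ($stored[0] === 'M') {
        return password_verify(md5($submitted), substr($stored, 1));
    }
    return password_verify($submitted, $stored);
}

$password  = '098f6bcd4621d373cade4e832627b4f6'; // plaintext password from the report
$oldPlain  = 'constructed-old-password';         // constructed sample value
$legacyMd5 = md5($oldPlain);                     // constructed legacy hash, as read from the db

// Plaintext misclassified as a legacy hash by the heuristic.
echo 'heuristic, plaintext input: ', var_export(login($password, storeHeuristic($password)), true), PHP_EOL;
// Same plaintext, caller declares it is not a legacy hash.
echo 'explicit, plaintext input:  ', var_export(login($password, storeExplicit($password, false)), true), PHP_EOL;
// Legacy MD5 hash from the database, upgraded with the "M" prefix.
echo 'explicit, legacy db hash:   ', var_export(login($oldPlain, storeExplicit($legacyMd5, true)), true), PHP_EOL;
```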

Actions #1

Updated by Georg Ringer over 6 years ago

  • Status changed from New to Accepted
Actions #2

Updated by Riccardo De Contardi over 5 years ago

  • Category set to Authentication
Actions #3

Updated by Georg Ringer about 4 years ago

  • Status changed from Accepted to Needs Feedback

Can you recheck on master? saltedpasswords has been migrated into core and md5 doesn't work anymore. I can't reproduce this anymore. Thx

Actions #4

Updated by Riccardo De Contardi about 4 years ago

I tried with 10.4.0-dev (latest master) and the password suggested in the description (098f6bcd4621d373cade4e832627b4f6) and I was able to log in.

Actions #5

Updated by Tymoteusz Motylewski about 4 years ago

  • Status changed from Needs Feedback to Closed

Let's close it then.
