Bug #82048
Can't login with 32 characters password
Status: Closed
Priority: Should have
Assignee: -
Category: Authentication
Target version: -
Start date: 2017-08-04
% Done: 0%
TYPO3 Version: 8
Description
Passwords which look like an md5 hash are not working.
1. Set an md5-like password for an fe/be user, e.g. 098f6bcd4621d373cade4e832627b4f6 (it has to be 32 chars long, with small letters and digits)
2. Try to log in
3. TYPO3 will always return an error, login is not possible
Background:
The hash created by TYPO3 (the one stored in the db in column password) will begin with "M$", but it should begin with "$".
Removing the M from the beginning of the hash makes it possible to log in.
The problem is in typo3/sysext/saltedpasswords/Classes/Evaluation/Evaluator.php,
method evaluateFieldValue:
    $isEnabled = $this->mode
        ? \TYPO3\CMS\Saltedpasswords\Utility\SaltedPasswordsUtility::isUsageEnabled($this->mode)
        : \TYPO3\CMS\Saltedpasswords\Utility\SaltedPasswordsUtility::isUsageEnabled();
    if ($isEnabled) {
        $isMD5 = preg_match('/[0-9abcdef]{32,32}/', $value);
        $hashingMethod = substr($value, 0, 2);
        $isDeprecatedSaltedHash = ($hashingMethod === 'C$' || $hashingMethod === 'M$');
        /** @var $objInstanceSaltedPW \TYPO3\CMS\Saltedpasswords\Salt\SaltInterface */
        $objInstanceSaltedPW = \TYPO3\CMS\Saltedpasswords\Salt\SaltFactory::getSaltingInstance(null, $this->mode);
        if ($isMD5) {
            $set = true;
            $value = 'M' . $objInstanceSaltedPW->getHashedPassword($value);
I think evaluateFieldValue should know whether the value comes from the db and can be an md5 hash, or comes from direct plain input from the user.
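The store-and-verify mismatch described in this report, as an added illustration that is neither TYPO3 code nor part of the original report. It assumes that PHP's password_hash()/password_verify() can stand in for the salted hasher, and that an 'M'-prefixed hash is verified by MD5-hashing the submitted password first; looksLikeMd5(), storePassword() and checkLogin() are hypothetical names.

```php
<?php
// Added illustration; not TYPO3 code. password_hash()/password_verify()
// stand in for the salted hasher returned by SaltFactory.

// Same pattern as in evaluateFieldValue(). It is unanchored, so it also
// matches longer values that merely contain 32 lowercase hex characters.
function looksLikeMd5(string $value): bool
{
    return preg_match('/[0-9abcdef]{32,32}/', $value) === 1;
}

// Store step as quoted in the report: an MD5-looking value is hashed and
// the result is prefixed with 'M'.
function storePassword(string $value): string
{
    $hash = password_hash($value, PASSWORD_BCRYPT);
    return looksLikeMd5($value) ? 'M' . $hash : $hash;
}

// Assumed login check: an 'M' prefix means "the stored value was derived
// from md5(plaintext)", so the submitted password is MD5-hashed first.
function checkLogin(string $submitted, string $stored): bool
{
    if ($stored[0] === 'M') {
        return password_verify(md5($submitted), substr($stored, 1));
    }
    return password_verify($submitted, $stored);
}

// Constructed sample passwords.
$samples = [
    'ordinary'      => 'correct horse battery',
    'md5 lookalike' => '098f6bcd4621d373cade4e832627b4f6',
    'contains hex'  => 'pw-098f6bcd4621d373cade4e832627b4f6-2017',
];
foreach ($samples as $label => $plain) {
    $stored = storePassword($plain);
    printf("%-14s prefix=%s login=%s\n", $label, substr($stored, 0, 2),
        checkLogin($plain, $stored) ? 'ok' : 'FAILS');
}

// A legacy row that really held md5('test') is upgraded and still verifies.
$legacy = storePassword(md5('test'));
printf("%-14s login=%s\n", 'legacy md5', checkLogin('test', $legacy) ? 'ok' : 'FAILS');
```

The evaluator cannot tell a legacy MD5 value read from the database apart from a plaintext password that has the same shape. Because the pattern is unanchored, the same misclassification applies to any password containing a 32-character lowercase hex run.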