Skip to content

Instantly share code, notes, and snippets.

@fetus-hina

fetus-hina/mantis-password-md5.diff

Created March 9, 2017 13:16
Show Gist options
  • Save fetus-hina/f8957ae20c19ac897d499734e37397ac to your computer and use it in GitHub Desktop.
Save fetus-hina/f8957ae20c19ac897d499734e37397ac to your computer and use it in GitHub Desktop.
Download ZIP
Use password_hash() instead of md5() when create/authenticate user on MantisBT system
Raw
mantis-password-md5.diff
diff -r -u mantisbt.o/core/authentication_api.php mantisbt/core/authentication_api.php
--- mantisbt.o/core/authentication_api.php 2017-03-09 21:53:03.000000000 +0900
+++ mantisbt/core/authentication_api.php 2017-03-09 22:11:34.708292246 +0900
@@ -209,7 +209,7 @@
if( $t_auto_create ) {
# attempt to create the user
- $t_cookie_string = user_create( $p_username, md5( $p_password ) );
+ $t_cookie_string = user_create( $p_username, $p_password );
if( $t_cookie_string === false ) {
# it didn't work
return false;
@@ -502,35 +502,25 @@
}
$t_password = user_get_field( $p_user_id, 'password' );
- $t_login_methods = array(
- MD5,
- CRYPT,
- PLAIN,
- BASIC_AUTH,
- );
-
- foreach( $t_login_methods as $t_login_method ) {
- # pass the stored password in as the salt
- if( auth_process_plain_password( $p_test_password, $t_password, $t_login_method ) == $t_password ) {
- # Do not support migration to PLAIN, since this would be a crazy thing to do.
- # Also if we do, then a user will be able to login by providing the MD5 value
- # that is copied from the database. See #8467 for more details.
- if( ( $t_configured_login_method != PLAIN && $t_login_method == PLAIN ) ||
- ( $t_configured_login_method != BASIC_AUTH && $t_login_method == BASIC_AUTH ) ) {
- continue;
- }
-
- # Check for migration to another login method and test whether the password was encrypted
- # with our previously insecure implementation of the CRYPT method
- if( ( $t_login_method != $t_configured_login_method ) || (( CRYPT == $t_configured_login_method ) && utf8_substr( $t_password, 0, 2 ) == utf8_substr( $p_test_password, 0, 2 ) ) ) {
- user_set_password( $p_user_id, $p_test_password, true );
- }
- return true;
+ $should_upgrade = false;
+ if (preg_match('/^[0-9a-fA-F]{32}$/', $t_password)) {
+ if (hash('md5', $p_test_password) !== $t_password) {
+ return false;
}
+ $should_upgrade = true;
+ } else {
+ if (!password_verify($p_test_password, $t_password)) {
+ return false;
+ }
+ $should_upgrade = password_needs_rehash($t_password, PASSWORD_DEFAULT);
}
- return false;
+ if ($should_upgrade) {
+ user_set_password($p_user_id, $p_test_password, true);
+ }
+
+ return true;
}
/**
@@ -549,30 +539,7 @@
* @access public
*/
function auth_process_plain_password( $p_password, $p_salt = null, $p_method = null ) {
- $t_login_method = config_get( 'login_method' );
- if( $p_method !== null ) {
- $t_login_method = $p_method;
- }
-
- switch( $t_login_method ) {
- case CRYPT:
-
- # a null salt is the same as no salt, which causes a salt to be generated
- # otherwise, use the salt given
- $t_processed_password = crypt( $p_password, $p_salt );
- break;
- case MD5:
- $t_processed_password = md5( $p_password );
- break;
- case BASIC_AUTH:
- case PLAIN:
- default:
- $t_processed_password = $p_password;
- break;
- }
-
- # cut this off to DB_FIELD_SIZE_PASSWORD characters which the largest possible string in the database
- return utf8_substr( $t_processed_password, 0, DB_FIELD_SIZE_PASSWORD );
+ return password_hash($p_password, PASSWORD_DEFAULT);
}
/**
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment