From cbc3083acd1289c7624bbb48d8d9332777465731 Mon Sep 17 00:00:00 2001
From: joshuaruesweg
Date: Thu, 5 Aug 2021 14:43:29 +0200
Subject: [PATCH] Fix having an incorrect parameter if a hash does not contains a salt

Fixes #4416
---
 .../user/authentication/password/algorithm/Ipb2.class.php | 4 +++-
 .../user/authentication/password/algorithm/Ipb3.class.php | 4 +++-
 .../user/authentication/password/algorithm/Joomla1.class.php | 4 +++-
 .../user/authentication/password/algorithm/Joomla2.class.php | 4 +++-
 .../user/authentication/password/algorithm/Joomla3.class.php | 4 +++-
 .../user/authentication/password/algorithm/Mybb1.class.php | 4 +++-
 .../user/authentication/password/algorithm/Phpfox3.class.php | 4 +++-
 .../user/authentication/password/algorithm/Smf1.class.php | 4 +++-
 .../user/authentication/password/algorithm/Smf2.class.php | 4 +++-
 .../user/authentication/password/algorithm/Vb3.class.php | 4 +++-
 .../user/authentication/password/algorithm/Vb4.class.php | 4 +++-
 .../user/authentication/password/algorithm/Vb5.class.php | 4 +++-
 .../user/authentication/password/algorithm/Wcf1.class.php | 4 +++-
 .../user/authentication/password/algorithm/Wcf1e.class.php | 4 +++-
 .../user/authentication/password/algorithm/Xf1.class.php | 4 +++-
 15 files changed, 45 insertions(+), 15 deletions(-)

diff --git a/wcfsetup/install/files/lib/system/user/authentication/password/algorithm/Ipb2.class.php b/wcfsetup/install/files/lib/system/user/authentication/password/algorithm/Ipb2.class.php
index d33ced5961..3b29d8c81e 100644
--- a/wcfsetup/install/files/lib/system/user/authentication/password/algorithm/Ipb2.class.php
+++ b/wcfsetup/install/files/lib/system/user/authentication/password/algorithm/Ipb2.class.php
@@ -21,7 +21,9 @@ final class Ipb2 implements IPasswordAlgorithm
 */
 public function verify(string $password, string $hash): bool
 {
- [$hash, $salt] = \explode(':', $hash, 2);
+ $parts = \explode(':', $hash, 2);
+ $hash = $parts[0];
+ $salt = $parts[1] ?? '';
 
 return \hash_equals($hash, $this->hashWithSalt($password, $salt));
 }
diff --git a/wcfsetup/install/files/lib/system/user/authentication/password/algorithm/Ipb3.class.php b/wcfsetup/install/files/lib/system/user/authentication/password/algorithm/Ipb3.class.php
index b9b1af38a0..18c70aa90f 100644
--- a/wcfsetup/install/files/lib/system/user/authentication/password/algorithm/Ipb3.class.php
+++ b/wcfsetup/install/files/lib/system/user/authentication/password/algorithm/Ipb3.class.php
@@ -21,7 +21,9 @@ final class Ipb3 implements IPasswordAlgorithm
 */
 public function verify(string $password, string $hash): bool
 {
- [$hash, $salt] = \explode(':', $hash, 2);
+ $parts = \explode(':', $hash, 2);
+ $hash = $parts[0];
+ $salt = $parts[1] ?? '';
 
 return \hash_equals($hash, $this->hashWithSalt($password, $salt));
 }
diff --git a/wcfsetup/install/files/lib/system/user/authentication/password/algorithm/Joomla1.class.php b/wcfsetup/install/files/lib/system/user/authentication/password/algorithm/Joomla1.class.php
index 415ce26c91..edef893326 100644
--- a/wcfsetup/install/files/lib/system/user/authentication/password/algorithm/Joomla1.class.php
+++ b/wcfsetup/install/files/lib/system/user/authentication/password/algorithm/Joomla1.class.php
@@ -21,7 +21,9 @@ final class Joomla1 implements IPasswordAlgorithm
 */
 public function verify(string $password, string $hash): bool
 {
- [$hash, $salt] = \explode(':', $hash, 2);
+ $parts = \explode(':', $hash, 2);
+ $hash = $parts[0];
+ $salt = $parts[1] ?? '';
 
 return \hash_equals($hash, $this->hashWithSalt($password, $salt));
 }
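Review bot: A stored value with no `:` is now checked against an empty salt rather than rejected: in the Ipb2 hunk's `verify()`, `$salt = $parts[1] ?? ''` lets the comparison run with `hashWithSalt($password, '')`. Whether saltless records are legitimate for each of these legacy formats is not visible from the hunks; where the format always carries a salt, a missing one suggests a truncated or malformed record, and failing closed with `if (!isset($parts[1])) { return false; }` before the comparison would be the safer default. Where saltless hashes are expected, a comment such as `// Legacy imports may store the hash without a salt; treat it as empty.` would record that the fallback is deliberate. The same three lines recur in the Ipb3, Joomla1, Joomla2, Joomla3, Mybb1, Phpfox3, Smf1, Smf2, Vb3, Vb4, Vb5, Wcf1, Wcf1e and Xf1 hunks (Xf1's `verify()` continues past its hunk), so a shared helper for the split would keep this policy in one place.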
diff --git a/wcfsetup/install/files/lib/system/user/authentication/password/algorithm/Joomla2.class.php b/wcfsetup/install/files/lib/system/user/authentication/password/algorithm/Joomla2.class.php
index ea079836d6..2bf2dd073f 100644
--- a/wcfsetup/install/files/lib/system/user/authentication/password/algorithm/Joomla2.class.php
+++ b/wcfsetup/install/files/lib/system/user/authentication/password/algorithm/Joomla2.class.php
@@ -21,7 +21,9 @@ final class Joomla2 implements IPasswordAlgorithm
 */
 public function verify(string $password, string $hash): bool
 {
- [$hash, $salt] = \explode(':', $hash, 2);
+ $parts = \explode(':', $hash, 2);
+ $hash = $parts[0];
+ $salt = $parts[1] ?? '';
 
 return \hash_equals($hash, $this->hashWithSalt($password, $salt));
 }
diff --git a/wcfsetup/install/files/lib/system/user/authentication/password/algorithm/Joomla3.class.php b/wcfsetup/install/files/lib/system/user/authentication/password/algorithm/Joomla3.class.php
index 10663f00b5..1647cef5e1 100644
--- a/wcfsetup/install/files/lib/system/user/authentication/password/algorithm/Joomla3.class.php
+++ b/wcfsetup/install/files/lib/system/user/authentication/password/algorithm/Joomla3.class.php
@@ -21,7 +21,9 @@ final class Joomla3 implements IPasswordAlgorithm
 */
 public function verify(string $password, string $hash): bool
 {
- [$hash, $salt] = \explode(':', $hash, 2);
+ $parts = \explode(':', $hash, 2);
+ $hash = $parts[0];
+ $salt = $parts[1] ?? '';
 
 return \hash_equals($hash, $this->hashWithSalt($password, $salt));
 }
diff --git a/wcfsetup/install/files/lib/system/user/authentication/password/algorithm/Mybb1.class.php b/wcfsetup/install/files/lib/system/user/authentication/password/algorithm/Mybb1.class.php
index 43802dd7fe..a436b6fcbe 100644
--- a/wcfsetup/install/files/lib/system/user/authentication/password/algorithm/Mybb1.class.php
+++ b/wcfsetup/install/files/lib/system/user/authentication/password/algorithm/Mybb1.class.php
@@ -21,7 +21,9 @@ final class Mybb1 implements IPasswordAlgorithm
 */
 public function verify(string $password, string $hash): bool
 {
- [$hash, $salt] = \explode(':', $hash, 2);
+ $parts = \explode(':', $hash, 2);
+ $hash = $parts[0];
+ $salt = $parts[1] ?? '';
 
 return \hash_equals($hash, $this->hashWithSalt($password, $salt));
 }
diff --git a/wcfsetup/install/files/lib/system/user/authentication/password/algorithm/Phpfox3.class.php b/wcfsetup/install/files/lib/system/user/authentication/password/algorithm/Phpfox3.class.php
index 72ddf0505f..b4d4ce9c0c 100644
--- a/wcfsetup/install/files/lib/system/user/authentication/password/algorithm/Phpfox3.class.php
+++ b/wcfsetup/install/files/lib/system/user/authentication/password/algorithm/Phpfox3.class.php
@@ -21,7 +21,9 @@ final class Phpfox3 implements IPasswordAlgorithm
 */
 public function verify(string $password, string $hash): bool
 {
- [$hash, $salt] = \explode(':', $hash, 2);
+ $parts = \explode(':', $hash, 2);
+ $hash = $parts[0];
+ $salt = $parts[1] ?? '';
 
 return \hash_equals($hash, $this->hashWithSalt($password, $salt));
 }
diff --git a/wcfsetup/install/files/lib/system/user/authentication/password/algorithm/Smf1.class.php b/wcfsetup/install/files/lib/system/user/authentication/password/algorithm/Smf1.class.php
index 387fd2e5eb..298bd2ef0d 100644
--- a/wcfsetup/install/files/lib/system/user/authentication/password/algorithm/Smf1.class.php
+++ b/wcfsetup/install/files/lib/system/user/authentication/password/algorithm/Smf1.class.php
@@ -21,7 +21,9 @@ final class Smf1 implements IPasswordAlgorithm
 */
 public function verify(string $password, string $hash): bool
 {
- [$hash, $salt] = \explode(':', $hash, 2);
+ $parts = \explode(':', $hash, 2);
+ $hash = $parts[0];
+ $salt = $parts[1] ?? '';
 
 return \hash_equals($hash, $this->hashWithSalt($password, $salt));
 }
diff --git a/wcfsetup/install/files/lib/system/user/authentication/password/algorithm/Smf2.class.php b/wcfsetup/install/files/lib/system/user/authentication/password/algorithm/Smf2.class.php
index 51eb596ab6..c419ed378d 100644
--- a/wcfsetup/install/files/lib/system/user/authentication/password/algorithm/Smf2.class.php
+++ b/wcfsetup/install/files/lib/system/user/authentication/password/algorithm/Smf2.class.php
@@ -21,7 +21,9 @@ final class Smf2 implements IPasswordAlgorithm
 */
 public function verify(string $password, string $hash): bool
 {
- [$hash, $salt] = \explode(':', $hash, 2);
+ $parts = \explode(':', $hash, 2);
+ $hash = $parts[0];
+ $salt = $parts[1] ?? '';
 
 return \hash_equals($hash, $this->hashWithSalt($password, $salt));
 }
diff --git a/wcfsetup/install/files/lib/system/user/authentication/password/algorithm/Vb3.class.php b/wcfsetup/install/files/lib/system/user/authentication/password/algorithm/Vb3.class.php
index ad902f0117..af61345112 100644
--- a/wcfsetup/install/files/lib/system/user/authentication/password/algorithm/Vb3.class.php
+++ b/wcfsetup/install/files/lib/system/user/authentication/password/algorithm/Vb3.class.php
@@ -21,7 +21,9 @@ final class Vb3 implements IPasswordAlgorithm
 */
 public function verify(string $password, string $hash): bool
 {
- [$hash, $salt] = \explode(':', $hash, 2);
+ $parts = \explode(':', $hash, 2);
+ $hash = $parts[0];
+ $salt = $parts[1] ?? '';
 
 return \hash_equals($hash, $this->hashWithSalt($password, $salt));
 }
diff --git a/wcfsetup/install/files/lib/system/user/authentication/password/algorithm/Vb4.class.php b/wcfsetup/install/files/lib/system/user/authentication/password/algorithm/Vb4.class.php
index f664787af0..a3cee6f805 100644
--- a/wcfsetup/install/files/lib/system/user/authentication/password/algorithm/Vb4.class.php
+++ b/wcfsetup/install/files/lib/system/user/authentication/password/algorithm/Vb4.class.php
@@ -21,7 +21,9 @@ final class Vb4 implements IPasswordAlgorithm
 */
 public function verify(string $password, string $hash): bool
 {
- [$hash, $salt] = \explode(':', $hash, 2);
+ $parts = \explode(':', $hash, 2);
+ $hash = $parts[0];
+ $salt = $parts[1] ?? '';
 
 return \hash_equals($hash, $this->hashWithSalt($password, $salt));
 }
diff --git a/wcfsetup/install/files/lib/system/user/authentication/password/algorithm/Vb5.class.php b/wcfsetup/install/files/lib/system/user/authentication/password/algorithm/Vb5.class.php
index 64f0b07aae..ca1afdaa6c 100644
--- a/wcfsetup/install/files/lib/system/user/authentication/password/algorithm/Vb5.class.php
+++ b/wcfsetup/install/files/lib/system/user/authentication/password/algorithm/Vb5.class.php
@@ -21,7 +21,9 @@ final class Vb5 implements IPasswordAlgorithm
 */
 public function verify(string $password, string $hash): bool
 {
- [$hash, $salt] = \explode(':', $hash, 2);
+ $parts = \explode(':', $hash, 2);
+ $hash = $parts[0];
+ $salt = $parts[1] ?? '';
 
 return \hash_equals($hash, $this->hashWithSalt($password, $salt));
 }
diff --git a/wcfsetup/install/files/lib/system/user/authentication/password/algorithm/Wcf1.class.php b/wcfsetup/install/files/lib/system/user/authentication/password/algorithm/Wcf1.class.php
index 4cf28d17a5..c97c882324 100644
--- a/wcfsetup/install/files/lib/system/user/authentication/password/algorithm/Wcf1.class.php
+++ b/wcfsetup/install/files/lib/system/user/authentication/password/algorithm/Wcf1.class.php
@@ -21,7 +21,9 @@ final class Wcf1 implements IPasswordAlgorithm
 */
 public function verify(string $password, string $hash): bool
 {
- [$hash, $salt] = \explode(':', $hash, 2);
+ $parts = \explode(':', $hash, 2);
+ $hash = $parts[0];
+ $salt = $parts[1] ?? '';
 
 return \hash_equals($hash, $this->hashWithSalt($password, $salt));
 }
diff --git a/wcfsetup/install/files/lib/system/user/authentication/password/algorithm/Wcf1e.class.php b/wcfsetup/install/files/lib/system/user/authentication/password/algorithm/Wcf1e.class.php
index 2462b560c0..0fc9e4be00 100644
--- a/wcfsetup/install/files/lib/system/user/authentication/password/algorithm/Wcf1e.class.php
+++ b/wcfsetup/install/files/lib/system/user/authentication/password/algorithm/Wcf1e.class.php
@@ -56,7 +56,9 @@ final class Wcf1e implements IPasswordAlgorithm
 */
 public function verify(string $password, string $hash): bool
 {
- [$hash, $salt] = \explode(':', $hash, 2);
+ $parts = \explode(':', $hash, 2);
+ $hash = $parts[0];
+ $salt = $parts[1] ?? '';
 
 return \hash_equals($hash, $this->hashWithSalt($password, $salt));
 }
diff --git a/wcfsetup/install/files/lib/system/user/authentication/password/algorithm/Xf1.class.php b/wcfsetup/install/files/lib/system/user/authentication/password/algorithm/Xf1.class.php
index d45ec31238..b1c82cf0b7 100644
--- a/wcfsetup/install/files/lib/system/user/authentication/password/algorithm/Xf1.class.php
+++ b/wcfsetup/install/files/lib/system/user/authentication/password/algorithm/Xf1.class.php
@@ -21,7 +21,9 @@ final class Xf1 implements IPasswordAlgorithm
 */
 public function verify(string $password, string $hash): bool
 {
- [$hash, $salt] = \explode(':', $hash, 2);
+ $parts = \explode(':', $hash, 2);
+ $hash = $parts[0];
+ $salt = $parts[1] ?? '';
 
 if (\hash_equals($hash, \sha1(\sha1($password) . $salt))) {
 return true;
-- 
2.20.1