Fixed in Code Base
21 Oct 2016
Medium
Build: 3.6.4
# 12497
Diff
rdeutz:3.6.4-2fa-fix

Success

Success continuous-integration/drone the build was successful Details
Success continuous-integration/travis-ci/pr The Travis CI build passed Details

User tests: Successful: Unsuccessful:

rdeutz
20 Oct 2016

PR for issue #12458

Executive summary

This PR checks the data and if the data is crypted with mcyrpt it converts the data to openssl (the new default, when available) and saves the new data. It also saves the configuration data un-crypted because it isn’t more secure to save them crypted.

Background information

Since we merged an update for fof to make it compatible for PHP 7.x the default aes-adapter has changed.

Backwards compatibility

It is a fix for a B/C problem

Translation impact

nothing

Testing instruction

Create a 3.6.2 or lower site
Add a user and add either of the 2fa
check it works
Upgrade the site to 3.6.3 and try to login with the same user

This should fail

Create a new user and enable 2fa
try to log in, this should work

Apply patch

Now you should be able to login with all users using 2fa.

d9d751f 20 Oct 2016

handeling for mcrypt and openssl

rdeutz - open - 20 Oct 2016

rdeutz - change - 20 Oct 2016

Status

New

⇒

Pending

joomla-cms-bot - change - 20 Oct 2016

Labels

Added: ?

joomla-cms-bot - change - 20 Oct 2016

Category

⇒

Administration Components External Library Libraries

mbabker - comment - 20 Oct 2016

Question, since I didn't clearly grab this out of the report. Will this handle users who have saved new 2FA configs on 3.6.3 which were encrypted with OpenSSL as well as deal with the mcrypt stuff?

rdeutz - comment - 20 Oct 2016

@mbabker yes, it will.

mbabker - comment - 20 Oct 2016

infograf768 - test_item - 21 Oct 2016 - Tested successfully

infograf768 - comment - 21 Oct 2016

I have tested this item ✅ successfully on d9d751f

Tested with Google Authenticator.

I confirm it is now working fine with both a 362 and a 363 created user.

_{This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/12497.}

maxibanki - comment - 21 Oct 2016

workz ?

brianteeman - test_item - 21 Oct 2016 - Tested successfully

brianteeman - comment - 21 Oct 2016

I have tested this item ✅ successfully on d9d751f

Joomla 3.6.2
Admin login - key required
com_users - key required
mod_login - key required

Upgraded to Joomla 3.6.3
Admin login - key ignored
com_users - key ignored
mod_login - key ignored

Joomla 3.6.3 + pr
Admin login - key required
com_users - key required
mod_login - key required

_{This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/12497.}

b55727d 21 Oct 2016

Language changes suggested bei Brian

Klipper - comment - 21 Oct 2016

Maybe good to know:
I just found that an Akeeba Backup (.jpa) from Jooma 3.6.3 when 2FA is enabled can't be restored any more: Found in errorlog: PHP Fatal error: Uncaught Error: Class 'FOFUtilsPhpfunc' not found in D:\Buro\Aaa\flexbox\libraries\fof\encrypt\aes.php

Will report this also to Akeeba Backup ofcourse

_{This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/12497.}

infograf768 - change - 21 Oct 2016

Status

Pending

⇒

Ready to Commit

infograf768 - comment - 21 Oct 2016

RTC as last changes only concerned typos in comments

_{This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/12497.}

joomla-cms-bot - change - 21 Oct 2016

Labels

Added: ?

mbabker - change - 21 Oct 2016

Status	Ready to Commit	⇒	Fixed in Code Base
Closed_Date	0000-00-00 00:00:00	⇒	2016-10-21 15:27:06
Closed_By		⇒	mbabker

mbabker - close - 21 Oct 2016

mbabker - merge - 21 Oct 2016

brianteeman - close - 21 Oct 2016

brianteeman - change - 28 Oct 2016

Labels

Removed: ?