Joomla! Issue Tracker | Joomla! CMS #31500 - [4.0] Fix password hash comparison

? ? ?

Fixed in Code Base
9 Dec 2020
Medium
Build: 4.0-dev
# 31500
Diff
bembelimen:4.0/31176

Pending

User tests: Successful: Unsuccessful:

bembelimen
26 Nov 2020

Pull Request for Issue #31176 .

Summary of Changes

This PR fixes the weak comparison for the password hashing handler.

@HLeithner and me tried to fix the wrong usage of the switch statement mentioned here: #31176 (comment)

Testing Instructions

Actual result BEFORE applying this Pull Request

See: #31176 (comment)

Expected result AFTER applying this Pull Request

User is registered and BCryprt is used.

Documentation Changes Required

50fc563 26 Nov 2020

Fix password hash comparison

bembelimen - open - 26 Nov 2020

bembelimen - change - 26 Nov 2020

Status

New

⇒

Pending

joomla-cms-bot - change - 26 Nov 2020

Category

⇒

Libraries

c8d2b03 26 Nov 2020

Improve comment deprecation

bembelimen - change - 26 Nov 2020

Labels

Added: ? ?

chmst - test_item - 28 Nov 2020 - Tested successfully

chmst - comment - 28 Nov 2020

I have tested this item ✅ successfully on c8d2b03

Tested on win10, Xampp with PHP 7.4.6. Registered users and checked the password in the database.

Before PR with normal php 7.4.6
$argon2i$v=19$m=65536,t=4,p=1$SWFULi5FY2d....

Before (renamed php_sodium.php in php)
$argon2i$v=19$m=65536,t=4,p=1$bm1aZn

After PR with normal php 7.4.6
$2y$10$uEw....

After PR (renamed php_sodium.php in php)
$2y$10$E.wUzScPv....

_{This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/31500.}

manojLondhe - test_item - 5 Dec 2020 - Tested successfully

manojLondhe - comment - 5 Dec 2020

I have tested this item ✅ successfully on c8d2b03

For same password for different users, I see as below in database password column

Before patch
$argon2i$v=19$m=65536,t=4,p=1$b29oNDNUZ1ZoZGlMRWQwOA$fc8zv34Rg7xWENE6cLI2WcJg99yMr6tBKwGWmQDgiII

After patch
$2y$10$QAuP9Nt64s2NG2YXP2pkOObR5uenW5s62OpwwTKXhugc.wCZR0ESy

I am not sure though if it is a successful test or no.

System info of my env.
PHP Version | 7.4.10

_{This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/31500.}

chmst - change - 5 Dec 2020

Status

Pending

⇒

Ready to Commit

chmst - comment - 5 Dec 2020

RTC

_{This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/31500.}

4cf5b69 9 Dec 2020

wilsonge - change - 9 Dec 2020

Labels

Added: ?

4b6f8b4 9 Dec 2020

wilsonge - change - 9 Dec 2020

Status	Ready to Commit	⇒	Fixed in Code Base
Closed_Date	0000-00-00 00:00:00	⇒	2020-12-09 19:36:23
Closed_By		⇒	wilsonge

wilsonge - close - 9 Dec 2020

wilsonge - merge - 9 Dec 2020

wilsonge - comment - 9 Dec 2020

Thanks!

Add a Comment

Older
Newer

Joomla! Issue Tracker - CMS

[#31500] - [4.0] Fix password hash comparison

Summary of Changes

Testing Instructions

Actual result BEFORE applying this Pull Request

Expected result AFTER applying this Pull Request

Documentation Changes Required

Add a Comment