* $wgDebugPrintHttpHeaders - The default of including HTTP headers in the
debug log channel is no longer configurable. The debug log itself remains
configurable via $wgDebugLogFile.
+* $wgPasswordSalt – This setting, used for migrating exceptionally old, insecure
+ password setups and deprecated since 1.24, is now removed.
=== New user-facing features in 1.34 ===
* Special:Mute has been added as a quick way for users to block unwanted emails
\MediaWiki\Auth\PasswordAuthenticationRequest::class,
];
-/**
- * For compatibility with old installations set to false
- * @deprecated since 1.24 will be removed in future
- */
-$wgPasswordSalt = true;
-
/**
* Specifies the minimal length of a user password. If set to 0, empty pass-
* words are allowed.
// Check for *really* old password hashes that don't even have a type
// The old hash format was just an md5 hex hash, with no type information
if ( preg_match( '/^[0-9a-f]{32}$/', $row->user_password ) ) {
- if ( $this->config->get( 'PasswordSalt' ) ) {
- $row->user_password = ":B:{$row->user_id}:{$row->user_password}";
- } else {
- $row->user_password = ":A:{$row->user_password}";
- }
+ $row->user_password = ":B:{$row->user_id}:{$row->user_password}";
}
$status = $this->checkPasswordValidity( $username, $req->password );
);
// Correct handling of really old password hashes
- $this->config->set( 'PasswordSalt', false );
- $password = md5( 'FooBar' );
- $dbw->update( 'user', [ 'user_password' => $password ], [ 'user_name' => $userName ] );
- $req->password = 'FooBar';
- $this->assertEquals(
- AuthenticationResponse::newPass( $userName ),
- $provider->beginPrimaryAuthentication( $reqs )
- );
-
$this->config->set( 'PasswordSalt', true );
$password = md5( "$id-" . md5( 'FooBar' ) );
$dbw->update( 'user', [ 'user_password' => $password ], [ 'user_name' => $userName ] );