From 7f40255ca259e53d2ca331798b8ded154804e140 Mon Sep 17 00:00:00 2001
From: Tim Starling
Date: Tue, 15 Nov 2016 10:54:44 +1100
Subject: [PATCH] Accept salted password hashes with :A: prefixes
Partially reverting Icb809274f9f63. The broken :A: prefixed passwords generated by MW before that change were apparently written back to the database -- there are 2.5M in enwiki alone. Accepting them should not depend on $wgPasswordSalt, which is a deprecated global and should soon be removed.
Change-Id: I772de0fb17245d080eb15a7d5df6bf3125e1f71a
---
 includes/password/MWOldPassword.php | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/includes/password/MWOldPassword.php b/includes/password/MWOldPassword.php
index 360485e364..c48b6e61d5 100644
--- a/includes/password/MWOldPassword.php
+++ b/includes/password/MWOldPassword.php
@@ -36,8 +36,16 @@ class MWOldPassword extends ParameterizedPassword {
 }
 public function crypt( $plaintext ) {
- $this->args = [];
- $this->hash = md5( $plaintext );
+ if ( count( $this->args ) === 1 ) {
+ // Accept (but do not generate) salted passwords with :A: prefix.
+ // These are actually B-type passwords, but an error in a previous
+ // version of MediaWiki caused them to be written with an :A:
+ // prefix.
+ $this->hash = md5( $this->args[0] . '-' . md5( $plaintext ) );
+ } else {
+ $this->args = [];
+ $this->hash = md5( $plaintext );
+ }
 if ( !is_string( $this->hash ) || strlen( $this->hash ) < 32 ) {
 throw new PasswordError( 'Error when hashing password.' );
-- 
2.20.1
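Review bot: The "accept but do not generate" rule in the new `count( $this->args ) === 1` branch of crypt() is only a comment; nothing in the branch enforces it. The salted form is chosen purely from whatever `$this->args` holds when crypt() is called, so if the same method is also used to produce new hashes (not visible in this hunk), an object with one leftover argument would write another mis-prefixed salted-MD5 value. I would state the precondition in the comment, e.g. `// $this->args is expected to be non-empty only when this object was parsed from a stored hash; new hashes must be created with empty args.`, and confirm that a successful login against either MD5 form is flagged for rehash to the default type (presumably via needsUpdate()) so the 2.5M legacy hashes are retired instead of kept. crypt() continues past the end of the hunk, so the remainder of the length check and the closing of the method are not reviewed here.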