X-Git-Url: https://git.cyclocoop.org/%242?a=blobdiff_plain;f=includes%2Fpassword%2FPassword.php;h=c8a0267cb132c18fdbb9cfe699fbd7c9bd8ae14e;hb=7babd362babcbf7f20adb8e12edb4f4bc1d4249f;hp=4e395b5182f7ef28fded98ace47bbdf00857ddd8;hpb=a15fe7dd93cfcd9510b54b8481b4c3aa891ac380;p=lhc%2Fweb%2Fwiklou.git

diff --git a/includes/password/Password.php b/includes/password/Password.php
index 4e395b5182..c8a0267cb1 100644
--- a/includes/password/Password.php
+++ b/includes/password/Password.php
@@ -81,6 +81,11 @@ abstract class Password {
 	 */
 	protected $config;
 
+	/**
+	 * Hash must fit in user_password, which is a tinyblob
+	 */
+	const MAX_HASH_SIZE = 255;
+
 	/**
 	 * Construct the Password object using a string hash
 	 *
@@ -133,8 +138,7 @@ abstract class Password {
 	 *
 	 * @return bool True if needs update, false otherwise
 	 */
-	public function needsUpdate() {
-	}
+	abstract public function needsUpdate();
 
 	/**
 	 * Compare one Password object to this object
@@ -168,9 +172,28 @@ abstract class Password {
 	 * are considered equivalent.
 	 *
 	 * @return string
+	 * @throws PasswordError if password cannot be serialized to fit a tinyblob.
 	 */
 	public function toString() {
-		return ':' . $this->config['type'] . ':' . $this->hash;
+		$result = ':' . $this->config['type'] . ':' . $this->hash;
+		$this->assertIsSafeSize( $result );
+		return $result;
+	}
+
+	/**
+	 * Assert that hash will fit in a tinyblob field.
+	 *
+	 * This prevents MW from inserting it into the DB
+	 * and having MySQL silently truncating it, locking
+	 * the user out of their account.
+	 *
+	 * @param string $hash The hash in question.
+	 * @throws PasswordError If hash does not fit in DB.
+	 */
+	final protected function assertIsSafeSize( $hash ) {
+		if ( strlen( $hash ) > self::MAX_HASH_SIZE ) {
+			throw new PasswordError( "Password hash is too big" );
+		}
 	}
 
 	/**