From: Tim Starling
Date: Mon, 14 Nov 2016 23:54:44 +0000 (+1100)
Subject: Accept salted password hashes with :A: prefixes
X-Git-Tag: 1.31.0-rc.0~4873
X-Git-Url: https://git.cyclocoop.org/%7B%24admin_url%7Dmembres/fiche.php?a=commitdiff_plain;h=7f40255ca259e53d2ca331798b8ded154804e140;p=lhc%2Fweb%2Fwiklou.git

Accept salted password hashes with :A: prefixes

Partially reverting Icb809274f9f63. The broken :A: prefixed passwords generated by MW before that change were apparently written back to the database -- there are 2.5M in enwiki alone. Accepting them should not depend on $wgPasswordSalt, which is a deprecated global and should soon be removed.

Change-Id: I772de0fb17245d080eb15a7d5df6bf3125e1f71a
---

diff --git a/includes/password/MWOldPassword.php b/includes/password/MWOldPassword.php
index 360485e364..c48b6e61d5 100644
--- a/includes/password/MWOldPassword.php
+++ b/includes/password/MWOldPassword.php
@@ -36,8 +36,16 @@ class MWOldPassword extends ParameterizedPassword {
 }
 
 public function crypt( $plaintext ) {
- $this->args = [];
- $this->hash = md5( $plaintext );
+ if ( count( $this->args ) === 1 ) {
+ // Accept (but do not generate) salted passwords with :A: prefix.
+ // These are actually B-type passwords, but an error in a previous
+ // version of MediaWiki caused them to be written with an :A:
+ // prefix.
+ $this->hash = md5( $this->args[0] . '-' . md5( $plaintext ) );
+ } else {
+ $this->args = [];
+ $this->hash = md5( $plaintext );
+ }
 
 if ( !is_string( $this->hash ) || strlen( $this->hash ) < 32 ) {
 throw new PasswordError( 'Error when hashing password.' );
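Review bot: The new salted branch in crypt() keeps salted-MD5 hashes verifiable indefinitely, and nothing in this hunk shows that an account matching one is rehashed to the current default type afterwards. If that upgrade happens in the caller (presumably the password factory's needs-update check, which is not visible here), the comment should say so, for example `// Legacy, verification only: the caller must rehash with the default password type after a successful match.` The "do not generate" promise also rests on no caller constructing this type with exactly one argument before calling crypt(), since the branch is chosen only by `count( $this->args ) === 1`; a sentence in the method docblock stating that precondition would help. crypt()'s body continues past the end of the hunk.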