X-Git-Url: https://git.cyclocoop.org/%27.WWW_URL.%27admin/?a=blobdiff_plain;f=includes%2Fauth%2FLocalPasswordPrimaryAuthenticationProvider.php;h=86a6aae0aba4e31070ccfed37544ef5f7e9c9940;hb=64f08b23ee6f29cd38289f8d48bad7469d248107;hp=88df68d31001d033095cb0e3f960bced01e1256e;hpb=fd5127b4f0278299760c823eb0c68523ad1cf3cc;p=lhc%2Fweb%2Fwiklou.git
diff --git a/includes/auth/LocalPasswordPrimaryAuthenticationProvider.php b/includes/auth/LocalPasswordPrimaryAuthenticationProvider.php
index 88df68d310..86a6aae0ab 100644
--- a/includes/auth/LocalPasswordPrimaryAuthenticationProvider.php
+++ b/includes/auth/LocalPasswordPrimaryAuthenticationProvider.php
@@ -96,7 +96,10 @@ class LocalPasswordPrimaryAuthenticationProvider
 			__METHOD__
 		);
 		if ( !$row ) {
-			return AuthenticationResponse::newAbstain();
+			// Do not reveal whether its bad username or
+			// bad password to prevent username enumeration
+			// on private wikis. (T134100)
+			return $this->failResponse( $req );
 		}
 
 		$oldRow = clone $row;
@@ -104,7 +107,7 @@ class LocalPasswordPrimaryAuthenticationProvider
 		// The old hash format was just an md5 hex hash, with no type information
 		if ( preg_match( '/^[0-9a-f]{32}$/', $row->user_password ) ) {
 			if ( $this->config->get( 'PasswordSalt' ) ) {
-				$row->user_password = ":A:{$row->user_id}:{$row->user_password}";
+				$row->user_password = ":B:{$row->user_id}:{$row->user_password}";
 			} else {
 				$row->user_password = ":A:{$row->user_password}";
 			}
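Review bot: The new `return $this->failResponse( $req );` for a missing row skips the password-hash comparison that a wrong-password attempt still performs, so even if both cases now presumably yield the same failure message they remain distinguishable by response time; if enumeration on private wikis is the concern, a comparison against a fixed dummy hash before returning here would close that gap. The comment's wording should also be tightened, e.g. `// Do not reveal whether the username or the password was wrong,` / `// to prevent username enumeration on private wikis. (T134100)`. Returning FAIL where ABSTAIN was returned before presumably stops AuthManager from consulting later primary providers, so setups that order another provider after this one deserve a check. The enclosing method starts and ends outside this hunk.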
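Review bot: The salted legacy hash is now tagged `:B:` while the unsalted one stays `:A:`, but nothing in the block explains the two letters, and the asymmetry invites a future "fix" back to `:A:`; a comment such as `// Legacy MD5 without type info: "B" is salted with the user_id, "A" is unsalted` on the line before the `if ( $this->config->get( 'PasswordSalt' ) )` check would pin it down. It would also be worth noting in that comment that this rewrite only exists so the factory can verify the old hash, since the needsUpdate path later in the same method presumably replaces it with a current hash. The enclosing method starts and ends outside this hunk.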
@@ -132,12 +135,12 @@ class LocalPasswordPrimaryAuthenticationProvider
 
 		// @codeCoverageIgnoreStart
 		if ( $this->getPasswordFactory()->needsUpdate( $pwhash ) ) {
-			$pwhash = $this->getPasswordFactory()->newFromPlaintext( $req->password );
-			\DeferredUpdates::addCallableUpdate( function () use ( $pwhash, $oldRow ) {
+			$newHash = $this->getPasswordFactory()->newFromPlaintext( $req->password );
+			\DeferredUpdates::addCallableUpdate( function () use ( $newHash, $oldRow ) {
 				$dbw = wfGetDB( DB_MASTER );
 				$dbw->update(
 					'user',
-					[ 'user_password' => $pwhash->toString() ],
+					[ 'user_password' => $newHash->toString() ],
 					[
 						'user_id' => $oldRow->user_id,
 						'user_password' => $oldRow->user_password
@@ -242,14 +245,14 @@ class LocalPasswordPrimaryAuthenticationProvider
 
 		$pwhash = null;
 
-		if ( $this->loginOnly ) {
-			$pwhash = $this->getPasswordFactory()->newFromCiphertext( null );
-			$expiry = null;
-			// @codeCoverageIgnoreStart
-		} elseif ( get_class( $req ) === PasswordAuthenticationRequest::class ) {
-			// @codeCoverageIgnoreEnd
-			$pwhash = $this->getPasswordFactory()->newFromPlaintext( $req->password );
-			$expiry = $this->getNewPasswordExpiry( $username );
+		if ( get_class( $req ) === PasswordAuthenticationRequest::class ) {
+			if ( $this->loginOnly ) {
+				$pwhash = $this->getPasswordFactory()->newFromCiphertext( null );
+				$expiry = null;
+			} else {
+				$pwhash = $this->getPasswordFactory()->newFromPlaintext( $req->password );
+				$expiry = $this->getNewPasswordExpiry( $username );
+			}
 		}
 
 		if ( $pwhash ) {
@@ -297,7 +300,7 @@ class LocalPasswordPrimaryAuthenticationProvider
 		// Nothing we can do besides claim it, because the user isn't in
 		// the DB yet
 		if ( $req->username !== $user->getName() ) {
-			$req = clone( $req );
+			$req = clone $req;
 			$req->username = $user->getName();
 		}
 		$ret = AuthenticationResponse::newPass( $req->username );
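Review bot: Renaming the captured variable to `$newHash` removes the shadowing, but the update's WHERE condition on `$oldRow->user_password` is what makes this deferred rehash safe and it is undocumented; a comment above the `$dbw->update(` call such as `// Also match on the old hash so a password changed between login and this deferred update is not overwritten` would make the intent explicit. The `// @codeCoverageIgnoreStart` just before the condition suggests this branch has no test; logging in with a legacy-format hash and asserting the stored value was upgraded would cover this hunk and the legacy-prefix handling in the earlier hunk. Both the enclosing method and the deferred callback continue past the end of the hunk.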
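Review bot: With the class check moved outward, a loginOnly provider that receives a request of another class now leaves `$pwhash` null and skips the `if ( $pwhash )` block instead of writing an invalid hash, which is a behaviour change the commit does not mention; and the exact-class comparison `get_class( $req ) === PasswordAuthenticationRequest::class` is undocumented, so a comment like `// Exact class match on purpose: subclasses of PasswordAuthenticationRequest are presumably handled by other providers` would help. Since `$expiry` is only assigned inside the two branches, any read of it outside the `if ( $pwhash )` guard would hit an undefined variable; worth confirming it is only used within that block. The enclosing method starts and ends outside this hunk.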