| 2024-03-25 21:00:30 |
Jason Stephenson |
description |
Evergreen Version 3.7+
The comments for the open-ils.actor.verify_user_password backend function claims to work with non-hashed passwords:
Given a barcode or username and the MD5 encoded password,
The password can also be passed without the MD5 hashing.
returns 1 if the password is correct. Returns 0 otherwise.
However, this is not true. If the $pass_nohash argument is given a true value, the password is treated as if it were hashed, and the password verification will fail. The following lines are the responsible:
if ($pass_nohash) {
return $U->verify_migrated_user_password($e, $user->id, $pass_nohash);
} else {
return $U->verify_migrated_user_password($e, $user->id, $password, 1);
}
Instead using the $pass_nohash value in the top "if" statement, the value should be 0.
The entire if block could probably be replaced with a single line of code. |
Evergreen Version 3.7+
The comments for the open-ils.actor.verify_user_password backend function claims to work with non-hashed passwords:
Given a barcode or username and the MD5 encoded password,
The password can also be passed without the MD5 hashing.
returns 1 if the password is correct. Returns 0 otherwise.
However, this is not true. If the $pass_nohash argument is given a true value, the password is treated as if it were hashed, and the password verification will fail. The following lines are responsible:
if ($pass_nohash) {
return $U->verify_migrated_user_password($e, $user->id, $pass_nohash);
} else {
return $U->verify_migrated_user_password($e, $user->id, $password, 1);
}
Instead of reusing the $pass_nohash value in the top branch of the "if" statement, the value should be 0.
The entire if block could probably be replaced with a single line of code. |
|
