author | Marek Habersack <grendel@twistedcode.net> | 2010-06-19 04:16:59 +0400 |
---|---|---|
committer | Marek Habersack <grendel@twistedcode.net> | 2010-06-19 04:16:59 +0400 |
commit | f2563ca2c7674f2fded8d1f61b3e817e42cc8d00 (patch) | |
tree | 811ff05dfa4fe37a93ca952cee7ce8298e80d790 /mcs/class | |
parent | b433a909ab4658cd1c0f5cea95f89094ae26c696 (diff) |
Backport of r159166
svn path=/branches/mono-2-6/mcs/; revision=159167
Diffstat (limited to 'mcs/class')
-rw-r--r-- | mcs/class/System.Web/System.Web.Security/ChangeLog | 5 | ||||
-rw-r--r-- | mcs/class/System.Web/System.Web.Security/FormsAuthentication.cs | 42 |
2 files changed, 38 insertions, 9 deletions
diff --git a/mcs/class/System.Web/System.Web.Security/ChangeLog b/mcs/class/System.Web/System.Web.Security/ChangeLog
index 60579ea3dec..2cb7daa8584 100644
--- a/mcs/class/System.Web/System.Web.Security/ChangeLog
+++ b/mcs/class/System.Web/System.Web.Security/ChangeLog
@@ -1,3 +1,8 @@
+2010-06-19 Marek Habersack <mhabersack@novell.com>
+
+	* FormsAuthentication.cs: Authenticate must compare stored and
+	newly hashed passwords case-insensitively. Fixes bug #601727
+
 2010-04-29 Marek Habersack <mhabersack@novell.com>
 
 	* FormsAuthentication.cs: set authentication/expiry cookie
diff --git a/mcs/class/System.Web/System.Web.Security/FormsAuthentication.cs b/mcs/class/System.Web/System.Web.Security/FormsAuthentication.cs
index b10508c66b7..2ece40789df 100644
--- a/mcs/class/System.Web/System.Web.Security/FormsAuthentication.cs
+++ b/mcs/class/System.Web/System.Web.Security/FormsAuthentication.cs
@@ -220,19 +220,24 @@ namespace System.Web.Security
 			if (stored == null)
 				return false;
 
+			bool caseInsensitive = true;
 			switch (config.PasswordFormat) {
 			case FormsAuthPasswordFormat.Clear:
+				caseInsensitive = false;
 				/* Do nothing */
 				break;
 			case FormsAuthPasswordFormat.MD5:
-				password = HashPasswordForStoringInConfigFile (password, "MD5");
+				password = HashPasswordForStoringInConfigFile (password, FormsAuthPasswordFormat.MD5);
 				break;
 			case FormsAuthPasswordFormat.SHA1:
-				password = HashPasswordForStoringInConfigFile (password, "SHA1");
+				password = HashPasswordForStoringInConfigFile (password, FormsAuthPasswordFormat.MD5);
 				break;
 			}
-
-			return (password == stored);
+#if NET_2_0
+			return String.Compare (password, stored, caseInsensitive ? StringComparison.OrdinalIgnoreCase : StringComparison.Ordinal) == 0;
+#else
+			return String.Compare (password, stored, caseInsensitive, Helpers.InvariantCulture) == 0;
+#endif
 		}
 
 #if NET_2_0
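Review bot: The `case FormsAuthPasswordFormat.SHA1:` branch now hashes with `FormsAuthPasswordFormat.MD5`, so a credential store configured for SHA1 is compared against an MD5 hex digest and Authenticate can never succeed for that format; the line should read `password = HashPasswordForStoringInConfigFile (password, FormsAuthPasswordFormat.SHA1);`. The case-insensitive compare is appropriate for the hex-encoded hashed formats, and the Clear branch correctly keeps an ordinal, case-sensitive compare. Both String.Compare calls stop at the first differing character, which leaks a small amount of timing information about how much of the digest matched; if that is a concern here, a length check followed by a fixed-time loop over the characters avoids it, with a comment explaining why a plain `==` is not used. Authenticate begins before this hunk.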
@@ -491,6 +496,28 @@ namespace System.Web.Security
 			return new string (result);
 		}
 
+		static string HashPasswordForStoringInConfigFile (string password, FormsAuthPasswordFormat passwordFormat)
+		{
+			if (password == null)
+				throw new ArgumentNullException ("password");
+
+			byte [] bytes;
+			switch (passwordFormat) {
+				case FormsAuthPasswordFormat.MD5:
+					bytes = MD5.Create ().ComputeHash (Encoding.UTF8.GetBytes (password));
+					break;
+
+				case FormsAuthPasswordFormat.SHA1:
+					bytes = SHA1.Create ().ComputeHash (Encoding.UTF8.GetBytes (password));
+					break;
+
+				default:
+					throw new ArgumentException ("The format must be either MD5 or SHA1", "passwordFormat");
+			}
+
+			return GetHexString (bytes);
+		}
+
 		public static string HashPasswordForStoringInConfigFile (string password, string passwordFormat)
 		{
 			if (password == null)
@@ -499,16 +526,13 @@ namespace System.Web.Security
 			if (passwordFormat == null)
 				throw new ArgumentNullException ("passwordFormat");
 
-			byte [] bytes;
 			if (String.Compare (passwordFormat, "MD5", true, Helpers.InvariantCulture) == 0) {
-				bytes = MD5.Create ().ComputeHash (Encoding.UTF8.GetBytes (password));
+				return HashPasswordForStoringInConfigFile (password, FormsAuthPasswordFormat.MD5);
 			} else if (String.Compare (passwordFormat, "SHA1", true, Helpers.InvariantCulture) == 0) {
-				bytes = SHA1.Create ().ComputeHash (Encoding.UTF8.GetBytes (password));
+				return HashPasswordForStoringInConfigFile (password, FormsAuthPasswordFormat.SHA1);
 			} else {
 				throw new ArgumentException ("The format must be either MD5 or SHA1", "passwordFormat");
 			}
-
-			return GetHexString (bytes);
 		}
 
 		public static void Initialize ()
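Review bot: The new private overload creates `MD5.Create ()` and `SHA1.Create ()` instances and never disposes them; both are HashAlgorithm objects implementing IDisposable, so each branch should read e.g. `using (MD5 md5 = MD5.Create ()) bytes = md5.ComputeHash (Encoding.UTF8.GetBytes (password));` (the old string overload had the same omission, which this hunk carries over rather than introduces). A header comment would help callers understand what this produces: `// Unsalted MD5 or SHA1 digest of the UTF-8 bytes of password, hex encoded by GetHexString; this is the stored-credential format selected by FormsAuthPasswordFormat.` The `default:` branch repeats the `"The format must be either MD5 or SHA1"` message from the string overload; that is fine, but the two should be kept in step if either changes.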