author | Stefan Hacker <dd0t@users.sourceforge.net> | 2010-12-13 17:58:57 +0300 |
---|---|---|
committer | Stefan Hacker <dd0t@users.sourceforge.net> | 2010-12-13 18:01:55 +0300 |
commit | 0aaa59ab71bb121cfc53ce2c7ddebc62f95aa813 (patch) | |
tree | 68d0259e4d1670014f2a2d69a9af78378aaa1ff7 | |
parent | 59c42507087418c0972166ba8c45bf542ec0246a (diff) |
Fix password encoding handling in phpBB3auth and smfauth.
-rwxr-xr-x[-rw-r--r--] | Authenticators/SMF/smfauth.py | 3 | ||||
-rwxr-xr-x[-rw-r--r--] | Authenticators/phpBB3/phpBB3auth.py | 25 |
2 files changed, 21 insertions, 7 deletions
diff --git a/Authenticators/SMF/smfauth.py b/Authenticators/SMF/smfauth.py
index d604c32..73b1199 100644..100755
--- a/Authenticators/SMF/smfauth.py
+++ b/Authenticators/SMF/smfauth.py
@@ -54,6 +54,7 @@ from logging import (debug,
 warning,
 error,
 critical,
+ exception,
 getLogger)
 try:
@@ -792,7 +793,7 @@ def smf_check_hash(password, hash, username):
 """
 Python implementation of the smf check hash function
 """
- return sha1(unicode(username.lower() + password).encode('utf8')).hexdigest() == hash
+ return sha1(username.lower().encode('utf8') + password).hexdigest() == hash
 #
 #--- Start of program
diff --git a/Authenticators/phpBB3/phpBB3auth.py b/Authenticators/phpBB3/phpBB3auth.py
index 78a59ed..bd554d0 100644..100755
--- a/Authenticators/phpBB3/phpBB3auth.py
+++ b/Authenticators/phpBB3/phpBB3auth.py
@@ -54,8 +54,11 @@ from logging import (debug,
 warning,
 error,
 critical,
+ exception,
 getLogger)
+from xml.sax.saxutils import escape
+
 try:
 from hashlib import md5
 except ImportError: # python 2.4 compat
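Review bot: In `smf_check_hash` (Authenticators/SMF/smfauth.py) the new return line only works when `password` is already an encoded byte string and `username` is text, and nothing in the hunk states or checks that. Under the Python 2 semantics implied by the removed `unicode(...)` call, a `unicode` password containing non-ASCII characters would raise a Unicode error (in the concatenation or inside `sha1`) instead of returning False; whether the caller catches that is not visible here. I would extend the docstring with `password: UTF-8 byte string exactly as received from the client; username: unicode` and make sure the caller treats an exception from this function as a failed login. The `def` line sits in the hunk header, so the body shown is the whole function.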
@@ -782,32 +785,42 @@ def _hash_crypt_private(password, settings, itoa64):
 count = 1 << count_log2
 salt = settings[4:12]
-
+
 if len(salt) != 8:
 return output
-
- hash = md5(unicode(salt + password).encode('utf8')).digest()
+
+ hash = md5(salt + password).digest()
+
 while True:
- hash = md5(unicode(hash + password).encode('utf8')).digest()
+ hash = md5(hash + password).digest()
 count = count - 1
 if count <= 0:
 break
 output = settings[0:12]
 output += _hash_encode64(hash, 16, itoa64)
-
+
 return output
 def phpbb_check_hash(password, hash):
 """
 Python implementation of the phpBB3 check hash function
 """
+
+ # phpBB3 conditions the password it got from the user before using it, replicate that
+
+ password = password.replace("\r\n", "\n")
+ password = password.replace("\r", "\n")
+ password = password.replace("\0", "")
+ password = escape(password, {'"':'"'}) # emulate ENT_COMPAT
+ password = password.strip()
 itoa64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'
 if len(hash) == 34:
 return _hash_crypt_private(password, hash, itoa64) == hash
- return md5(unicode(password).encode('utf8')).hexdigest() == hash
+ return md5(password).hexdigest() == hash
 #
 #--- Start of program |
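Review bot: As the line appears on this page, the `escape` call in `phpbb_check_hash` maps `"` to `"`, which leaves double quotes unchanged, whereas the `ENT_COMPAT` behaviour the comment refers to turns them into `&quot;`. If the file really reads that way (the page may simply have decoded the entity), a password containing a double quote would be hashed differently from what phpBB stored and the login would fail; the line should read `password = escape(password, {'"':'&quot;'}) # emulate ENT_COMPAT`. The block also assumes `password` is a byte string now that the `unicode(...).encode('utf8')` wrappers are gone from `md5(salt + password)`, `md5(hash + password)` and `md5(password)`, so a docstring line such as `password: UTF-8 byte string as received from the client` would help. `_hash_crypt_private` starts above the hunk, so how `count_log2` is derived is not reviewed here.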