author | Stefan Hacker <dd0t@users.sourceforge.net> | 2010-12-13 17:58:57 +0300 |
---|---|---|
committer | Stefan Hacker <dd0t@users.sourceforge.net> | 2010-12-13 18:01:55 +0300 |
commit | 0aaa59ab71bb121cfc53ce2c7ddebc62f95aa813 (patch) | |
tree | 68d0259e4d1670014f2a2d69a9af78378aaa1ff7 /Authenticators/phpBB3 | |
parent | 59c42507087418c0972166ba8c45bf542ec0246a (diff) |
Fix password encoding handling in phpBB3auth and smfauth.
Diffstat (limited to 'Authenticators/phpBB3')
-rwxr-xr-x[-rw-r--r--] | Authenticators/phpBB3/phpBB3auth.py | 25 |
1 files changed, 19 insertions, 6 deletions
diff --git a/Authenticators/phpBB3/phpBB3auth.py b/Authenticators/phpBB3/phpBB3auth.py index 78a59ed..bd554d0 100644..100755 --- a/Authenticators/phpBB3/phpBB3auth.py +++ b/Authenticators/phpBB3/phpBB3auth.py @@ -54,8 +54,11 @@ from logging import (debug, warning, error, critical, + exception, getLogger) +from xml.sax.saxutils import escape + try: from hashlib import md5 except ImportError: # python 2.4 compat @@ -782,32 +785,42 @@ def _hash_crypt_private(password, settings, itoa64): count = 1 << count_log2 salt = settings[4:12] - + if len(salt) != 8: return output - - hash = md5(unicode(salt + password).encode('utf8')).digest() + + + hash = md5(salt + password).digest() + while True: - hash = md5(unicode(hash + password).encode('utf8')).digest() + hash = md5(hash + password).digest() count = count - 1 if count <= 0: break output = settings[0:12] output += _hash_encode64(hash, 16, itoa64) - + return output def phpbb_check_hash(password, hash): """ Python implementation of the phpBB3 check hash function """ + + # phpBB3 conditions the password it got from the user before using it, replicate that + + password = password.replace("\r\n", "\n") + password = password.replace("\r", "\n") + password = password.replace("\0", "") + password = escape(password, {'"':'"'}) # emulate ENT_COMPAT + password = password.strip() itoa64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz' if len(hash) == 34: return _hash_crypt_private(password, hash, itoa64) == hash - return md5(unicode(password).encode('utf8')).hexdigest() == hash + return md5(password).hexdigest() == hash # #--- Start of program |
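Review bot: `phpbb_check_hash` now hands `password` to `md5()` unchanged, both directly and through `_hash_crypt_private` (whose body starts above this hunk), so a correct result depends on the caller supplying a UTF-8 byte string, and nothing here enforces or documents that. Under Python 2 a `unicode` password with non-ASCII characters would fail in the implicit ASCII encode, and a `unicode` stored hash would make `salt + password` coerce the same way; neither the caller nor the database layer is visible here, so this is a contract to confirm rather than a known failure. I would pin it at the top of `phpbb_check_hash` with `if isinstance(password, unicode): password = password.encode('utf8')` and state the expected argument types in the docstring. Separately, the mapping given to `escape` reads `{'"':'"'}` as displayed, which leaves double quotes unchanged instead of emulating ENT_COMPAT; if the file really contains that and it is not a rendering artifact, passwords containing `"` would never verify.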