tonyair/silverstripe-framework
1
0
Fork 0
mirror of https://github.com/silverstripe/silverstripe-framework synced 2024-10-22 14:05:37 +02:00
Code Issues Projects Releases Wiki Activity

BUGFIX Fixed Member->PasswordEncryption defaults when writing new Member without setting a password. Fixes critical issue with MemberTableField saving in admin/security, where new members are stored with a cleartext password by default instead of using the default SHA1 (see #5772)

Browse Source 
git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/branches/2.4@107532 467b73ca-7a2a-4603-9d3b-597d59a354a9
This commit is contained in:
Ingo Schommer 2010-07-06 01:54:55 +00:00 committed by Sam Minnee
parent b8f27de42e
commit 7ac4a9ec4d
2 changed files with 19 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
security/Member.php
View File

@ -636,7 +636,7 @@ class Member extends DataObject {
// The test on $this->ID is used for when records are initially created. // The test on $this->ID is used for when records are initially created.
// Note that this only works with cleartext passwords, as we can't rehash // Note that this only works with cleartext passwords, as we can't rehash
// existing passwords. // existing passwords.
if(!$this->ID || $this->isChanged('Password')) { if((!$this->ID && $this->Password) || $this->isChanged('Password')) {
// Password was changed: encrypt the password according the settings // Password was changed: encrypt the password according the settings
$encryption_details = Security::encrypt_password( $encryption_details = Security::encrypt_password(
$this->Password, // this is assumed to be cleartext $this->Password, // this is assumed to be cleartext
@ -644,8 +644,9 @@ class Member extends DataObject {
$this->PasswordEncryption, $this->PasswordEncryption,
$this $this
); );
// Overwrite the Password property with the hashed value // Overwrite the Password property with the hashed value
$this->Password = $encryption_details['password']; ; $this->Password = $encryption_details['password'];
$this->Salt = $encryption_details['salt']; $this->Salt = $encryption_details['salt'];
$this->PasswordEncryption = $encryption_details['algorithm']; $this->PasswordEncryption = $encryption_details['algorithm'];

20
tests/security/MemberTest.php
View File

@ -52,13 +52,20 @@ class MemberTest extends FunctionalTest {
} }
function testDefaultPasswordEncryptionOnMember() { function testDefaultPasswordEncryptionOnMember() {
$member = new Member(); $memberWithPassword = new Member();
$member->Password = 'mypassword'; $memberWithPassword->Password = 'mypassword';
$member->write(); $memberWithPassword->write();
$this->assertEquals( $this->assertEquals(
$member->PasswordEncryption, $memberWithPassword->PasswordEncryption,
Security::get_password_encryption_algorithm(), Security::get_password_encryption_algorithm(),
'Password encryption is set for new member records on first write' 'Password encryption is set for new member records on first write (with setting "Password")'
);
$memberNoPassword = new Member();
$memberNoPassword->write();
$this->assertNull(
$memberNoPassword->PasswordEncryption,
'Password encryption is not set for new member records on first write, when not setting a "Password")'
); );
} }
@ -68,6 +75,7 @@ class MemberTest extends FunctionalTest {
$member->PasswordEncryption = 'sha1_v2.4'; $member->PasswordEncryption = 'sha1_v2.4';
$member->write(); $member->write();
$origAlgo = Security::get_password_encryption_algorithm();
Security::set_password_encryption_algorithm('none'); Security::set_password_encryption_algorithm('none');
$member->Password = 'mynewpassword'; $member->Password = 'mynewpassword';
@ -79,6 +87,8 @@ class MemberTest extends FunctionalTest {
); );
$result = $member->checkPassword('mynewpassword'); $result = $member->checkPassword('mynewpassword');
$this->assertTrue($result->valid()); $this->assertTrue($result->valid());
Security::set_password_encryption_algorithm($origAlgo);
} }
function testSetPassword() { function testSetPassword() {