silverstripe-framework/Security/PasswordEncryptor_LegacyPHPHash.php
Damian Mooyman 8dd644d25d
API Namespace all classes
Namespace all templates
Move difflib and BBCodeParser2 to thirdparty
Remove deprecated API marked for removal in 4.0
2016-09-08 10:23:17 +12:00

33 lines
1.1 KiB
PHP

<?php
namespace SilverStripe\Security;
/**
* Legacy implementation for SilverStripe 2.1 - 2.3,
* which had a design flaw in password hashing that caused
* the hashes to differ between architectures due to
* floating point precision problems in base_convert().
* See http://open.silverstripe.org/ticket/3004
*/
class PasswordEncryptor_LegacyPHPHash extends PasswordEncryptor_PHPHash
{
public function encrypt($password, $salt = null, $member = null)
{
$password = parent::encrypt($password, $salt, $member);
// Legacy fix: This shortening logic is producing unpredictable results.
//
// Convert the base of the hexadecimal password to 36 to make it shorter
// In that way we can store also a SHA256 encrypted password in just 64
// letters.
return substr(base_convert($password, 16, 36), 0, 64);
}
public function check($hash, $password, $salt = null, $member = null)
{
// Due to flawed base_convert() floating poing precision,
// only the first 10 characters are consistently useful for comparisons.
return (substr($hash, 0, 10) === substr($this->encrypt($password, $salt, $member), 0, 10));
}
}