authorReed Loden <reed@reedloden.com>2012-12-31 22:51:11 +0100
committerReed Loden <reed@reedloden.com>2012-12-31 22:51:11 +0100
commit4663186fdcb2ac1142d3697e27a8f67ce3c92510 (patch)
treefe2720a0c265ca480cb425b83ff6585ec081df65 /Bugzilla/Auth/Verify
parenta9fb9c4b84b21f01a9bfea6eea13ee1b27435ca6 (diff)
Bug 785283 - Support increased values for PASSWORD_SALT_LENGTH without breaking compat with old hashes
[r=LpSolit a=LpSolit]
Diffstat (limited to 'Bugzilla/Auth/Verify')
-rw-r--r--Bugzilla/Auth/Verify/DB.pm13
1 files changed, 12 insertions, 1 deletions
diff --git a/Bugzilla/Auth/Verify/DB.pm b/Bugzilla/Auth/Verify/DB.pm
index 2ad98874d..82fa662dc 100644
--- a/Bugzilla/Auth/Verify/DB.pm
+++ b/Bugzilla/Auth/Verify/DB.pm
@@ -66,11 +66,22 @@ sub check_credentials {
Bugzilla::Token::DeletePasswordTokens($user->id, "user_logged_in");
$user->clear_login_failures();
+ my $update_password = 0;
+
# If their old password was using crypt() or some different hash
# than we're using now, convert the stored password to using
# whatever hashing system we're using now.
my $current_algorithm = PASSWORD_DIGEST_ALGORITHM;
- if ($real_password_crypted !~ /{\Q$current_algorithm\E}$/) {
+ $update_password = 1 if ($real_password_crypted !~ /{\Q$current_algorithm\E}$/);
+
+ # If their old password was using a different length salt than what
+ # we're using now, update the password to use the new salt length.
+ if ($real_password_crypted =~ /^([^,]+),/) {
+ $update_password = 1 if (length($1) != PASSWORD_SALT_LENGTH);
+ }
+
+ # If needed, update the user's password.
+ if ($update_password) {
$user->set_password($password);
$user->update();
}
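Review bot: The `!=` in `$update_password = 1 if (length($1) != PASSWORD_SALT_LENGTH);` also fires when the stored salt is longer than the current constant, so a site that lowers PASSWORD_SALT_LENGTH (or reverts a local increase) will silently re-hash every user with a shorter salt on their next login, which is a downgrade rather than the upgrade the commit title describes. Since the plaintext is only available at login time and this is the one chance to strengthen the hash, consider making the migration monotonic with `$update_password = 1 if (length($1) < PASSWORD_SALT_LENGTH);`. The `/^([^,]+),/` capture is presumably meant not to match legacy crypt() hashes (which carry no salt,hash separator) and leave those to the algorithm-suffix check above; a one-line comment saying so, e.g. `# Legacy crypt() hashes have no "salt," prefix and are caught by the algorithm check above.`, would keep the two branches from being read as redundant. check_credentials starts before this hunk and continues after it, so the origin of $real_password_crypted and $password is not visible here.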