Authored By
csteipp
Feb 22 2016, 8:51 PM

T127420.patch

From a9ee28263f1bf50970a5a475f90e5da22b481253 Mon Sep 17 00:00:00 2001
From: csteipp <csteipp@wikimedia.org>
Date: Mon, 22 Feb 2016 12:50:40 -0800
Subject: [PATCH] SECURITY: Throw exception on unknown hash algorithm
To prevent a bad password configuration from accidentally allowing
users to bypass authentication, throw an exception if either hash_hmac
or hash_pbkdf2 returns false.
Bug: T127420
Change-Id: If3664941236e4065eb8db11b0a211fd6210de631
---
includes/password/Pbkdf2Password.php | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/includes/password/Pbkdf2Password.php b/includes/password/Pbkdf2Password.php
index 8ef6f8d..a36e248 100644
--- a/includes/password/Pbkdf2Password.php
+++ b/includes/password/Pbkdf2Password.php
@@ -55,6 +55,11 @@ class Pbkdf2Password extends ParameterizedPassword {
(int)$this->params['length'],
true
);
+ if ( $hash === false ) {
+ throw new InvalidArgumentException(
+ "Unknown hash algorithm: {$this->params['algo']}"
+ );
+ }
} else {
$hashLen = strlen( hash( $this->params['algo'], '', true ) );
$blockCount = ceil( $this->params['length'] / $hashLen );
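Review bot: The fallback branch at the end of this hunk still calls `hash( $this->params['algo'], '', true )` without checking its result, so with an unknown algorithm `$hashLen` ends up 0 and `$blockCount` is computed from a division by zero before the new `$roundTotal === false` check in the second hunk can run. That check appears to sit inside the per-block loop, whose header is outside both hunks, so whether it is ever reached depends on what `ceil()` yields for that division on the running PHP version; if the loop runs zero times the derived hash would be built from no blocks at all, which is the failure this patch is meant to rule out. Validating the algorithm once before the branch covers both paths and keeps the message accurate: `if ( !in_array( $this->params['algo'], hash_algos(), true ) ) { throw new InvalidArgumentException( "Unknown hash algorithm: {$this->params['algo']}" ); }`. The enclosing method starts and ends outside the hunk, so the placement needs to be confirmed against the full file.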
@@ -68,6 +73,11 @@ class Pbkdf2Password extends ParameterizedPassword {
$password,
true
);
+ if ( $roundTotal === false ) {
+ throw new InvalidArgumentException(
+ "Unknown hash algorithm: {$this->params['algo']}"
+ );
+ }
for ( $j = 1; $j < $this->params['rounds']; ++$j ) {
$lastRound = hash_hmac( $this->params['algo'], $lastRound, $password, true );
--
2.6.2
