https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=40824
--- Comment #20 from David Cook <[email protected]> ---

I keep looking at Koha/PatronPasswordHistory.pm and the store method there... And I feel like there might be a subtle bug here, but I'm not sure yet.

If the password hasn't been saved in the password history, we check if it's already Bcrypt hashed, and if it's not then we try to hash it. But... it's possible for the old password to still be an MD5 hash. Looking at Koha::Patron... I think for older Koha systems your password history would be incorrect for the older passwords.

I think there's danger in using a line like this:

+ if ( $password && $password !~ /\$2a\$/ ) {

Because at some point we also want to upgrade passwords from Bcrypt to Argon, and this will probably be a bit of a pain to find.

So... I'm a bit wary of this bit of code.
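
Review bot: the pattern /\$2a\$/ in this condition is unanchored and only recognises the 2a prefix, so a plaintext password that happens to contain "$2a$" is treated as already hashed, and any stored value in another format is sent to be hashed again. Anchor the match at the start of the string (for example \A\$2a\$) and move the scheme check into one named helper, so that the set of recognised formats can be extended in a single place.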
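
To illustrate the concern raised in the comment above, here is an added example (not code from the Koha patch or from the commenter) that classifies a stored value by scheme and prints it next to the result of the quoted regex test. The helper name `classify_stored_password`, the sample values, and the assumption that legacy hashes are unsalted `md5_base64` output are all hypothetical.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::MD5 qw(md5_base64);

# classify_stored_password() is a hypothetical helper, not a Koha function.
# It returns the scheme of a value that may already be a hash, or 'plaintext'.
sub classify_stored_password {
    my ($value) = @_;
    return 'empty' unless defined $value && length $value;

    # bcrypt: anchored prefix, 2a/2b/2y variants, two-digit cost, 53-char body
    return 'bcrypt' if $value =~ m{\A\$2[aby]\$\d\d\$[./A-Za-z0-9]{53}\z};

    # Argon2 encoded string, so a later scheme upgrade has an explicit branch
    return 'argon2' if $value =~ m{\A\$argon2(?:id|i|d)\$};

    # Assumption: legacy hashes are md5_base64 output (22 chars, no padding).
    # A 22-character plaintext in this alphabet looks identical, so a caller
    # that knows where the value came from should pass the scheme explicitly.
    return 'md5_base64' if $value =~ m{\A[A-Za-z0-9+/]{22}\z};

    return 'plaintext';
}

# Constructed sample values (not real credentials)
my %samples = (
    'legacy md5'        => md5_base64('correct horse'),
    'bcrypt 2a'         => '$2a$08$' . ( 'a' x 53 ),
    'bcrypt 2y'         => '$2y$10$' . ( 'b' x 53 ),
    'argon2id'          => '$argon2id$v=19$m=65536,t=3,p=1$c2FsdHNhbHQ$' . ( 'c' x 43 ),
    'plaintext w/ $2a$' => 'pa$2a$ss',
);

for my $name ( sort keys %samples ) {
    my $v = $samples{$name};

    # The test quoted in the comment: no match means the value gets hashed
    my $quoted_test = ( $v !~ /\$2a\$/ ) ? 'hash it' : 'already hashed';
    printf "%-18s quoted test: %-15s scheme: %s\n",
        $name, $quoted_test, classify_stored_password($v);
}
```

In the output, the legacy MD5, `$2y$` and Argon2 samples are all marked "hash it" by the quoted test, and the plaintext sample containing `$2a$` is marked "already hashed".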
