jenkins-bot has submitted this change and it was merged.
Change subject: Fix Bug54847.php for broken hashes
......................................................................
Fix Bug54847.php for broken hashes
Change-Id: I2ceae4cda8d591af8bfe2e9d1bce645f296ba945
---
M wmf-config/Bug54847.php
1 file changed, 48 insertions(+), 41 deletions(-)
Approvals:
Hoo man: Looks good to me, approved
Legoktm: Looks good to me, but someone else must approve
jenkins-bot: Verified
diff --git a/wmf-config/Bug54847.php b/wmf-config/Bug54847.php
index ed3d4e3..6b056db 100644
--- a/wmf-config/Bug54847.php
+++ b/wmf-config/Bug54847.php
@@ -155,39 +155,53 @@
// Ensure that the user is not attempting to set their existing
password as
// the new password.
- if ( $isGlobal ) {
- $centralUser = CentralAuthUser::getInstance( $user );
- list( $salt, $crypt ) = $centralUser->getPasswordHash();
- //if ( $centralUser->matchHash( $newpassword, $salt, $crypt ) )
{
- if ( User::comparePasswords( $crypt, $newpassword, $salt ) ) {
- wfDebugLog( "Bug54847", "User attempted to reset with
CentralAuth password: " . $user->getName() );
- $errorMsg = 'password-recycled';
- return false;
- }
+ try {
+ if ( $isGlobal ) {
+ $centralUser = CentralAuthUser::getInstance( $user );
+ list( $salt, $crypt ) = $centralUser->getPasswordHash();
+ //if ( $centralUser->matchHash( $newpassword, $salt,
$crypt ) ) {
+ if ( User::comparePasswords( $crypt, $newpassword,
$salt ) ) {
+ wfDebugLog( "Bug54847", "User attempted to
reset with CentralAuth password: " . $user->getName() );
+ $errorMsg = 'password-recycled';
+ return false;
+ }
- // Next, ensure that the user is not attempting to set a
password that was on another
- // wiki that had its hash leaked
- $dbw = CentralAuthUser::getCentralDB();
- $result = $dbw->select(
- 'bug_54847_password_resets',
- array( 'r_wiki', 'r_reset' ),
- array( 'r_username' => $user->getName(),
- 'r_reset is null'
- ),
- __METHOD__
- );
+ // Next, ensure that the user is not attempting to set
a password that was on another
+ // wiki that had its hash leaked
+ $dbw = CentralAuthUser::getCentralDB();
+ $result = $dbw->select(
+ 'bug_54847_password_resets',
+ array( 'r_wiki', 'r_reset' ),
+ array( 'r_username' => $user->getName(),
+ 'r_reset is null'
+ ),
+ __METHOD__
+ );
- $affectedWikis = array();
- foreach ( $result as $row ) {
- $affectedWikis[] = $row->r_wiki;
- }
- $leakedAttached = array_intersect( $affectedWikis,
$centralUser->listAttached() );
+ $affectedWikis = array();
+ foreach ( $result as $row ) {
+ $affectedWikis[] = $row->r_wiki;
+ }
+ $leakedAttached = array_intersect( $affectedWikis,
$centralUser->listAttached() );
- foreach ( $leakedAttached as $leakedAttachedWiki ) {
- $localDB = wfGetLB( $leakedAttachedWiki
)->getConnection( DB_SLAVE , array(), $leakedAttachedWiki );
- $res = $localDB->selectRow( 'user',
+ foreach ( $leakedAttached as $leakedAttachedWiki ) {
+ $localDB = wfGetLB( $leakedAttachedWiki
)->getConnection( DB_SLAVE , array(), $leakedAttachedWiki );
+ $res = $localDB->selectRow( 'user',
+ array( 'user_password' ),
+ array( 'user_name' =>
$centralUser->mName ),
+ __METHOD__
+ );
+ if ( $res !== false && User::comparePasswords(
$res->user_password, $newpassword ) ) {
+ $errorMsg = 'password-recycled';
+ return false;
+ }
+ }
+
+ } else {
+ $dbr = wfGetDB( DB_SLAVE );
+ $res = $dbr->selectRow( 'user',
array( 'user_password' ),
- array( 'user_name' => $centralUser->mName ),
+ array( 'user_name' => $user->getName() ),
__METHOD__
);
if ( $res !== false && User::comparePasswords(
$res->user_password, $newpassword ) ) {
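Review bot: The `try` opened before `if ( $isGlobal )` spans every comparison, so a `PasswordError` from the CentralAuth hash or from one attached wiki's row (presumably raised by `User::comparePasswords` on a malformed hash) skips the checks for every remaining entry in `$leakedAttached`. A broken hash on an early wiki therefore means a password leaked from a later wiki is never compared and would not be rejected as recycled. Catching per comparison inside the `foreach` keeps the other wikis checked and lets the log name the wiki that holds the bad hash. The matching `catch` is in the following hunk, and the enclosing function starts outside this hunk.

```php
foreach ( $leakedAttached as $leakedAttachedWiki ) {
	// … unchanged: $localDB connection and selectRow on 'user' …
	try {
		$recycled = $res !== false
			&& User::comparePasswords( $res->user_password, $newpassword );
	} catch ( PasswordError $ex ) {
		// One unreadable hash must not stop the remaining wikis from being checked.
		wfDebugLog( "Bug54847", "Invalid hash on $leakedAttachedWiki (" .
			$ex->getMessage() . "): " . $user->getName() );
		continue;
	}
	if ( $recycled ) {
		$errorMsg = 'password-recycled';
		return false;
	}
}
```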
@@ -195,18 +209,11 @@
return false;
}
}
-
- } else {
- $dbr = wfGetDB( DB_SLAVE );
- $res = $dbr->selectRow( 'user',
- array( 'user_password' ),
- array( 'user_name' => $user->getName() ),
- __METHOD__
- );
- if ( $res !== false && User::comparePasswords(
$res->user_password, $newpassword ) ) {
- $errorMsg = 'password-recycled';
- return false;
- }
+ } catch( PasswordError $ex ) {
+ // Just ignore this: Might be that a wiki has some very old or
broken hash... not
+ // very likely that the user is using that as a password, so
just ignoring it is
+ // bearable.
+ wfDebugLog( "Bug54847", "User has invalid password (" .
$ex->getMessage() . "): " . $user->getName() );
}
// Everything looks ok, so lets assume the reset is going to go ok, and
don't flag this user in the future
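Review bot: After the `catch( PasswordError $ex )` block, control continues to the "Everything looks ok" path in the trailing context, so a check that was aborted partway is treated as passed and, per that comment, the user is no longer flagged. The comment in the catch should state this explicitly, e.g. `// NOTE: the remaining recycled-password checks are skipped and the reset is still accepted below.` The log line also omits which wiki or hash source failed, which makes the broken hash hard to locate, and since the content of `$ex->getMessage()` is not visible here it is worth confirming that it cannot include hash material. The code that stops flagging the user lies outside this hunk.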
--
To view, visit https://gerrit.wikimedia.org/r/181710
Gerrit-MessageType: merged
Gerrit-Change-Id: I2ceae4cda8d591af8bfe2e9d1bce645f296ba945
Gerrit-PatchSet: 1
Gerrit-Project: operations/mediawiki-config
Gerrit-Branch: master
Gerrit-Owner: Hoo man <[email protected]>
Gerrit-Reviewer: CSteipp <[email protected]>
Gerrit-Reviewer: Hoo man <[email protected]>
Gerrit-Reviewer: Legoktm <[email protected]>
Gerrit-Reviewer: jenkins-bot <>