From fe1e6d86cadb9002c8e25d9787b0a7a0065c79dd Mon Sep 17 00:00:00 2001
From: Jonathan Druart
Date: Mon, 7 Apr 2014 16:45:59 +0200
Subject: [PATCH] Bug 11944: Authentication

The password should be encoded before hashing.

Test plan:
- Before applying the patch, create a user with utf-8 in password
- apply patches
- try to log in
- change the password
- log out
- try to log in

Signed-off-by: Paola Rossi
Signed-off-by: Bernardo Gonzalez Kriegel
Signed-off-by: Dobrica Pavlinusic
Signed-off-by: Martin Renvoize
Signed-off-by: Tomas Cohen Arazi
---
 C4/Auth.pm        | 4 ++++
 Koha/AuthUtils.pm | 3 +++
 2 files changed, 7 insertions(+)

diff --git a/C4/Auth.pm b/C4/Auth.pm
index b808c663b5..493c8dfc3d 100644
--- a/C4/Auth.pm
+++ b/C4/Auth.pm
@@ -34,6 +34,7 @@ use C4::VirtualShelves;
 use Koha::AuthUtils qw(hash_password);
 use POSIX qw/strftime/;
 use List::MoreUtils qw/ any /;
+use Encode qw( encode is_utf8);
 # use utf8;
 use vars qw($VERSION @ISA @EXPORT @EXPORT_OK %EXPORT_TAGS $debug $ldap $cas $caslogout $shib $shib_login);
 
@@ -1650,6 +1651,9 @@ sub checkpw {
 sub checkpw_internal {
     my ( $dbh, $userid, $password ) = @_;
 
+    $password = Encode::encode( 'UTF-8', $password )
+      if Encode::is_utf8($password);
+
     if ( $userid && $userid eq C4::Context->config('user') ) {
         if ( $password && $password eq C4::Context->config('pass') ) {
             # Koha superuser account
diff --git a/Koha/AuthUtils.pm b/Koha/AuthUtils.pm
index a8024d928f..b748c1becc 100644
--- a/Koha/AuthUtils.pm
+++ b/Koha/AuthUtils.pm
@@ -19,6 +19,7 @@ package Koha::AuthUtils;
 
 use Modern::Perl;
 use Crypt::Eksblowfish::Bcrypt qw(bcrypt en_base64);
+use Encode qw( encode is_utf8 );
 use Fcntl qw/O_RDONLY/; # O_RDONLY is used in generate_salt
 
 use base 'Exporter';
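Review bot: The import list on the added `use Encode qw( encode is_utf8);` line is never used, because the new code in checkpw_internal calls `Encode::encode` and `Encode::is_utf8` by their fully qualified names; the same applies to the `use Encode qw( encode is_utf8 );` line added to Koha/AuthUtils.pm, where hash_password also uses the qualified names. Either import nothing with `use Encode ();` or call the imported `encode`/`is_utf8` unqualified at both call sites, so that the import and its use agree. Note the missing space before the closing paren in `is_utf8);` differs from the AuthUtils.pm spelling; worth making the two lines identical.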
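Review bot: Gating the encode on `Encode::is_utf8($password)` keys the behaviour on Perl's internal UTF8 flag rather than on the string's content, so the same password can reach the hash comparison as two different byte sequences: a decoded string carrying the flag is encoded, while a character string whose flag happens to be off (for example one holding only Latin-1 characters) or a string that already holds UTF-8 bytes is passed through unchanged. The Encode documentation marks is_utf8 as internal and not a test for "is this a text string"; the more robust shape is to decode the CGI parameter once at the request boundary and then unconditionally `$password = Encode::encode( 'UTF-8', $password );` here, or to state in a comment that callers must pass a decoded character string. The same pattern is added to hash_password in Koha/AuthUtils.pm. Separately, after the new lines `$password` is a byte string, so the superuser check `$password eq C4::Context->config('pass')` in the following context line will stop matching a non-ASCII password if C4::Context->config returns a decoded character string — worth confirming what config() returns for koha-conf.xml values. checkpw_internal continues past the end of the hunk.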
@@ -51,6 +52,8 @@ user passwords.
 # Using Bcrypt method for hashing. This can be changed to something else in future, if needed.
 sub hash_password {
     my $password = shift;
+    $password = Encode::encode( 'UTF-8', $password )
+      if Encode::is_utf8($password);
 
     # Generate a salt if one is not passed
     my $settings = shift;
-- 
2.39.5
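Review bot: hash_password now changes the representation of its input before hashing, but nothing in the surrounding comment or POD says what callers must pass, and the result depends on the UTF8 flag: a character string with the flag set and the equivalent string already holding UTF-8 bytes hash identically, while a flag-off character string containing non-ASCII characters hashes as its Latin-1 bytes and will not verify against the others. State the contract next to the new lines, for example `# Hash the UTF-8 bytes of the password. Pass a decoded character string; a string that already holds UTF-8 bytes (UTF8 flag off) is used as-is.` It is also worth a one-line note that bcrypt uses at most the first 72 bytes of the key, so encoding lowers the effective limit in characters for non-ASCII passwords. hash_password's body continues past the end of the hunk, so the stored-hash comparison path is not visible here.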