From 12643aa745e3d7a49c4a42e3e5fed4e6910e12a2 Mon Sep 17 00:00:00 2001
From: Srdjan
Date: Mon, 26 Aug 2013 17:01:20 +1200
Subject: [PATCH] bug 9611: use checkpw_hash() instead of md5 hash for SIP2 logins
Test: * SIP: Have an old user and create a new user - use either tenet sip test or C4/SIP/interactive_patron_check_password.pl to check old userid/password - do the same for the new user
Signed-off-by: Bernardo Gonzalez Kriegel
Work as described Test 1) using perl C4/SIP/interactive_patron_check_password.pl can check current (short) and new (long) passwords
Signed-off-by: Kyle M Hall
Signed-off-by: Galen Charlton
---
 C4/SIP/ILS/Patron.pm | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)
diff --git a/C4/SIP/ILS/Patron.pm b/C4/SIP/ILS/Patron.pm
index b9f06599e4..1155d51956 100644
--- a/C4/SIP/ILS/Patron.pm
+++ b/C4/SIP/ILS/Patron.pm
@@ -21,8 +21,8 @@ use C4::Koha;
 use C4::Members;
 use C4::Reserves;
 use C4::Branch qw(GetBranchName);
-use Digest::MD5 qw(md5_base64);
 use C4::Items qw( GetBarcodeFromItemnumber GetItemnumbersForBiblio);
+use C4::Auth qw(checkpw_hash);
 our $VERSION = 3.07.00.049;
@@ -40,7 +40,7 @@ sub new {
 }
 $kp = GetMemberDetails($kp->{borrowernumber});
 $debug and warn "new Patron (GetMemberDetails): " . Dumper($kp);
- my $pw = $kp->{password}; ### FIXME - md5hash -- deal with .
+ my $pw = $kp->{password};
 my $flags = $kp->{flags}; # or warn "Warning: No flags from patron object for '$patron_id'";
 my $debarred = defined($kp->{flags}->{DBARRED});
 $debug and warn sprintf("Debarred = %s : ", ($debarred||'undef')) . Dumper(%{$kp->{flags}});
@@ -189,11 +189,13 @@ sub AUTOLOAD {
 sub check_password {
 my ($self, $pwd) = @_;
- my $md5pwd = $self->{password};
+ defined $pwd or return 0; # you gotta give me something (at least ''), or no deal
+
+ my $hashed_pwd = $self->{password};
+ defined $hashed_pwd or return $pwd eq ''; # if the record has a NULL password, accept '' as match
+
 # warn sprintf "check_password for %s: '%s' vs. '%s'",($self->{name}||''),($self->{password}||''),($pwd||'');
- (defined $pwd ) or return 0; # you gotta give me something (at least ''), or no deal
- (defined $md5pwd) or return($pwd eq ''); # if the record has a NULL password, accept '' as match
- return (md5_base64($pwd) eq $md5pwd);
+ return checkpw_hash($pwd, $hashed_pwd);
 }
 # A few special cases, not in AUTOLOADed %fields
-- 
2.39.5
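Review bot: In the new check_password body the three exits return differently shaped values — `0` from the `defined $pwd` guard, the `''`/`1` of `$pwd eq ''` when the stored password is NULL, and whatever checkpw_hash() yields — so a caller that compares with `== 0` or logs the result sees a different value per branch; normalising the two new tails to `defined $hashed_pwd or return $pwd eq '' ? 1 : 0;` and `return checkpw_hash($pwd, $hashed_pwd) ? 1 : 0;` gives the method one boolean contract. The NULL-stored-password-accepts-'' branch is inherited from the old code and sits in front of the hash check, so a comment stating that this is intended SIP behaviour for patrons without a password, rather than an oversight, would help the next reader. A short comment above the sub, such as `# Delegate to C4::Auth::checkpw_hash so legacy MD5 and newer hashed passwords are both verified`, would record why the md5_base64 comparison was dropped; I am inferring checkpw_hash's format handling from the commit message rather than from this hunk.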