[Rt-commit] rt branch, 4.0/non-ascii-password, created. rt-4.0.19-42-g2d3e94c

Wallace Reis wreis at bestpractical.com
Mon Feb 24 15:43:29 EST 2014 

The branch, 4.0/non-ascii-password has been created
        at  2d3e94ce9b2a32a274cf7eea94434c2d2b199602 (commit)

- Log -----------------------------------------------------------------
commit 60dc4b166da34da6d87d956ff1c87cf08d83e412
Author: Wallace Reis <wreis at bestpractical.com>
Date:   Mon Feb 24 16:55:19 2014 -0300

    I#28784: Tests for non-ASCII character in password
    
    Reproduce the following error:
    
      Wide character in subroutine entry at lib/RT/User.pm line 1002.

diff --git a/t/api/password-types.t b/t/api/password-types.t
index e5155e3..10a874a 100644
--- a/t/api/password-types.t
+++ b/t/api/password-types.t
@@ -3,6 +3,8 @@ use warnings;
 
 use RT::Test;
 use Digest::MD5;
+use Encode 'encode_utf8';
+use utf8;
 
 my $default = "sha512";
 
@@ -38,3 +40,12 @@ my $trunc = MIME::Base64::encode_base64(
 $root->_Set( Field => "Password", Value => $trunc);
 ok($root->IsPassword("secret"), "Unsalted MD5 base64 works");
 like($root->__Value("Password"), qr/^\!$default\!/, "And is now upgraded to salted $default");
+
+# Non-ASCII salted truncated SHA-256
+my $non_ascii_trunc = MIME::Base64::encode_base64(
+    "salt" . substr(Digest::SHA::sha256("salt".Digest::MD5::md5(encode_utf8("áěšý"))),0,26),
+    ""
+);
+$root->_Set( Field => "Password", Value => $non_ascii_trunc);
+ok($root->IsPassword("áěšý"), "Unsalted MD5 base64 works");
+like($root->__Value("Password"), qr/^\!$default\!/, "And is now upgraded to salted $default");

commit 2d3e94ce9b2a32a274cf7eea94434c2d2b199602
Author: Wallace Reis <wreis at bestpractical.com>
Date:   Mon Feb 24 17:33:04 2014 -0300

    I#28784: Handle non-ASCII character in passwod
    
    The md5 method expects a sequence of bytes.

diff --git a/lib/RT/User.pm b/lib/RT/User.pm
index d0f7523..95fe9a2 100644
--- a/lib/RT/User.pm
+++ b/lib/RT/User.pm
@@ -957,7 +957,7 @@ sub IsPassword {
         my $hash = MIME::Base64::decode_base64($stored);
         # Decoding yields 30 byes; first 4 are the salt, the rest are substr(SHA256,0,26)
         my $salt = substr($hash, 0, 4, "");
-        return 0 unless substr(Digest::SHA::sha256($salt . Digest::MD5::md5($value)), 0, 26) eq $hash;
+        return 0 unless substr(Digest::SHA::sha256($salt . Digest::MD5::md5(encode_utf8($value))), 0, 26) eq $hash;
     } elsif (length $stored == 32) {
         # Hex nonsalted-md5
         return 0 unless Digest::MD5::md5_hex(encode_utf8($value)) eq $stored;

-----------------------------------------------------------------------

More information about the rt-commit mailing list