MyBB Community Forums

Full Version: Duplicate code or magic? (ninja md5 somewhere)
(2015-06-11, 02:22 PM)cronhound Wrote: [ -> ]
(2015-06-11, 02:19 PM)Ad Bakker Wrote: [ -> ]
(2015-06-11, 04:48 AM)cronhound Wrote: [ -> ]Basically, I'm looking for the random md5 that gets used when the user updates their password, from what I can tell, the password is changed through the "user" datahandler.

md5 is a regular php function.

I am aware that md5 is a regular php function.

I am asking where the function is used.

I have a slight suspicion as to what the problem is, I'll check and edit this post with the results.

in member.php and inc/functions.php
(2015-06-11, 02:25 PM)Ad Bakker Wrote: [ -> ]
in member.php and inc/functions.php

To clarify, again: where the function is used in relation to the usercp's change password feature.

I think inc/datahandlers/user.php line 205 and on

user_cp -> validate_user -> verify_password
(2015-06-11, 02:40 PM)Ad Bakker Wrote: [ -> ]I think inc/datahandlers/user.php line 205 and on

Yep. That is what I thought, until I modified the file, removing the md5 function completely. Yet the password is still getting stored in the database as md5 for no apparent reason.

This is the only part of my code that I have converted to bcrypt, that does not work.

I would do some debugging to follow the program flow, I do not see how this can be done elsewhere.

check line 115 of inc/functions_user.php
(2015-06-11, 02:55 PM)mikeorman Wrote: [ -> ]check line 115 of inc/functions_user.php

I do not see that in the line of flow, but perhaps I'm wrong. That's why I would do some debugging.

(2015-06-11, 02:51 PM)Ad Bakker Wrote: [ -> ]I would do some debugging to follow the program flow, I do not see how this can be done elsewhere.
Doing that right now. I added a 'var_dump(debug_backtrace());die();' after '$plugins->run_hooks("usercp_do_password_end");' in usercp.php, but at that point it still appears to be using bcrypt:
Array
(
    [0] => Array
        (
            [file] => /var/www/lewd.sx/mybb/usercp.php
            [line] => 1321
            [function] => update_user
            [class] => UserDataHandler
            [object] => UserDataHandler Object
                (
                    [language_file] => datahandler_user
                    [language_prefix] => userdata
                    [user_insert_data] => Array
                        (
                        )

                    [user_update_data] => Array
                        (
                            [password] => MY BCRYPT HASH
                            [salt] => 
                            [loginkey] => MY LOGIN KEY
                        )

                    [uid] => 1
                    [return_values] => Array
                        (
                        )

                    [data] => Array
                        (
                            [uid] => 1
                            [password] => MY PLAINTEXT PASSWORD
                            [password2] => MY PLAINTEXT PASSWORD
                            [saltedpw] => MY BCRYPT HASH
                            [loginkey] => MY LOGIN KEY
                        )

                    [is_validated] => 1
                    [errors] => Array
                        (
                        )

                    [admin_override] => 
                    [method] => update
                )

            [type] => ->
            [args] => Array
                (
                )

        )

)

(2015-06-11, 02:55 PM)mikeorman Wrote: [ -> ]check line 115 of inc/functions_user.php

I have modified that section and it should no longer be using md5: https://github.com/lewd-sx/lewd.sx/blob/...#L115,L143

Alright guys, I think I've found the issue, it'll be mildly hilarious if I'm correct. Gimme a sec.

Yep, definitely found it.

mikeorman, you were half right while being wrong. :D

What was happening was:

When I was updating the password, I wasn't assigning a new salt, thinking that it wasn't needed because I don't use salted md5 anymore.

Then, when my users were logging in, MyBB would notice that there's no salt and assume it was plain md5. So it would then "update" the password by salting the "md5" hash (which was really a bcrypt hash).

So this was more or less a pebkac error. I have a fix in place, which will do until I deprecate the md5 hashes completely within the next day or so.
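
The failure mode described in the last post, modelled as an added example that is not part of the thread and is not MyBB's code. The function names, the `md5(md5(salt) . hash)` formula and the sample rows are assumptions made for illustration.

```php
<?php
// Added illustration, not MyBB code. Function names and the salting formula
// md5(md5(salt) . hash) are assumptions used to model the legacy scheme.

function legacy_salt_hash(string $storedHash, string $salt): string
{
    return md5(md5($salt) . $storedHash);
}

// Login-time upgrade as described in the thread: an empty salt is taken to
// mean "plain md5", so whatever is in the password column gets salted.
function upgrade_on_login_naive(array $user): array
{
    if ($user['salt'] === '') {
        $user['salt'] = bin2hex(random_bytes(4));
        $user['password'] = legacy_salt_hash($user['password'], $user['salt']);
    }
    return $user;
}

// Safer variant: look at the stored hash's format before touching it.
function upgrade_on_login_checked(array $user): array
{
    $isModern = password_get_info($user['password'])['algoName'] !== 'unknown';
    $looksLikeMd5 = preg_match('/^[0-9a-f]{32}$/i', $user['password']) === 1;
    if (!$isModern && $looksLikeMd5 && $user['salt'] === '') {
        $user['salt'] = bin2hex(random_bytes(4));
        $user['password'] = legacy_salt_hash($user['password'], $user['salt']);
    }
    return $user;
}

// Constructed sample rows: one bcrypt account saved without a salt (the
// situation in the thread) and one genuine unsalted-md5 legacy account.
$bcryptUser = ['password' => password_hash('hunter2-sample', PASSWORD_BCRYPT), 'salt' => ''];
$legacyUser = ['password' => md5('hunter2-sample'), 'salt' => ''];

$clobbered = upgrade_on_login_naive($bcryptUser);
$preserved = upgrade_on_login_checked($bcryptUser);
$migrated  = upgrade_on_login_checked($legacyUser);

// The naive path replaces the bcrypt hash with a 32-char md5 digest.
printf("naive:   len=%d verifies=%s\n", strlen($clobbered['password']),
    var_export(password_verify('hunter2-sample', $clobbered['password']), true));
// The checked path leaves bcrypt alone and still salts the real md5 row.
printf("checked: len=%d verifies=%s\n", strlen($preserved['password']),
    var_export(password_verify('hunter2-sample', $preserved['password']), true));
printf("legacy:  salted=%s\n", var_export($migrated['salt'] !== '', true));
```

Keying the migration on the stored hash's format, rather than on whether the salt column is empty, lets bcrypt and legacy md5 rows coexist until the md5 hashes are retired.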