[#3739] customsql auth driver does not work with encryption schemes using salt
Summary customsql auth driver does not work with encryption schemes using salt
Queue Horde Framework Packages
Queue Version HEAD
Type Bug
State Resolved
Priority 1. Low
Owners Horde Developers (at) , chuck (at) horde (dot) org
Requester dorm (at) dorm (dot) org
Created 04/05/2006 (7098 days ago)
Due
Updated 05/24/2006 (7049 days ago)
Assigned 04/08/2006 (7095 days ago)
Resolved 05/22/2006 (7051 days ago)
Github Issue Link
Github Pull Request
Milestone
Patch No

History
05/24/2006 10:09:57 PM Chuck Hagenbuch Comment #7
:P
05/24/2006 10:06:21 PM dorm (at) dorm (dot) org Comment #6
One more. :)  Variable names in PHP are case sensitive.



@@ -298,7 +298,7 @@

      {

          /* Retrieve the old password in case we need the salt. */

          $query = $this->_params['query_getpw'];

-        $query = str_replace('\L', $this->_db->quote($userID), $query);

+        $query = str_replace('\L', $this->_db->quote($userId), $query);

          $pw = $this->_db->getOne($query);

          if (is_a($pw, 'PEAR_Error')) {

              Horde::logMessage($pw, __FILE__, __LINE__, PEAR_LOG_ERR);
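Review bot: On the removed line, `$userID` is an undefined variable rather than a syntax error, so PHP raises at most a notice and the salt lookup runs with an unset login instead of failing. The same substitution line was already corrected once in the earlier patch on this ticket, so consider a regression test that authenticates against a salted scheme through this path, and run the tests with notices enabled so an undefined variable surfaces immediately.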


05/23/2006 10:37:11 PM Chuck Hagenbuch Comment #5
Ugh, indeed. Fixes are committed, thanks.
05/23/2006 04:06:52 PM dorm (at) dorm (dot) org Comment #4
Looks good, but I think there are a couple typos.  See patch below.



--- customsql.php.1.24  2006-05-23 09:43:00.636912864 -0600

+++ customsql.php       2006-05-23 09:48:52.369441392 -0600

@@ -113,7 +113,7 @@

          $query = str_replace('\L', $this->_db->quote($userId), $query);

          $query = str_replace('\P', 
$this->_db->quote($this->getCryptedPassword(

                                                           
$credentials['password'],

-                                                         
$this->_getPassword(),

+                                                         
$this->_getPassword($userId),

                                                           
$this->_params['encryption'],

                                                           
$this->_params['show_encryption'])), $query);
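Review bot: At the changed line, the return value of `$this->_getPassword($userId)` goes straight into `getCryptedPassword()` as the salt, with no check between the lookup and the `\P` substitution. If the lookup fails or finds no row for the login, the query is still built from a hash computed with an unusable salt. Suggest fetching the stored password into a variable first and returning an authentication failure before the `str_replace('\P', ...)` call when that value is empty or an error.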



@@ -298,7 +298,7 @@

      {

          /* Retrieve the old password in case we need the salt. */

          $query = $this->_params['query_getpw'];

-        $query = str_replace('\L', $this->_db->quote($oldID), $query);

+        $query = str_replace('\L', $this->_db->quote($userId), $query);

          $pw = $this->_db->getOne($query);

          if (is_a($pw, 'PEAR_Error')) {

              Horde::logMessage($pw, __FILE__, __LINE__, PEAR_LOG_ERR);
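Review bot: After `$pw = $this->_db->getOne($query);` the lines shown handle only the `PEAR_Error` case. A `query_getpw` that matches no row for the login does not produce an error object, so it needs its own branch here (log it and return a value the caller can treat as a failed login) rather than falling through as if a salt source had been found.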
05/22/2006 04:07:44 AM Chuck Hagenbuch Comment #3
State ⇒ Resolved
I've fixed it by adding a more general getpw method - please take a 
look in CVS.
05/18/2006 08:54:39 PM Chuck Hagenbuch Assigned to Chuck Hagenbuch
 
05/02/2006 10:14:27 PM dorm (at) dorm (dot) org Comment #2
New Attachment: customsql.php.1.16.10.8.patch
This backend also does not check if a userId exists before creating 
the user.  This can lead to duplicate user accounts in the DB.  Not 
sure if backends are supposed to do this or not... but admin/users.php 
doesn't check, so I thought it would fit here.



Attached is a patch against 1.16.10.8 that fixes both issues in this bug.


04/08/2006 09:36:16 AM Jan Schneider Assigned to Horde Developers
State ⇒ Assigned
 
04/05/2006 05:31:36 PM dorm (at) dorm (dot) org Comment #1
Priority ⇒ 1. Low
Type ⇒ Bug
Summary ⇒ customsql auth driver does not work with encryption schemes using salt
Queue ⇒ Horde Framework Packages
State ⇒ Unconfirmed
The customsql auth driver does not work with encryption schemes using 
a salt.  This is because the salt used for the current encrypted 
password is required in order to validate the plaintext password 
entered by the user.



customsql.php calls Auth::getCryptedPassword with a salt value of '', 
and then authentication fails.



It needs to query the encrypted password from the DB and use that 
value in the Auth::getCryptedPassword call.   This adds an extra SQL 
query, but it is necessary to get the current salt.
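
The failure described in this report, as an added example that is not Horde's code and not part of the original ticket: a salted hash can only be re-derived with the salt embedded in the stored value, so hashing the login attempt with a salt of '' never matches. The function names and the SSHA layout (base64 of the SHA-1 digest followed by a 4-byte salt) are assumptions chosen for illustration.

```php
<?php
// Added illustration, not Horde code. ssha_hash(), ssha_salt() and the two
// verify_* functions are hypothetical names. Assumed SSHA layout:
// '{SSHA}' . base64(sha1(password . salt) . salt).
function ssha_hash(string $plain, string $salt): string
{
    return '{SSHA}' . base64_encode(sha1($plain . $salt, true) . $salt);
}

// Recover the salt from a stored value: the bytes after the 20-byte digest.
function ssha_salt(string $stored): ?string
{
    if (strncmp($stored, '{SSHA}', 6) !== 0) {
        return null;
    }
    $raw = base64_decode(substr($stored, 6), true);
    if ($raw === false || strlen($raw) <= 20) {
        return null;
    }
    return substr($raw, 20);
}

// Behaviour described in the report: hash the login attempt with salt ''.
function verify_with_empty_salt(string $plain, string $stored): bool
{
    return hash_equals($stored, ssha_hash($plain, ''));
}

// Behaviour the report asks for: look up the stored value, reuse its salt.
function verify_with_stored_salt(string $plain, ?string $stored): bool
{
    if ($stored === null) {      // no row for this login: fail closed
        return false;
    }
    $salt = ssha_salt($stored);
    if ($salt === null) {        // malformed or unsalted value: fail closed
        return false;
    }
    return hash_equals($stored, ssha_hash($plain, $salt));
}

// Constructed sample: what the password column would hold for one user.
$stored = ssha_hash('correct horse', random_bytes(4));

var_dump(verify_with_empty_salt('correct horse', $stored));
var_dump(verify_with_stored_salt('correct horse', $stored));
var_dump(verify_with_stored_salt('wrong guess', $stored));
var_dump(verify_with_stored_salt('correct horse', null));
```

Only the second call accepts the login; the last call shows the missing-user case being rejected before any salt is extracted.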

