  1. Moodle
  2. MDL-38102

New password hashing method fails

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Blocker
    • Resolution: Fixed
    • Affects Version/s: 2.5
    • Fix Version/s: 2.5
    • Component/s: Authentication
    • Labels:
    • Testing Instructions:

      Not that easy, I guess you could:

      1. Add the line:

      return null;

      as the first line of the password_hash() function in lib/password_compat/lib/password.php

      2. Create a new user

      Existing behaviour

      The creation will fail with the error:

      Error writing to database
       
      More information about this error
       
      Debug info: Column 'password' cannot be null
      INSERT INTO mdl_user (username,auth,suspended,firstname,lastname,email,maildisplay,mailformat,maildigest,autosubscribe,trackforums,htmleditor,city,country,timezone,lang,imagealt,url,icq,skype,aim,yahoo,msn,idnumber,institution,department,phone1,phone2,address,timemodified,description,descriptionformat,mnethostid,confirmed,timecreated,password) VALUES(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?)
      [array (
      0 => 'tests',
      1 => 'manual',
      2 => '0',
      3 => 'testets',
      4 => 'setse',
      5 => 'teses@tes.com',
      6 => '2',
      7 => '1',
      8 => '0',
      9 => '1',
      10 => '0',
      11 => '1',
      12 => 'tset',
      13 => 'AL',
      14 => '99',
      15 => 'en',
      16 => '',
      17 => '',
      18 => '',
      19 => '',
      20 => '',
      21 => '',
      22 => '',
      23 => '',
      24 => '',
      25 => '',
      26 => '',
      27 => '',
      28 => '',
      29 => 1365581538,
      30 => '',
      31 => '1',
      32 => '1',
      33 => 1,
      34 => 1365581538,
      35 => NULL,
      )]
      Error code: dmlwriteexception
      Stack trace:
      line 429 of /lib/dml/moodle_database.php: dml_write_exception thrown
      line 1089 of /lib/dml/mysqli_native_moodle_database.php: call to moodle_database->query_end()
      line 1131 of /lib/dml/mysqli_native_moodle_database.php: call to mysqli_native_moodle_database->insert_record_raw()
      line 173 of /user/editadvanced.php: call to mysqli_native_moodle_database->insert_record()
      

      Behaviour with patch

      An exception will be thrown but instead the error will be:

      error/Failed to generate password hash.
       
      More information about this error
       
      Debug info: 
      Error code: Failed to generate password hash.
      $a contents:
      Stack trace:
      line 4487 of /lib/moodlelib.php: moodle_exception thrown
      line 172 of /user/editadvanced.php: call to hash_internal_user_password()
      

    • Affected Branches:
      MOODLE_25_STABLE
    • Fixed Branches:
      MOODLE_25_STABLE
    • Pull from Repository:
      git@github.com:totara/moodle.git
    • Pull Master Branch:
      master_MDL-38102

      Description

      On MacOS 10.7.3 with PHP 5.3.8, a moodle_exception is raised while trying to hash the old MD5 password after login:

      Debug info:
      Error code: Failed to generate password hash.
      $a contents:
      Stack trace:
       
          line 4457 of /lib/moodlelib.php: moodle_exception thrown
          line 4492 of /lib/moodlelib.php: call to hash_internal_user_password()
          line 4418 of /lib/moodlelib.php: call to update_internal_user_password()
          line 62 of /auth/manual/auth.php: call to validate_internal_user_password()
          line 4199 of /lib/moodlelib.php: call to auth_plugin_manual->user_login()
          line 133 of /login/index.php: call to authenticate_user_login()
      

      • The $password passed is test
      • The $hash right before the line '$ret = crypt(...)' is: $2y$10$yKPv9N0zLo7fEzVZKV4npL
      • The $ret is then: $2rcByx51ejoM
      • And the exception is raised.

      That also made me realise that if this function returns null, which can happen, we would (try to) save a null password in the database.

      Worst case scenario, we should probably output a debug developer notice and fall back on MD5() to prevent websites from being broken because of an empty hash.

      I don't have the logs here any more, but I'll post more details here if I have more information.
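
The report's two concerns (a short, non-bcrypt value coming back from crypt(), and a null reaching the password column) can both be caught by validating the hash before it is stored. The following is an added example, not Moodle's or password_compat's code; the function names are hypothetical, and it assumes password_hash() and password_verify() are available, either natively or through password_compat.

```php
<?php
// Added example: fail closed when hash generation does not yield bcrypt.
// is_wellformed_bcrypt() and hash_password_or_fail() are hypothetical names.

/**
 * True only for a string shaped like a $2y$ bcrypt hash:
 * "$2y$" + two-digit cost (04-31) + "$" + 53 characters of
 * [./A-Za-z0-9] (22 salt + 31 digest), 60 characters in total.
 */
function is_wellformed_bcrypt($hash) {
    return is_string($hash)
        && preg_match('#^\$2y\$(0[4-9]|[12][0-9]|3[01])\$[./A-Za-z0-9]{53}$#D', $hash) === 1;
}

/**
 * Hash a password, refusing to return null, false, or the output of
 * a fallback algorithm. The caller never sees a value that is unsafe
 * to write to the password column.
 */
function hash_password_or_fail($password, $cost = 10) {
    $hash = password_hash($password, PASSWORD_BCRYPT, array('cost' => $cost));

    // Shape check first, then a round trip: the stored value must
    // verify against the password it was generated from.
    if (!is_wellformed_bcrypt($hash) || !password_verify($password, $hash)) {
        throw new RuntimeException('Failed to generate password hash.');
    }
    return $hash;
}

// Checks against the values quoted in the report.
var_dump(is_wellformed_bcrypt('$2rcByx51ejoM')); // the 13-character $ret
var_dump(is_wellformed_bcrypt(null));            // what would have reached the DB

// On a platform whose crypt() supports $2y$, this returns a 60-character
// hash; on one that does not, it throws instead of returning a bad value.
var_dump(is_wellformed_bcrypt(hash_password_or_fail('test')));
```

Running the last check on each deployment target is a quick way to learn whether that platform's crypt() handles the $2y$ prefix before any user logs in.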

                  Dates

                  • Created:
                    Updated:
                    Resolved:
                    Fix Release Date:
                    14/May/13