Merge "Add CollationFa"

[lhc/web/wiklou.git] / includes / user / BotPassword.php

diff --git a/includes/user/BotPassword.php b/includes/user/BotPassword.php
index 0bbe12e..57610fc 100644 (file)
--- a/includes/user/BotPassword.php
+++ b/includes/user/BotPassword.php
@@ -68,7 +68,7 @@ class BotPassword implements IDBAccessObject {
        /**
         * Get a database connection for the bot passwords database
         * @param int $db Index of the connection to get, e.g. DB_MASTER or DB_REPLICA.
-        * @return DatabaseBase
+        * @return Database
         */
        public static function getDB( $db ) {
                global $wgBotPasswordsCluster, $wgBotPasswordsDatabase;
@@ -411,11 +411,13 @@ class BotPassword implements IDBAccessObject {
         */
        public static function canonicalizeLoginData( $username, $password ) {
                $sep = BotPassword::getSeparator();
-               if ( strpos( $username, $sep ) !== false ) {
-                       // the separator is not valid in usernames so this must be a bot login
-                       return [ $username, $password, false ];
+               // the strlen check helps minimize the password information obtainable from timing
+               if ( strlen( $password ) >= 32 && strpos( $username, $sep ) !== false ) {
+                       // the separator is not valid in new usernames but might appear in legacy ones
+                       if ( preg_match( '/^[0-9a-w]{32,}$/', $password ) ) {
+                               return [ $username, $password, true ];
+                       }
                } elseif ( strlen( $password ) > 32 && strpos( $password, $sep ) !== false ) {
-                       // the strlen check helps minimize the password information obtainable from timing
                        $segments = explode( $sep, $password );
                        $password = array_pop( $segments );
                        $appId = implode( $sep, $segments );