From 2e909bcb5f0d8603fb3e8d4deb325eaa32d2f7fa Mon Sep 17 00:00:00 2001
From: "James D. Forrester"
Date: Fri, 12 Jul 2019 16:44:38 -0700
Subject: [PATCH] Drop wgPasswordSalt, deprecated since 1.24

Depends-On: Ic9952a1bd8563f218c3c581d4b206ebd6c6c9c44
Change-Id: I8b1d43aba62859645221caf5ff340903e4d61787
---
 RELEASE-NOTES-1.34 | 2 ++
 includes/DefaultSettings.php | 6 ------
 .../auth/LocalPasswordPrimaryAuthenticationProvider.php | 6 +-----
 .../LocalPasswordPrimaryAuthenticationProviderTest.php | 9 ---------
 4 files changed, 3 insertions(+), 20 deletions(-)

diff --git a/RELEASE-NOTES-1.34 b/RELEASE-NOTES-1.34
index 57d635e5ef..2809d38365 100644
--- a/RELEASE-NOTES-1.34
+++ b/RELEASE-NOTES-1.34
@@ -70,6 +70,8 @@ For notes on 1.33.x and older releases, see HISTORY.
 * $wgDebugPrintHttpHeaders - The default of including HTTP headers in the debug log channel is no longer configurable. The debug log itself remains configurable via $wgDebugLogFile.
+* $wgPasswordSalt – This setting, used for migrating exceptionally old, insecure
+ password setups and deprecated since 1.24, is now removed.
 === New user-facing features in 1.34 ===
 * Special:Mute has been added as a quick way for users to block unwanted emails
diff --git a/includes/DefaultSettings.php b/includes/DefaultSettings.php
index 107c546724..6a1f7b53c4 100644
--- a/includes/DefaultSettings.php
+++ b/includes/DefaultSettings.php
@@ -4710,12 +4710,6 @@ $wgRemoveCredentialsBlacklist = [
 \MediaWiki\Auth\PasswordAuthenticationRequest::class,
 ];
-/**
- * For compatibility with old installations set to false
- * @deprecated since 1.24 will be removed in future
- */
-$wgPasswordSalt = true;
-
 /**
 * Specifies the minimal length of a user password. If set to 0, empty pass-
 * words are allowed.
diff --git a/includes/auth/LocalPasswordPrimaryAuthenticationProvider.php b/includes/auth/LocalPasswordPrimaryAuthenticationProvider.php
index 7d02a826b1..aebfb226e5 100644
--- a/includes/auth/LocalPasswordPrimaryAuthenticationProvider.php
+++ b/includes/auth/LocalPasswordPrimaryAuthenticationProvider.php
@@ -113,11 +113,7 @@ class LocalPasswordPrimaryAuthenticationProvider
 // Check for *really* old password hashes that don't even have a type
 // The old hash format was just an md5 hex hash, with no type information
 if ( preg_match( '/^[0-9a-f]{32}$/', $row->user_password ) ) {
- if ( $this->config->get( 'PasswordSalt' ) ) {
- $row->user_password = ":B:{$row->user_id}:{$row->user_password}";
- } else {
- $row->user_password = ":A:{$row->user_password}";
- }
+ $row->user_password = ":B:{$row->user_id}:{$row->user_password}";
 }
 $status = $this->checkPasswordValidity( $username, $req->password );
diff --git a/tests/phpunit/includes/auth/LocalPasswordPrimaryAuthenticationProviderTest.php b/tests/phpunit/includes/auth/LocalPasswordPrimaryAuthenticationProviderTest.php
index 6d831f6a0a..4f875ce861 100644
--- a/tests/phpunit/includes/auth/LocalPasswordPrimaryAuthenticationProviderTest.php
+++ b/tests/phpunit/includes/auth/LocalPasswordPrimaryAuthenticationProviderTest.php
@@ -336,15 +336,6 @@ class LocalPasswordPrimaryAuthenticationProviderTest extends \MediaWikiTestCase
 );
 // Correct handling of really old password hashes
- $this->config->set( 'PasswordSalt', false );
- $password = md5( 'FooBar' );
- $dbw->update( 'user', [ 'user_password' => $password ], [ 'user_name' => $userName ] );
- $req->password = 'FooBar';
- $this->assertEquals(
- AuthenticationResponse::newPass( $userName ),
- $provider->beginPrimaryAuthentication( $reqs )
- );
- $this->config->set( 'PasswordSalt', true );
 $password = md5( "$id-" . md5( 'FooBar' ) );
 $dbw->update( 'user', [ 'user_password' => $password ], [ 'user_name' => $userName ] );
-- 
2.20.1
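Review bot: The unconditional `$row->user_password = ":B:{$row->user_id}:{$row->user_password}";` inside the `preg_match( '/^[0-9a-f]{32}$/', … )` branch changes what happens to untyped, unsalted MD5 rows (the old `:A:` path), and neither the two comments above the `if` nor any remaining test records that. As far as the visible lines show, such a row is now checked as a user-id-salted hash and will simply stop verifying; that fails closed, but to the affected user it is indistinguishable from a wrong password. I would extend the comment to say so, e.g. `// Untyped hashes are always assumed to be user-id-salted MD5 (:B:); unsalted rows from wikis that ran with $wgPasswordSalt = false no longer verify and need a password reset.` The test hunk further down removes the unsalted case outright; a negative assertion that a bare `md5( 'FooBar' )` row no longer produces `AuthenticationResponse::newPass( $userName )` would pin the new behaviour. The enclosing method starts and ends outside the hunk.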