Fixed IpsForums3x authentication does not handle failure gracefully

Xon

Affected version
2.0.10
  • ErrorException: [E_WARNING] hash_equals(): Expected known_string to be a string, null given
  • src/XF/Util/Php.php:238
  • Generated by: Unknown account
  • Oct 17, 2018 at 2:35 PM
Stack trace
#0 [internal function]: XF::handlePhpError(2, '[E_WARNING] has...', '/home/rpnation/...', 238, Array)
#1 src/XF/Util/Php.php(238): hash_equals(NULL, '3952d887d95bd48...')
#2 src/XF/Authentication/IpsForums3x.php(35): XF\Util\Php::hashEquals(NULL, '3952d887d95bd48...')
#3 src/XF/Entity/UserAuth.php(27): XF\Authentication\IpsForums3x->authenticate(1640, '....')
#4 src/XF/Service/User/Login.php(122): XF\Entity\UserAuth->authenticate('....')
#5 src/XF/Pub/Controller/Login.php(84): XF\Service\User\Login->validate('....', NULL)
#6 src/XF/Mvc/Dispatcher.php(249): XF\Pub\Controller\Login->actionLogin(Object(XF\Mvc\ParameterBag))
#7 src/XF/Mvc/Dispatcher.php(88): XF\Mvc\Dispatcher->dispatchClass('XF:Login', 'Login', 'html', Object(XF\Mvc\ParameterBag), '', Object(XF\Pub\Controller\Login), NULL)
#8 src/XF/Mvc/Dispatcher.php(41): XF\Mvc\Dispatcher->dispatchLoop(Object(XF\Mvc\RouteMatch))
#9 src/XF/App.php(1931): XF\Mvc\Dispatcher->run()
#10 src/XF.php(329): XF\App->run()
#11 index.php(13): XF::runApp('XF\\Pub\\App')
#12 {main}

(Password isn't '....' but it isn't actually that much better)

In XF\Authentication\IpsForums3x::authenticate
PHP:
if (!is_string($password) || $password === '' || empty($this->data))
{
   return false;
}

Should be (like IpsForums4x):
PHP:
if (!is_string($password) || $password === '' || empty($this->data) || !$this->data['hash'])
{
   return false;
}
 
Thank you for reporting this issue. The issue is now resolved and we are aiming to include that in the next XF release (2.0.11).

Change log:
Check for missing hash in IPSForums3x authent…
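
The guard discussed in this thread, shown as an added example that is not XenForo's code or part of the original posts: an auth handler that rejects a stored record with a missing or non-string hash before it reaches `hash_equals()`. The class name `LegacyAuthExample`, the SHA-256 placeholder digest and the sample records are assumptions constructed for the demo, and the check goes slightly beyond the truthiness test above by also verifying the type.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-in for a legacy-import auth handler; not XenForo's class.
final class LegacyAuthExample
{
    /** @var array|null stored auth record, e.g. ['hash' => ..., 'salt' => ...] */
    private $data;

    public function __construct(?array $data)
    {
        $this->data = $data;
    }

    public function authenticate(string $password): bool
    {
        if ($password === '' || empty($this->data)) {
            return false;
        }
        $hash = $this->data['hash'] ?? null;
        $salt = $this->data['salt'] ?? '';
        // Fail closed: hash_equals() needs two strings, so an imported row
        // with a NULL or empty hash is rejected before any comparison.
        if (!is_string($hash) || $hash === '' || !is_string($salt)) {
            return false;
        }
        return hash_equals($hash, $this->computeHash($password, $salt));
    }

    // Placeholder digest for the demo only (assumption, not the IPS 3.x scheme).
    private function computeHash(string $password, string $salt): string
    {
        return hash('sha256', $salt . $password);
    }
}

// Constructed sample records.
$salt = 'abc12';
$good = ['hash' => hash('sha256', $salt . 'correct horse'), 'salt' => $salt];
$cases = [
    'valid record, right password' => [$good, 'correct horse'],
    'valid record, wrong password' => [$good, 'nope'],
    'record with NULL hash'        => [['hash' => null, 'salt' => $salt], 'anything'],
    'record missing hash key'      => [['salt' => $salt], 'anything'],
    'no auth data at all'          => [null, 'anything'],
];
foreach ($cases as $label => [$data, $password]) {
    $ok = (new LegacyAuthExample($data))->authenticate($password);
    printf("%-30s => %s\n", $label, $ok ? 'accepted' : 'rejected');
}
```

Only the first case is accepted; the two records without a usable hash are rejected without raising the `hash_equals()` warning seen in the stack trace.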