Fixed IpsForums3x authentication does not handle failure gracefully

[Xon]

Affected version

2.0.10

• ErrorException: [E_WARNING] hash_equals(): Expected known_string to be a string, null given
• src/XF/Util/Php.php:238
• Generated by: Unknown account
• Oct 17, 2018 at 2:35 PM

Stack trace
#0 [internal function]: XF::handlePhpError(2, '[E_WARNING] has...', '/home/rpnation/...', 238, Array)
#1 src/XF/Util/Php.php(238): hash_equals(NULL, '3952d887d95bd48...')
#2 src/XF/Authentication/IpsForums3x.php(35): XF\Util\Php::hashEquals(NULL, '3952d887d95bd48...')
#3 src/XF/Entity/UserAuth.php(27): XF\Authentication\IpsForums3x->authenticate(1640, '....')
#4 src/XF/Service/User/Login.php(122): XF\Entity\UserAuth->authenticate('....')
#5 src/XF/Pub/Controller/Login.php(84): XF\Service\User\Login->validate('....', NULL)
#6 src/XF/Mvc/Dispatcher.php(249): XF\Pub\Controller\Login->actionLogin(Object(XF\Mvc\ParameterBag))
#7 src/XF/Mvc/Dispatcher.php(88): XF\Mvc\Dispatcher->dispatchClass('XF:Login', 'Login', 'html', Object(XF\Mvc\ParameterBag), '', Object(XF\Pub\Controller\Login), NULL)
#8 src/XF/Mvc/Dispatcher.php(41): XF\Mvc\Dispatcher->dispatchLoop(Object(XF\Mvc\RouteMatch))
#9 src/XF/App.php(1931): XF\Mvc\Dispatcher->run()
#10 src/XF.php(329): XF\App->run()
#11 index.php(13): XF::runApp('XF\\Pub\\App')
#12 {main}

(Password isn't '....' but it isn't actually that much better)

In XF\Authentication\IpsForums3x::authenticate

if (!is_string($password) || $password === '' || empty($this->data))
{
   return false;
}

Should be (like IpsForums4x);

if (!is_string($password) || $password === '' || empty($this->data) || !$this->data['hash'])
{
   return false;
}

 

[XF Bug Bot]

Thank you for reporting this issue. The issue is now resolved and we are aiming to include that in the next XF release (2.0.11).

Change log:

Check for missing hash in IPSForums3x authent…