Fixed phpBB3 password validation fails in some scenarios

Kirby

Well-known member
Affected version
2.2.9
The string unsed in phpBB for generating the password hash is not the raw user input.

Buried somewhat deep in phpBB input handling:
phpbb\request\type_cast_helper::set_var

PHP:
public function set_var(&$result, $var, $type, $multibyte = false, $trim = true)
{
    settype($var, $type);
    $result = $var;

    if ($type == 'string')
    {
        $result = str_replace(array("\r\n", "\r", "\0"), array("\n", "\n", ''), $result);

        if ($trim)
        {
            $result = trim($result);
        }

        $result = htmlspecialchars($result, ENT_COMPAT, 'UTF-8');

        if ($multibyte)
        {
            $result = utf8_normalize_nfc($result);
        }

        if (!empty($result))
        {
            // Make sure multibyte characters are wellformed
            if ($multibyte)
            {
                if (!preg_match('/^./u', $result))
                {
                    $result = '';
                }
            }
            else
            {
                // no multibyte, allow only ASCII (0-127)
                $result = preg_replace('/[\x80-\xFF]/', '?', $result);
            }
        }

        $result = ($this->strip) ? stripslashes($result) : $result;
    }
}

The preprocessing performed by this method causes validation to fail in XenForo as XenForo calculates the hash on raw user input.

$2y$10$Ij7U22PnYRa7MHgB99AjA.M2LncBiMc2CeqUSxDbZAcd46o31bXq2

This example hash for password TestäöüÄÖÜ!& taken from phpBB fails validation in XenForo.

Adding
PHP:
$password = str_replace(array("\r\n", "\r", "\0"), array("\n", "\n", ''), $password);
$password = htmlspecialchars($password, ENT_COMPAT, 'UTF-8');

if (!\Normalizer::isNormalized($password))
{
        $password = \Normalizer::normalize($password);
}
to XF\Authentication\PhpBb3::authenticate() before calculating the hash seems to fix this.
 
Thank you for reporting this issue, it has now been resolved. We are aiming to include any changes that have been made in a future XF release (2.2.11).

Change log:
Implement suggested password normalization for PhpBb3 authentication
There may be a delay before changes are rolled out to the XenForo Community.
 
Back
Top Bottom