Bug 11944: Authentication

The password should be encoded before hashing.

Test plan:
- Before applying the patch, create a user with utf-8 in password
- apply patches
- try to log in
- change the password
- log out
- try to log in

Signed-off-by: Paola Rossi <paola.rossi@cineca.it>
Signed-off-by: Bernardo Gonzalez Kriegel <bgkriegel@gmail.com>
Signed-off-by: Dobrica Pavlinusic <dpavlin@rot13.org>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>

diff --git a/C4/Auth.pm b/C4/Auth.pm
index b808c66..493c8df 100644 (file)
--- a/C4/Auth.pm
+++ b/C4/Auth.pm
@@ -34,6 +34,7 @@ use C4::VirtualShelves;
 use Koha::AuthUtils qw(hash_password);
 use POSIX qw/strftime/;
 use List::MoreUtils qw/ any /;
+use Encode qw( encode is_utf8);
 
 # use utf8;
 use vars qw($VERSION @ISA @EXPORT @EXPORT_OK %EXPORT_TAGS $debug $ldap $cas $caslogout $shib $shib_login);
@@ -1650,6 +1651,9 @@ sub checkpw {
 sub checkpw_internal {
     my ( $dbh, $userid, $password ) = @_;
 
+    $password = Encode::encode( 'UTF-8', $password )
+      if Encode::is_utf8($password);
+
     if ( $userid && $userid eq C4::Context->config('user') ) {
         if ( $password && $password eq C4::Context->config('pass') ) {
         # Koha superuser account

diff --git a/Koha/AuthUtils.pm b/Koha/AuthUtils.pm
index a8024d9..b748c1b 100644 (file)
--- a/Koha/AuthUtils.pm
+++ b/Koha/AuthUtils.pm
@@ -19,6 +19,7 @@ package Koha::AuthUtils;
 
 use Modern::Perl;
 use Crypt::Eksblowfish::Bcrypt qw(bcrypt en_base64);
+use Encode qw( encode is_utf8 );
 use Fcntl qw/O_RDONLY/; # O_RDONLY is used in generate_salt
 
 use base 'Exporter';
@@ -51,6 +52,8 @@ user passwords.
 # Using Bcrypt method for hashing. This can be changed to something else in future, if needed.
 sub hash_password {
     my $password = shift;
+    $password = Encode::encode( 'UTF-8', $password )
+      if Encode::is_utf8($password);
 
     # Generate a salt if one is not passed
     my $settings = shift;