X-Git-Url: https://scripts.mit.edu/gitweb/autoinstalls/wordpress.git/blobdiff_plain/8a06f4f9392d1ac373442f82ee40428a3cb81395..a7cd4c052013b423c6301153f68c7fdbaa2a447b:/wp-includes/class-phpass.php?ds=inline
diff --git a/wp-includes/class-phpass.php b/wp-includes/class-phpass.php
index 70f9bdf5..f2dadae3 100644
--- a/wp-includes/class-phpass.php
+++ b/wp-includes/class-phpass.php
@@ -2,14 +2,14 @@
 /**
  * Portable PHP password hashing framework.
  * @package phpass
- * @since 2.5
- * @version 0.1
+ * @since 2.5.0
+ * @version 0.3 / WordPress
  * @link http://www.openwall.com/phpass/
  */
 
 #
 # Written by Solar Designer in 2004-2006 and placed in
-# the public domain.
+# the public domain. Revised in subsequent years, still public domain.
 #
 # There's absolutely no warranty.
 #
@@ -29,9 +29,9 @@
  * Portable PHP password hashing framework.
  *
  * @package phpass
- * @version 0.1 / genuine
+ * @version 0.3 / WordPress
  * @link http://www.openwall.com/phpass/
- * @since 2.5
+ * @since 2.5.0
  */
 class PasswordHash {
 	var $itoa64;
@@ -49,14 +49,14 @@ class PasswordHash {
 
 		$this->portable_hashes = $portable_hashes;
 
-		$this->random_state = microtime() . (function_exists('getmypid') ? getmypid() : '') . uniqid(rand(), TRUE);
-
+		$this->random_state = microtime() . uniqid(rand(), TRUE); // removed getmypid() for compatibility reasons
 	}
 
 	function get_random_bytes($count)
 	{
 		$output = '';
-		if (($fh = @fopen('/dev/urandom', 'rb'))) {
+		if ( @is_readable('/dev/urandom') &&
+		    ($fh = @fopen('/dev/urandom', 'rb'))) {
 			$output = fread($fh, $count);
 			fclose($fh);
 		}
@@ -114,7 +114,9 @@ class PasswordHash {
 		if (substr($setting, 0, 2) == $output)
 			$output = '*1';
 
-		if (substr($setting, 0, 3) != '$P$')
+		$id = substr($setting, 0, 3);
+		# We use "$P$", phpBB3 uses "$H$" for the same thing
+		if ($id != '$P$' && $id != '$H$')
 			return $output;
 
 		$count_log2 = strpos($this->itoa64, $setting[3]);
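Review bot: The rewritten `$this->random_state` line in the constructor hunk still seeds the state from `microtime()` and `uniqid(rand(), TRUE)` only, both of which are predictable, so whatever consumes `random_state` when `/dev/urandom` is unavailable (the fallback after `fclose`, outside this hunk) is presumably much weaker than the urandom path and deserves a comment saying so: `// random_state only seeds the non-urandom fallback; microtime()/rand() are not cryptographic sources`. In `get_random_bytes` the `fread($fh, $count)` result is still taken as-is, and a short read or `false` leaves `$output` shorter than `$count`; I cannot see from the hunk whether the code after it checks `strlen($output) < $count` before falling back, so that check should be confirmed. If the supported PHP floor permits it, `random_bytes($count)` replaces the whole `/dev/urandom` sequence, and the added `@is_readable` test is otherwise redundant with the `@fopen` test that already follows it. The constructor and `get_random_bytes` both continue outside the hunk.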
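Review bot: The new prefix test `if ($id != '$P$' && $id != '$H$')` uses loose `!=` while the same commit moves CheckPassword to strict `===`; for consistency and to keep PHP's loose-comparison rules out of a hash-format check, write `if ($id !== '$P$' && $id !== '$H$')`. The context line that follows still indexes `$setting[3]` with no check that the stored hash is at least four characters long, so a truncated or corrupted stored value reaches `strpos` via an undefined offset; since `$id` is now computed anyway, a guard such as `if (strlen($setting) < 4) return $output;` beside it would be cheap. crypt_private begins and ends outside the hunk, so the later handling of `$count_log2` is not visible here.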
@@ -212,6 +214,10 @@ class PasswordHash {
 
 	function HashPassword($password)
 	{
+		if ( strlen( $password ) > 4096 ) {
+			return '*';
+		}
+
 		$random = '';
 
 		if (CRYPT_BLOWFISH == 1 && !$this->portable_hashes) {
@@ -247,11 +253,15 @@ class PasswordHash {
 
 	function CheckPassword($password, $stored_hash)
 	{
+		if ( strlen( $password ) > 4096 ) {
+			return false;
+		}
+
 		$hash = $this->crypt_private($password, $stored_hash);
 		if ($hash[0] == '*')
 			$hash = crypt($password, $stored_hash);
 
-		return $hash == $stored_hash;
+		return $hash === $stored_hash;
 	}
 }
 
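Review bot: The `4096` limit added at the top of HashPassword is a bare magic number, and the same literal is repeated in the CheckPassword hunk below with no comment in either place, so a reader cannot tell whether it bounds hashing cost on attacker-supplied input, reflects a storage limit, or something else. State the reason once next to the constant, e.g. `// Reject oversized input before hashing; the same limit is enforced in CheckPassword()`, and if the class may use PHP 5 syntax hoist it into one class constant used by both methods so the two paths cannot drift apart. The `'*'` returned here is a sentinel callers must recognise; it looks like the failure value HashPassword already uses further down, but that part of the method is outside the hunk.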
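Review bot: `return $hash === $stored_hash;` is a plain string comparison whose running time can vary with how many leading bytes agree; for a password-hash check the timing-safe form is preferable if the supported PHP floor includes 5.6, i.e. `return hash_equals($stored_hash, $hash);`. The move from `==` to `===` is correct on its own, because `==` would compare two numeric-looking strings numerically. The `$hash[0] == '*'` context line above it also assumes `crypt_private` never returns an empty string; that helper is outside the hunk, so this is worth confirming rather than asserting.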