2.9.2 114 employees change pass #165
# Conflicts: # inc/classes/OpenApiSpec.php
# Conflicts: # inc/classes/OpenApiSpec.php
# Conflicts: # inc/classes/OpenApiSpec.php
# Conflicts: # composer.json # inc/classes/Init.php # inc/classes/OpenApiSpec.php
# Conflicts: # composer.json # inc/classes/Init.php # inc/classes/OpenApiSpec.php
# Conflicts: # inc/classes/Init.php # inc/classes/OpenApiSpec.php
Review completed. Found 2 issues that need attention:
Mention @roomote in a comment to request specific changes to this pull request or fix all unresolved issues.
| $data_user = $this->dataUsers->getUserById($this->auth->ID); | ||
| if ( | ||
| (new DateTime($data_user['date_expired'])) < (new DateTime())) { |
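Review bot: `$data_user` is indexed without checking that `getUserById()` returned a row, and `date_expired` goes straight into `new DateTime()`; an empty string there is parsed as the current time, so a user with no expiry set can be rejected as already expired, and a null value raises a deprecation on PHP 8.1+. Guard both, e.g. `if ($data_user && !empty($data_user['date_expired']) && new DateTime($data_user['date_expired']) < new DateTime())`, and state explicitly whether a missing expiry means "never expires" or "deny".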
Potential exception if date_expired field is NULL or empty. The DateTime constructor will throw an exception when passed an empty string or null value. This will occur for users who don't have a date_expired value set in the database, causing the entire authentication flow to fail with an uncaught exception.
Fix it with Roo Code or mention @roomote and request a fix.
| [$login, $password] = explode(':', base64_decode(substr($_SERVER['HTTP_AUTHORIZATION'], 6))); | ||
| $user = $this->dataUsers->getUserByLogin($login); | ||
| if ($user && \Core2\Tool::password_verify_secure($password, (string)$user['u_pass'])) { | ||
| if ($user && $user['u_pass'] === Tool::pass_salt(md5($password))) { |
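Review bot: the replacement line swaps `password_verify_secure()` for `=== Tool::pass_salt(md5($password))`, which both downgrades the stored hash to salted MD5 and compares it with a non-constant-time `===`; keep the `password_verify_secure()` call (or `password_verify()` with `hash_equals()` for any legacy path) and, if a migration is needed, accept the old hash only to rehash it on a successful login. Separately, the header parsing two lines up takes `substr(..., 6)` without checking that the scheme is `Basic`, decodes with non-strict `base64_decode()`, and calls `explode(':', ...)` without a limit of 2, so a password containing `:` is truncated and a header with no `:` leaves `$password` undefined.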
Weaker password verification introduced. The change from password_verify_secure() to direct string comparison with MD5 hash significantly weakens the authentication security. The original password_verify_secure() likely used bcrypt or another secure hashing algorithm with timing-attack protection. MD5 is cryptographically broken and vulnerable to rainbow table attacks. This affects HTTP Basic Authentication for API access.
Fix it with Roo Code or mention @roomote and request a fix.
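The two review comments above (the unguarded `date_expired` check and the MD5 downgrade in the HTTP Basic path) are illustrated below in one added example. This is not code from the PR or from the project: the function names, the `$user` array layout and the sample credentials are assumptions made for the illustration, and the MD5 stand-in only approximates what `Tool::pass_salt(md5(...))` does so the weak path can be shown next to the hardened one.

```php
<?php
// Added example, not project code. Helper names, the $user layout and the
// legacy salting scheme are assumptions for illustration.
declare(strict_types=1);

// Parse an HTTP Basic Authorization header into [login, password] or null.
// Checks the scheme, decodes base64 strictly, and splits on the first ':' only,
// so a password containing ':' survives intact and a header with no ':' is rejected.
function parseBasicAuth(?string $header): ?array
{
    if ($header === null || strncasecmp($header, 'Basic ', 6) !== 0) {
        return null;
    }
    $decoded = base64_decode(substr($header, 6), true);
    if ($decoded === false || strpos($decoded, ':') === false) {
        return null;
    }
    [$login, $password] = explode(':', $decoded, 2);
    return $login === '' ? null : [$login, $password];
}

// Weak form, kept only for contrast: salted MD5 compared with ===.
// Cheap to brute-force offline and not a constant-time comparison.
// The salting scheme here is an assumed stand-in for Tool::pass_salt(md5(...)).
function verifyLegacyMd5(string $password, string $stored, string $salt): bool
{
    return $stored === md5($salt . md5($password));
}

// Strong form: a password_hash() value (bcrypt by default) checked with
// password_verify(), which embeds a per-user salt and compares in constant time.
function verifyPassword(string $password, string $storedHash): bool
{
    return password_verify($password, $storedHash);
}

// Expiry check that never feeds an empty value to DateTime.
// new DateTime('') means "now", so an unset date_expired would look expired by
// accident; a missing value is treated explicitly as "no expiry" and an
// unparsable value fails closed.
function isExpired(?string $dateExpired, DateTimeImmutable $now): bool
{
    if ($dateExpired === null || trim($dateExpired) === '') {
        return false;
    }
    try {
        $exp = new DateTimeImmutable($dateExpired);
    } catch (Exception $e) {
        return true;
    }
    return $exp < $now;
}

// Constructed sample user record (not real data).
$user = [
    'u_login'      => 'alice',
    'u_pass'       => password_hash('s3cret:with:colons', PASSWORD_DEFAULT),
    'date_expired' => null,
];

// Constructed request: the password itself contains ':' characters.
$cred = parseBasicAuth('Basic ' . base64_encode('alice:s3cret:with:colons'));

$ok = $cred !== null
    && $cred[0] === $user['u_login']
    && verifyPassword($cred[1], $user['u_pass'])
    && !isExpired($user['date_expired'], new DateTimeImmutable());

var_dump($ok);
```

If a store still holds MD5 hashes, the usual migration is to try `verifyPassword()` first, fall back to the legacy check only while the old column exists, and on a successful legacy login immediately store `password_hash($password, PASSWORD_DEFAULT)` so the weak path disappears as users sign in.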
change pass