Something strange in integrate_verify_password

Started by snoopy_virtual, August 12, 2015, 07:33:55 AM


snoopy_virtual

I don't even know if you would consider this a bug or not, but for me (as a paranoid security maniac) it is.

Ok, I will tell you and let you decide what you think about it.

In Profile.php find:


// Does the integration want to check passwords?
$good_password = in_array(true, call_integration_hook('integrate_verify_password', array($cur_profile['member_name'], $_POST['oldpasswrd'], false)), true);

// Bad password!!!
if (!$good_password && $user_info['passwd'] != sha1(strtolower($cur_profile['member_name']) . $_POST['oldpasswrd']))
$post_errors[] = 'bad_password';


In plain words, that means:

If we have two ways of checking whether the password is wrong or not (SMF's own check and an integrate function), then if both of them say the password is wrong it is wrong, but if one of them says it's good then it's good.

As I said, I am paranoid about these things, but I would do it the other way round: if one of them says the password is wrong, THEN it's wrong.

I mean I would write this instead:


if (!$good_password || $user_info['passwd'] != sha1(strtolower($cur_profile['member_name']) . $_POST['oldpasswrd']))
$post_errors[] = 'bad_password';


What do you think?

A true wise man is he who sees everything, studies everything, analyses everything and hardly ever annoys.

Kindred

But, what if you have an integrate function and have changed the password in the other system?
Glory to Ukraine

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

snoopy_virtual

I would never do that myself.

The most complicated site I have is one with SMF, Joomla, Coppermine, Drupal and WordPress (plus a few of my own programs) working at the same time. All of them are connected via SSI.php.

On that site every user only has a nickname, a valid email and a password. I don't see the point of having several different programs connected and using a different password for each one.

Of course every one of the programs uses a different way of checking the password and a different encoding to store it in the DB, but the actual password is the same one.


Kindred

I think you are actually missing a piece by using SSI... Many integrations use hooks or the API instead... And if they use hooks, then you need to check whether the external password matches the internal one...

snoopy_virtual

Of course I use all the hooks available in the code. I wouldn't be able to integrate one program with SMF without using the integration hooks.

Actually I would love it if one day we could write all the mods and changes for SMF using only hooks and not changing even one line of the core code (as happens, for example, when you need to do something for WordPress or Wedge).

But can you tell me how you can integrate a program with SMF using only integration hooks and without using SSI? I haven't seen one.


All Colours Sam

Not really a bug so I'm moving this.

integrate_verify_password is used to do just that, to verify the password, so it's the responsibility of whoever uses that hook to do proper validation and only return true if it's really valid.

There is another hook, integrate_validate_login; that's the hook you will use if you want to integrate another script with SMF.


As for hooks vs. API vs. SSI, it really depends on what you really want to do or what you can do... Most of these hooks exist because in the real world you will most likely end up with some legacy code and you will need to make it work with SMF; in that case, using hooks like integrate_validate_login is the way to go.

If you have control over both scripts, then SSI.php is the way to go, as it's always way easier to have one single script doing all the work for you.

The API can be used when you only want to share some info between scripts, i.e., getting the forum's total statistics, recent X, latest Y, stuff like that.

And yes, mods can be written and be fully functional without modifying any code. The system isn't perfect, of course, so the more clever you are and the more knowledge of SMF's inner code you have, the more chance you will have of finding a solution that doesn't need a file edit. SMF 2.1 greatly improves this.
Oh, wouldn't it be great if I *was* crazy? ...then the world would be okay
Suki
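The following is an added example in PHP, not SMF's own code, written to model the combination logic in the Profile.php snippet quoted in the first post and the hook contract All Colours Sam sets out just above (return true only when the password really was verified). hook_results() is a stand-in for SMF's call_integration_hook(), with the same shape: each registered function is called with the arguments and its return value is collected. external_verify_password() is a hypothetical hook written to that contract, and the external credential store it consults is a constructed array. The script runs four cases side by side under the rule as it is (accept if ANY checker says yes) and the rule proposed in the first post (reject if ANY checker says no): both stores hold the same password; the password was changed in SMF only (Kindred's objection); a careless hook that returns true without checking; and no hook registered at all, where in_array(true, array(), true) is false.

```php
<?php
// Added example, not SMF code. hook_results() stands in for SMF's
// call_integration_hook(); external_verify_password() and its $store
// array are constructed for this demonstration.
declare(strict_types=1);

// Like call_integration_hook(): call every registered function with the
// same arguments and return their results keyed by function name.
function hook_results(array $hooks, array $args): array
{
    $results = array();
    foreach ($hooks as $name => $fn) {
        $results[$name] = call_user_func_array($fn, $args);
    }
    return $results;
}

// Hypothetical integrate_verify_password hook written to the contract
// stated in the thread: return true only when the external store really
// verified the password, false otherwise (unknown user included).
function external_verify_password($member_name, $password, $is_hashed)
{
    // Constructed external store: a bcrypt hash as password_hash() produces.
    static $store = null;
    if ($store === null) {
        $store = array('alice' => password_hash('correct horse', PASSWORD_BCRYPT));
    }
    $key = strtolower($member_name);
    if (!isset($store[$key])) {
        return false;
    }
    return password_verify($password, $store[$key]);
}

// SMF 2.0's stored form: sha1(lowercased member name . password).
function smf_stored_hash($member_name, $password)
{
    return sha1(strtolower($member_name) . $password);
}

// Rule as it is in Profile.php: accepted when ANY checker says the password
// is good. (SMF compares with !=; hash_equals() is used here instead so the
// comparison does not leak timing information.)
function accepted_if_any($hooks, $member_name, $smf_stored, $attempt)
{
    $good_password = in_array(true, hook_results($hooks, array($member_name, $attempt, false)), true);
    return $good_password || hash_equals($smf_stored, smf_stored_hash($member_name, $attempt));
}

// Rule proposed in the first post: rejected when ANY checker says it is bad.
function accepted_if_all($hooks, $member_name, $smf_stored, $attempt)
{
    $good_password = in_array(true, hook_results($hooks, array($member_name, $attempt, false)), true);
    return $good_password && hash_equals($smf_stored, smf_stored_hash($member_name, $attempt));
}

function show($label, $any, $all)
{
    printf("%-42s any: %-5s all: %s\n", $label, var_export($any, true), var_export($all, true));
}

$hooks  = array('external_verify_password' => 'external_verify_password');
$stored = smf_stored_hash('alice', 'correct horse');

// 1. SMF and the external store hold the same password.
show('same password everywhere, correct attempt',
    accepted_if_any($hooks, 'alice', $stored, 'correct horse'),
    accepted_if_all($hooks, 'alice', $stored, 'correct horse'));
show('same password everywhere, wrong attempt',
    accepted_if_any($hooks, 'alice', $stored, 'wrong'),
    accepted_if_all($hooks, 'alice', $stored, 'wrong'));

// 2. Password changed in SMF only; the external system still has the old one.
$drifted = smf_stored_hash('alice', 'new password');
show('password changed only in SMF',
    accepted_if_any($hooks, 'alice', $drifted, 'new password'),
    accepted_if_all($hooks, 'alice', $drifted, 'new password'));

// 3. A careless hook that returns true without checking anything.
$careless = array('careless' => function ($m, $p, $h) { return true; });
show('careless hook, wrong attempt',
    accepted_if_any($careless, 'alice', $stored, 'wrong'),
    accepted_if_all($careless, 'alice', $stored, 'wrong'));

// 4. No hook registered: in_array(true, array(), true) is false.
show('no hook registered, correct attempt',
    accepted_if_any(array(), 'alice', $stored, 'correct horse'),
    accepted_if_all(array(), 'alice', $stored, 'correct horse'));
```

Run it with `php example.php` on PHP 5.6 or later (password_hash() and hash_equals() are needed). Reading the four cases together: the "any" rule is only as strong as the weakest registered hook, which is exactly the objection in the first post and why the contract above puts the burden on the hook author; the "all" rule closes that hole but rejects a correct password whenever the two stores disagree, and, because an empty result set never contains true, it rejects every password on a forum with no verify hook registered at all. Neither combination rule substitutes for a hook that only returns true after a real check.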

snoopy_virtual

I haven't had time yet to check SMF 2.1. Too busy with live sites needing only stable software, but I had already heard it has a lot more hooks. I will check it out as soon as I have some spare time.

I have a problem with days having only 24 hours though  ;)

Quote from: Suki on August 12, 2015, 09:45:18 AM
And yes, mods can be written and be fully functional without modifying any code. The system isn't perfect, of course, so the more clever you are and the more knowledge of SMF's inner code you have, the more chance you will have of finding a solution that doesn't need a file edit. SMF 2.1 greatly improves this.

Actually the most complicated mod I ever wrote (httpBL) only changes a couple of lines here and there in the code. All the hard work is done in external files. So I never (as far as I can remember) needed to change that mod because of changes in any SMF update.

But I suppose I don't need to tell you how many times we need to give support to a user having problems with a mod because a new version of SMF is out and now that mod doesn't work properly.

