From db551911f429359a30ffd76017451164ba81af50 Mon Sep 17 00:00:00 2001
From: Yorhel
Date: Fri, 31 Jul 2009 11:45:35 +0200
Subject: Added encode_utf8() on $salt and $pass in _authEncryptPass()

This forces $salt and $pass to be 'downgraded' to byte strings in case we are given unicode strings (i.e. when fetched from database or YAWF). This, in turn, prevents global_salt from 'upgrading', which allows binary data to be used for this string.
---
 lib/VNDB/Util/Auth.pm | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/lib/VNDB/Util/Auth.pm b/lib/VNDB/Util/Auth.pm
index 519e5523..ce548a98 100644
--- a/lib/VNDB/Util/Auth.pm
+++ b/lib/VNDB/Util/Auth.pm
@@ -8,6 +8,7 @@ use Exporter 'import';
 use Digest::MD5 'md5';
 use Digest::SHA qw|sha1_hex sha256 sha256_hex|;
 use Time::HiRes;
+use Encode 'encode_utf8';
 use POSIX 'strftime';
@@ -117,9 +118,10 @@ sub _authCheck {
 # Arguments: self, pass, salt, binary mode
 # Returns: encrypted password
 sub _authEncryptPass{
- my ($self, $pass, $salt, $bin) = @_;
- return sha256($self->{global_salt} . $pass . $salt) if $bin;
- return sha256_hex($self->{global_salt} . $pass . $salt);
+ my($self, $pass, $salt, $bin) = @_;
+ my $str = $self->{global_salt} . encode_utf8($pass) . encode_utf8($salt);
+ return sha256($str) if $bin;
+ return sha256_hex($str);
 }
-- cgit v1.2.3
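Review bot: `encode_utf8($pass)` and `encode_utf8($salt)` in the new `my $str = ...` line only give a stable digest when both arguments arrive as character strings; if some caller passes an undecoded byte string with non-ASCII content, Encode treats each byte as a Latin-1 character and re-encodes it, so the same password hashed through the two paths yields different digests and the login silently fails, and the commit does not pin which kind of input is expected. Suggest making that contract explicit in the header comment, e.g. `# Arguments: self, pass (character string), salt (character string), binary mode` followed by `# pass/salt are UTF-8 encoded so the digest does not depend on Perl's internal string flag;` and `# global_salt must remain a byte string and is deliberately not passed through encode_utf8.` The change fixes representation consistency, but a single SHA-256 round over pepper.password.salt is still a fast hash; moving to a slow password KDF would be the longer-term mitigation and is outside this hunk. The hunk ends on the closing `}` of `_authEncryptPass`, so the whole function is visible here.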