PMCORE-2298 Password is stored in plain text when is hashed via G::encrypt and it contains a pipe (|)

2021-02-04 18:07:47 -04:00
parent f5d434ffdf
commit 4711d6687d
10 changed files with 81 additions and 65 deletions
--- a/gulliver/system/class.g.php
+++ b/gulliver/system/class.g.php
@@ -379,12 +379,12 @@ class G
     * @param string $string
     * @param string $key
     * @param bool $urlSafe if it is used in url
-     *
+     * @param bool $verifyPipe
     * @return string
     */
-    public static function encrypt($string, $key, $urlSafe = false)
+    public static function encrypt($string, $key, $urlSafe = false, $verifyPipe = true)
    {
-        if (strpos($string, '|', 0) !== false) {
+        if ($verifyPipe === true && strpos($string, '|', 0) !== false) {
            return $string;
        }
        $result = '';
--- a/gulliver/system/class.rbac.php
+++ b/gulliver/system/class.rbac.php
@@ -1762,6 +1762,7 @@ class RBAC
        $dataCase['AUTH_SOURCE_PASSWORD'] = G::encrypt(
                $dataCase['AUTH_SOURCE_PASSWORD'],
                $dataCase['AUTH_SOURCE_SERVER_NAME']
+                ,false, false
            ) . "_2NnV3ujj3w";
        $this->authSourcesObj->create($dataCase);
    }
@@ -1780,6 +1781,7 @@ class RBAC
        $dataCase['AUTH_SOURCE_PASSWORD'] = G::encrypt(
                $dataCase['AUTH_SOURCE_PASSWORD'],
                $dataCase['AUTH_SOURCE_SERVER_NAME']
+                , false, false
            ) . "_2NnV3ujj3w";
        $this->authSourcesObj->update($dataCase);
    }