I try to upgrade drupal 6 installation to drupal 7.x on mysql 5.1.49 and php 5.3.3-3 on Debian Lenny. Everything works fine except one. update.php script changes the settings.php file and place $drupal_password_salt there. I have for example:
$drupal_password_salt = 'oEbTwrnPGqQzoLPoNJK_PuhaknDFAuyOVULUKzKHebU';
Users have password hashes starting with "U$S$", which means they must be updated to drupal 7 format on first login. Example password hash:
U$S$9U5ugggFwojvcRi.JpYAgVxc1E5DFmUpsgX1VWjS7CiQE7gfFHcm
After first login, passwords change to the correct "$S$" format. For password above I have in database:
$S$CH/.qVXkYzE6vWu52.uZUfcfbdf.vxyAdJztrGd8TZISaSUtBcIX
...and I can't login again. I wrote a script which uses modified user_check_password() function and write on stdout correct hash for my password. It is:
$S$CH/.qVXkYGlvdZM2ho35FnZ.BjhX7G.87CJTzOG8X5CaMmK/9Mpa
What can be wrong?
| Comment | File | Size | Author |
|---|---|---|---|
| #9 | 1007504-9-upgrade-password-rehash.patch | 1.65 KB | carlos8f |
| #8 | 1007504-upgrade-password-rehash.patch | 944 bytes | carlos8f |
| #3 | check_hash.txt | 1.64 KB | wikp |
Comments
Comment #1
naheemsays commentedsubscribe - I am investigating this on a test upgrade too, but thought it may have been a different module responsible.
EDIT - I dont have any drupal password salt in settings.php and the hash salt is set to '' (so empty string). I am also using the logintoboggan module.
Comment #2
wikp commentedI had these 3rd party modules installed:
taxonomy_menu, adminblock, modr8, taxonomy_router, notifications, taxonomy_treemenu, blog_addons, openx, captcha, taxonomyblocks, token, pathauto, plus1, userpoints, google_analytics, invite, rules, views, ip_anon, jquerymenu, memcache, votingapi (1), messaging, tagadelic, workflow, xmlsitemap
All of them, except "votingapi", I've uninstalled before upgrade.
$drupal_hash_salt was added in d6->d7 upgrade process.
Comment #3
wikp commentedUpdate:
I've tested it three times on clean drupal 6.20 install (without content, third party modules, etc) on two linux hostings and I've got same results.
Steps to reproduce:
1. Install drupal 6.20
2. remove all files from www directory except sites folder
3. copy drupal 7-rc3 files to www directory (overwrite sites/README.txt and sites/default/default.settings.php)
4. Run update.php script
5. Go to front page
6. If you're logged in - logout
7. Login (success) - in this step password hash is changed in database
8. Logout
9. Login (fails)
Examples of hashes, etc:
I've attached script that help me to find correct hash (used with drush scr).
I've checked how it works in API docs and find that user_authenticate() function use user_hash_password() function to get hash of plain-text password after upgrade on first login. user_hash_password() as $setting variable for _password_crypt() use random string generated by _password_generate_salt(). But user_check_password() as $setting use substr($account->pass, 1), and as $password - md5($password). But I'm not sure if this is the solution.
I've tested in on RC and -dev.
Comment #4
catchBumping this to critical, this could be irrepairable on upgraded 6 sites (apart from a password reset).
Comment #5
catchReproduced.
1. Install D6 site.
2. Upgrade it to D7.
3. Log in.
5. Log out.
6. Log in again - fails with unrecognised password.
Comment #6
catchComment #7
wikp commentedI temporarily made two changes in local copy of user.module (after upgrade) and it works. I'm almost sure that these changes will break something in a different place (registration?), so I don't attach a diff. But I think this may be helpful for module maintainer.
These changes are:
user.module#2186, function user_authenticate(), add line:
user.module#412, function user_save(), comment line:
Comment #8
carlos8f commentedHere's a test to reproduce the issue, CNR for bot.
Comment #9
carlos8f commentedI definitely introduced this regression in #991270: password_count_log2 var out of bounds is a sorry mess.
Formerly we used a direct query to update the 'pass' field, which was chucked in favor of user_save(). But I neglected that user_save() expects 'pass' to be a plaintext password, and it hashes it internally. There was no test coverage to catch it at the time, unfortunately.
Comment #10
chx commentedThis is unfortunate indeed. Some user passwords might be double encoded -- the only thing they can do is to ask for a reset. Unfortunate...but does not affect all users only those who logged in since RC3 was released and deployed on a D6 upgraded site. I suspect that's not a huge number.
Comment #11
wikp commented#8: 1007504-upgrade-password-rehash.patch queued for re-testing.
Comment #12
carlos8f commented#8 rightfully fails, which illustrates the bug. #9 includes that test and the appropriate fix. Let's get this in ASAP.
Comment #13
webchickCrap. :\ Is it worth rolling another RC for this?
Committed to HEAD. Thanks!
Comment #14
carlos8f commentedSince RC3 we've also had #1005004: Editing a comment destroys its creation date, but this is the bigger of the two, definitely. Maybe one more RC would be good so we can say we had at least one RC without criticals :)
Comment #15
catchI think this is worth another RC. Nice work tracking it down and fixing so quickly carlos8f.