run passcrypt when user does not exist dokuwiki#4491

splitbrain · splitbrain · commit 9c952d3bf926 · 2025-08-01T09:06:52.000+02:00
This will automatically use the configured password hashing method, thus
matching what existing users most likely have for their hash as well.
diff --git a/lib/plugins/authpdo/auth.php b/lib/plugins/authpdo/auth.php
@@ -123,7 +123,10 @@ public function checkPass($user, $pass)
     {
 
         $userdata = $this->selectUser($user);
-        if ($userdata == false) return false;
+        if ($userdata === false) {
+            auth_cryptPassword('dummy'); // run a crypt op to prevent timing attacks
+            return false;
+        }
 
         // password checking done in SQL?
         if ($this->checkConfig(['check-pass'])) {
diff --git a/lib/plugins/authplain/auth.php b/lib/plugins/authplain/auth.php
@@ -68,7 +68,10 @@ public function __construct()
     public function checkPass($user, $pass)
     {
         $userinfo = $this->getUserData($user);
-        if ($userinfo === false) return false;
+        if ($userinfo === false) {
+            auth_cryptPassword('dummy'); // run a crypt op to prevent timing attacks
+            return false;
+        }
 
         return auth_verifyPassword($pass, $this->users[$user]['pass']);
     }

Original file line number	Diff line number	Diff line change
`@@ -68,7 +68,10 @@ public function __construct()`
`68`	`68`	`public function checkPass($user, $pass)`
`69`	`69`	`{`
`70`	`70`	`$userinfo = $this->getUserData($user);`
`71`		`- if ($userinfo === false) return false;`
	`71`	`+ if ($userinfo === false) {`
	`72`	`+ auth_cryptPassword('dummy'); // run a crypt op to prevent timing attacks`
	`73`	`+ return false;`
	`74`	`+ }`
`72`	`75`
`73`	`76`	`return auth_verifyPassword($pass, $this->users[$user]['pass']);`
`74`	`77`	`}`