2009-05-11
neil.steiner
If a user password ends with a space, auth_login() currently fails because PMA_blowfish_decrypt() uses trim($decrypt) inappropriately.
The PHP manual indicates that trim($str) without a second parameter will trim " ", \t, \n, \r, \0, and \x0B. PMA_blowfish_encrypt() has padded the blocks with \0, so I recommend only trimming trailing \0 characters from the decrypted block.
In rc2009-02-06, inc/blowfish.php line 563 currently reads:
return trim($decrypt);
I recommend changing that to:
return trim($decrypt, "\0");
It is unlikely that special characters other than spaces would appear at the end of a password, but PMA_blowfish_encrypt/decrypt might be used for more generic text, in which case support for these other characters would preserve symmetry, i.e. D(E($str)) === $str, at least unless $str has trailing \0 characters.
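The following is an added example, not code from the report or from the project. It models only the zero-padding and unpadding steps around the cipher (the Blowfish encryption itself is omitted, since it does not change the padding), and compares the current `trim($decrypt)`, the proposed `trim($decrypt, "\0")`, and `rtrim($decrypt, "\0")`, which strips trailing padding only. The helper `zero_pad()` and the sample strings are constructed for illustration.

```php
<?php
// Added illustration: models only padding/unpadding, not the cipher.
const BLOCK_SIZE = 8; // Blowfish block size in bytes

// Hypothetical helper: zero-pad to a whole number of blocks, as the
// report describes PMA_blowfish_encrypt() doing.
function zero_pad(string $plain): string
{
    $rem = strlen($plain) % BLOCK_SIZE;
    return $rem === 0 ? $plain : $plain . str_repeat("\0", BLOCK_SIZE - $rem);
}

// The three ways of removing the padding after decryption.
$unpadders = [
    'trim($d)'        => fn(string $d): string => trim($d),
    'trim($d, "\0")'  => fn(string $d): string => trim($d, "\0"),
    'rtrim($d, "\0")' => fn(string $d): string => rtrim($d, "\0"),
];

// Constructed sample inputs covering each edge case.
$samples = [
    "secret ",  // trailing space (the reported failure)
    "tab\t",    // trailing tab
    " lead",    // leading space
    "\0lead",   // leading NUL byte
    "nul\0",    // trailing NUL byte: indistinguishable from padding
];

// Returns true when unpad(pad($s)) === $s, i.e. D(E($s)) === $s.
function round_trips(callable $unpad, string $s): bool
{
    return $unpad(zero_pad($s)) === $s;
}

foreach ($samples as $s) {
    echo str_pad(json_encode($s), 14);
    foreach ($unpadders as $name => $unpad) {
        echo str_pad($name . ': ' . (round_trips($unpad, $s) ? 'ok' : 'FAIL'), 24);
    }
    echo PHP_EOL;
}
```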