#184 mw_user->user_options removed in mediawiki 1.35.2 since 1.19

[Klaus Elsbernd]

Don't know, if I should call it a bug. I had several problems to get a clone of isfdb running, using latest mariadb and mediawiki 1.35.2, but at least managed.

During inserting the dump of backup-MySQL-55-2021-04-24 I saw the creation of the table mw_user using a field "user_options blob NOT NULL,", which has been removed since mediawiki 1.19.

The installation instructions of isfdb are a little bit out of date, so I run the mysql restore first, and then mediawiki 1.35.2. Mediawiki installer saw the already installed ISFDB and runs maintenance upgrade, which removes mw_options and inserts user_password_expires. Update went smooth.

Note: my installation runs mariadb 10.3 and mediawiki 1.35.2 currently without problems.
I had to run some sql-replace-commands to get local installed images been accessed. maybe one should update the instructions.
Note: there is another discrepancy, which I forgot. Will make a note, if I find it again.

[Klaus Elsbernd]

mediawiki version newer than 1.24 (?) uses pbkdf2 for authentication. The password hash is stored like the following example:
example

":pbkdf2:sha512:30000:64:XzZmPitMxmqAN9W9USqIfw==:P5bpOSGP6bqm7Pl6wAB29MEKa0mqNbo9jit0RihuiDlX1zwg9EOPEpOIk1szb/ajjaArFeNpT+0fg4oczZO6/w=="

The following code can be used to add authentication for mediawiki 1.35.2 in submitlogin.cgi

import hashlib
import base64
...

and around line 55

        pbkd = string.split(str(record[0][1]), ":")
        xPBKD = len(pbkd)
        # hash digest, Password, Salt, Iteration, dklen=KeyLength
        if xPBKD == 7:
                xSHA = pbkd[2]
                xIteration = int(pbkd[3])
                xDklen = int(pbkd[4])
                xSalt = base64.b64decode(pbkd[5])
                real_password = pbkd[6]
                xKey = hashlib.pbkdf2_hmac(xSHA, password.encode('ascii'), xSalt, xIteration, dklen=xDklen)
                submitted_password = base64.b64encode(xKey)
        else:
                ###################################################
                #$p = md5( $password);
                ###################################################
                hash = md5.new()
                hash.update(password)
                password = str(hash.hexdigest())
                ###################################################
                #return md5( "{$userid}-{$p}" );
                ###################################################
                newstr = '%s-%s' % (record[0][0], password)
                hash2 = md5.new()
                hash2.update(newstr)
                submitted_password = hash2.hexdigest()
                #real_password = string.split(str(record[0][1]), "'")[3]
                real_password = record[0][1]

Well, can be shortened.
Works within my clone of isfdb: mariadb 10.3.24, python 2.7, apache 2.4 on OpenIndiana (Solaris, SunOS illumos 5.11)

[Ahasuerus]

Ticket moved from /p/isfdb/bugs/770/

[Ahasuerus]

I have asked MartyD to take a look when he has a free moment -- http://www.isfdb.org/wiki/index.php/User_talk:MartyD#MediaWiki_upgrade

[Klaus Elsbernd]

submitlogin.py: I had to change the if statement which decides if md5-hash or pdk2-hash is used: I splitted the hash form MediaWiki into fields with separation character ':'. Since reference to the 2nd field results in a python error, I had to check the size of the split-result. Since I had no md5 hash in my database any more, I overlooked the problem.
So I edited my previous post and corrected the problem: Instead of referring to field 2, I'll test the length of the array.
Since PBKD in MediaWiki 1.36 uses 7 fields, the test for using PBKD is

xPBKD = len(pbkd)
if xPBKD == 7:

Well, of course the code can be shortened :-)