Merge remote-tracking branch 'origin/v10/dev' into v10/feature/nullable-reference-types-in-Umbraco-Core

# Conflicts: # build/build.ps1 # src/Umbraco.Core/Configuration/ConfigConnectionString.cs # src/Umbraco.Core/Configuration/Models/ConnectionStrings.cs # src/Umbraco.Core/Install/InstallSteps/TelemetryIdentifierStep.cs # src/Umbraco.Core/Models/ContentType.cs # src/Umbraco.Infrastructure/Migrations/Install/DatabaseBuilder.cs # tests/Umbraco.Tests.AcceptanceTest/package.json
2022-03-16 13:00:38 +01:00
parent 029aecccb5 3961c4c233
commit 4ebd20bb66
480 changed files with 11569 additions and 6721 deletions
--- a/src/Umbraco.Core/Security/LegacyPasswordSecurity.cs
+++ b/src/Umbraco.Core/Security/LegacyPasswordSecurity.cs
@@ -1,4 +1,4 @@
-using System;
+using System;
 using System.ComponentModel;
 using System.Security.Cryptography;
 using System.Text;
@@ -144,7 +144,7 @@ namespace Umbraco.Cms.Core.Security
            var saltBytes = Convert.FromBase64String(salt);
            byte[] inArray;

-            var hashAlgorithm = GetHashAlgorithm(algorithmType);
+            using var hashAlgorithm = GetHashAlgorithm(algorithmType);
            var algorithm = hashAlgorithm as KeyedHashAlgorithm;
            if (algorithm != null)
            {
@@ -209,11 +209,21 @@ namespace Umbraco.Cms.Core.Security
        {
            // This is for the v6-v8 hashing algorithm
            if (algorithm.InvariantEquals(Constants.Security.AspNetUmbraco8PasswordHashAlgorithmName))
+            {
                return true;
+            }
+
+            // Default validation value for old machine keys (switched to HMACSHA256 aspnet 4 https://docs.microsoft.com/en-us/aspnet/whitepapers/aspnet4/breaking-changes)
+            if (algorithm.InvariantEquals("SHA1"))
+            {
+                return true;
+            }

            // This is for the <= v4 hashing algorithm
            if (IsLegacySHA1Algorithm(algorithm))
+            {
                return true;
+            }

            return false;
        }
@@ -227,7 +237,7 @@ namespace Umbraco.Cms.Core.Security
        /// <returns>The encoded password.</returns>
        private string HashLegacySHA1Password(string password)
        {
-            var hashAlgorithm = GetLegacySHA1Algorithm(password);
+            using var hashAlgorithm = GetLegacySHA1Algorithm(password);
            var hash = Convert.ToBase64String(hashAlgorithm.ComputeHash(Encoding.Unicode.GetBytes(password)));
            return hash;
        }