From 7450ec001961b228aeec917b6ddf626d283900ec Mon Sep 17 00:00:00 2001
From: Gregor Harlan <mail@gh01.de>
Date: Tue, 7 Apr 2026 23:19:00 +0200
Subject: [PATCH 1/3] Remove sha1 pre-hashing from password handling

Previously, passwords were sha1-hashed before being passed to
password_hash/password_verify (a leftover from client-side hashing
in REDAXO 5.x). This removes the sha1 layer entirely:

- Remove `$isPreHashed` parameter from `setLogin`, `passwordHash`,
  `passwordVerify`
- Remove client-side sha1 hashing from login form and `sha1.js` asset
- Add legacy fallback in `BackendLogin::passwordVerify` for old
  sha1-wrapped password hashes, with automatic rehashing on next login
- Use `static::` instead of `self::` for `passwordVerify` in
  `Login::checkLogin` to enable late static binding

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 assets/sha1.js                         | 12 ----------
 boot/backend.php                       |  5 +---
 pages/login.php                        | 11 +--------
 pages/profile/index.php                |  3 ++-
 src/Security/BackendLogin.php          | 31 +++++++++++++++++++++++-
 src/Security/BackendPasswordPolicy.php |  3 +--
 src/Security/Login.php                 | 33 +++++---------------------
 tests/Security/BackendLoginTest.php    | 18 +++++++-------
 8 files changed, 50 insertions(+), 66 deletions(-)
 delete mode 100644 assets/sha1.js

diff --git a/assets/sha1.js b/assets/sha1.js
deleted file mode 100644
index 2d90e6614b..0000000000
--- a/assets/sha1.js
+++ /dev/null
@@ -1,12 +0,0 @@
-/* - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  */
-/*  SHA-1 implementation in JavaScript | (c) Chris Veness 2002-2010 | www.movable-type.co.uk      */
-/*   - see http://csrc.nist.gov/groups/ST/toolkit/secure_hashing.html                             */
-/*         http://csrc.nist.gov/groups/ST/toolkit/examples.html                                   */
-/*         http://www.movable-type.co.uk/scripts/sha1.html                                        */
-/* - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  */
-var Sha1={};
-Sha1.hash=function(b,a){if(a=typeof a=="undefined"?true:a)b=Utf8.encode(b);var g=[1518500249,1859775393,2400959708,3395469782];b+=String.fromCharCode(128);for(var c=Math.ceil((b.length/4+2)/16),h=Array(c),e=0;e<c;e++){h[e]=Array(16);for(var f=0;f<16;f++)h[e][f]=b.charCodeAt(e*64+f*4)<<24|b.charCodeAt(e*64+f*4+1)<<16|b.charCodeAt(e*64+f*4+2)<<8|b.charCodeAt(e*64+f*4+3)}h[c-1][14]=(b.length-1)*8/Math.pow(2,32);h[c-1][14]=Math.floor(h[c-1][14]);h[c-1][15]=(b.length-1)*8&4294967295;f=1732584193;var n=
-4023233417,o=2562383102,p=271733878,q=3285377520,i=Array(80),j,k,l,m,r;for(e=0;e<c;e++){for(var d=0;d<16;d++)i[d]=h[e][d];for(d=16;d<80;d++)i[d]=Sha1.ROTL(i[d-3]^i[d-8]^i[d-14]^i[d-16],1);j=f;k=n;l=o;m=p;r=q;for(d=0;d<80;d++){var s=Math.floor(d/20);s=Sha1.ROTL(j,5)+Sha1.f(s,k,l,m)+r+g[s]+i[d]&4294967295;r=m;m=l;l=Sha1.ROTL(k,30);k=j;j=s}f=f+j&4294967295;n=n+k&4294967295;o=o+l&4294967295;p=p+m&4294967295;q=q+r&4294967295}return Sha1.toHexStr(f)+Sha1.toHexStr(n)+Sha1.toHexStr(o)+Sha1.toHexStr(p)+Sha1.toHexStr(q)};
-Sha1.f=function(b,a,g,c){switch(b){case 0:return a&g^~a&c;case 1:return a^g^c;case 2:return a&g^a&c^g&c;case 3:return a^g^c}};Sha1.ROTL=function(b,a){return b<<a|b>>>32-a};Sha1.toHexStr=function(b){for(var a="",g,c=7;c>=0;c--){g=b>>>c*4&15;a+=g.toString(16)}return a};var Utf8={};
-Utf8.encode=function(b){b=b.replace(/[\u0080-\u07ff]/g,function(a){a=a.charCodeAt(0);return String.fromCharCode(192|a>>6,128|a&63)});return b=b.replace(/[\u0800-\uffff]/g,function(a){a=a.charCodeAt(0);return String.fromCharCode(224|a>>12,128|a>>6&63,128|a&63)})};
-Utf8.decode=function(b){b=b.replace(/[\u00e0-\u00ef][\u0080-\u00bf][\u0080-\u00bf]/g,function(a){a=(a.charCodeAt(0)&15)<<12|(a.charCodeAt(1)&63)<<6|a.charCodeAt(2)&63;return String.fromCharCode(a)});return b=b.replace(/[\u00c0-\u00df][\u0080-\u00bf]/g,function(a){a=(a.charCodeAt(0)&31)<<6|a.charCodeAt(1)&63;return String.fromCharCode(a)})};
diff --git a/boot/backend.php b/boot/backend.php
index 0f5e4e78e6..cd5f7a7205 100644
--- a/boot/backend.php
+++ b/boot/backend.php
@@ -150,9 +150,7 @@
     if (($rexUserLogin || $passkey) && !CsrfToken::factory('backend_login')->isValid()) {
         $loginCheck = I18n::msg('csrf_token_invalid');
     } else {
-        // the server side encryption of pw is only required
-        // when not already encrypted by client using javascript
-        $login->setLogin($rexUserLogin, $rexUserPsw, Request::post('javascript', 'boolean'));
+        $login->setLogin($rexUserLogin, $rexUserPsw);
         $login->setPasskey('' === $passkey ? null : $passkey);
         $login->setStayLoggedIn($rexUserStayLoggedIn);
         $loginCheck = $login->checkLogin();
@@ -234,7 +232,6 @@
 Asset::addJsFile(Url::coreAssets('jquery-ui.custom.min.js'), [Asset::JS_IMMUTABLE => true]);
 Asset::addJsFile(Url::coreAssets('jquery-pjax.min.js'), [Asset::JS_IMMUTABLE => true]);
 Asset::addJsFile(Url::coreAssets('standard.js'), [Asset::JS_IMMUTABLE => true]);
-Asset::addJsFile(Url::coreAssets('sha1.js'), [Asset::JS_IMMUTABLE => true]);
 Asset::addJsFile(Url::coreAssets('clipboard-copy-element.js'), [Asset::JS_IMMUTABLE => true]);
 Asset::addJsFile(Url::coreAssets('js/mediapool.js'), [Asset::JS_IMMUTABLE]);
 
diff --git a/pages/login.php b/pages/login.php
index 983bce57b4..e869e1e1ea 100644
--- a/pages/login.php
+++ b/pages/login.php
@@ -53,7 +53,7 @@ function disableLogin() {
 
 $content .= '
     <fieldset>
-        <input type="hidden" name="javascript" value="0" id="javascript" />';
+';
 
 $formElements = [];
 
@@ -132,15 +132,6 @@ function disableLogin() {
 <script type="text/javascript" nonce="' . Response::getNonce() . '">
      <!--
     jQuery(function($) {
-        $("#rex-form-login")
-            .submit(function(){
-                var pwInp = $("#rex-id-login-password");
-                if(pwInp.val() != "") {
-                    $("#rex-form-login").append(\'<input type="hidden" name="\'+pwInp.attr("name")+\'" value="\'+Sha1.hash(pwInp.val())+\'" />\');
-                }
-        });
-
-        $("#javascript").val("1");
         ' . $js . '
     });
      //-->
diff --git a/pages/profile/index.php b/pages/profile/index.php
index d227de9d2e..981ad362d3 100644
--- a/pages/profile/index.php
+++ b/pages/profile/index.php
@@ -10,6 +10,7 @@
 use Redaxo\Core\Form\Select\Select;
 use Redaxo\Core\Http\Request;
 use Redaxo\Core\Http\Response;
+use Redaxo\Core\Security\BackendLogin;
 use Redaxo\Core\Security\BackendPasswordPolicy;
 use Redaxo\Core\Security\CsrfToken;
 use Redaxo\Core\Security\Login;
@@ -126,7 +127,7 @@
 
 $verifyLogin = static function () use ($user, $login, $userpsw, $webauthn): bool|string {
     if (!$login->getPasskey()) {
-        if (!$userpsw || !Login::passwordVerify($userpsw, $user->getValue('password'))) {
+        if (!$userpsw || !BackendLogin::passwordVerify($userpsw, $user->getValue('password'))) {
             return I18n::msg('user_psw_verify_error');
         }
 
diff --git a/src/Security/BackendLogin.php b/src/Security/BackendLogin.php
index a1bfb88ed9..abbab5c68c 100644
--- a/src/Security/BackendLogin.php
+++ b/src/Security/BackendLogin.php
@@ -3,6 +3,7 @@
 namespace Redaxo\Core\Security;
 
 use DateTimeImmutable;
+use Override;
 use Redaxo\Core\Core;
 use Redaxo\Core\Database\Sql;
 use Redaxo\Core\Exception\LogicException;
@@ -28,6 +29,8 @@ class BackendLogin extends Login
 
     private const SESSION_PASSWORD_CHANGE_REQUIRED = 'password_change_required';
 
+    private static ?string $legacySha1Hash = null;
+
     private string $tableName;
     private ?string $passkey = null;
     private bool $stayLoggedIn = false;
@@ -144,7 +147,7 @@ public function checkLogin()
                 $password = $this->user->getValue('password');
                 if ($password && $this->userLogin && $this->userPassword && self::passwordNeedsRehash($password)) {
                     $add .= 'password = ?, ';
-                    $params[] = $password = self::passwordHash($this->userPassword, true);
+                    $params[] = $password = self::passwordHash($this->userPassword);
                 }
                 array_push($params, Sql::datetime(), Sql::datetime(), session_id(), $this->getSessionVar(self::SESSION_USER_ID));
                 $sql->setQuery('UPDATE ' . $this->tableName . ' SET ' . $add . 'login_tries=0, lasttrydate=?, lastlogin=?, session_id=? WHERE id=? LIMIT 1', $params);
@@ -339,6 +342,32 @@ public static function createUser()
         return null;
     }
 
+    #[Override]
+    public static function passwordVerify(#[SensitiveParameter] string $password, #[SensitiveParameter] string $hash): bool
+    {
+        if (parent::passwordVerify($password, $hash)) {
+            return true;
+        }
+
+        // Fallback for legacy passwords from REDAXO 5.x which were sha1-prehashed
+        if (password_verify(sha1($password), $hash)) {
+            self::$legacySha1Hash = $hash;
+            return true;
+        }
+
+        return false;
+    }
+
+    #[Override]
+    public static function passwordNeedsRehash(#[SensitiveParameter] string $hash): bool
+    {
+        if ($hash === self::$legacySha1Hash) {
+            return true;
+        }
+
+        return parent::passwordNeedsRehash($hash);
+    }
+
     /**
      * returns the backends session namespace.
      *
diff --git a/src/Security/BackendPasswordPolicy.php b/src/Security/BackendPasswordPolicy.php
index 56e08e81c2..092a68611a 100644
--- a/src/Security/BackendPasswordPolicy.php
+++ b/src/Security/BackendPasswordPolicy.php
@@ -94,12 +94,11 @@ public function check(#[SensitiveParameter] $password, $id = null)
             return true;
         }
 
-        $password = sha1($password);
         $previousPasswords = Type::array(json_decode($previousPasswords, true));
         $previousPasswords = $this->cleanUpPreviousPasswords($previousPasswords);
 
         foreach ($previousPasswords as $previousPassword) {
-            if (BackendLogin::passwordVerify($password, $previousPassword[0], true)) {
+            if (BackendLogin::passwordVerify($password, $previousPassword[0])) {
                 return I18n::msg('password_already_used');
             }
         }
diff --git a/src/Security/Login.php b/src/Security/Login.php
index 16fee32ed4..890e88de76 100644
--- a/src/Security/Login.php
+++ b/src/Security/Login.php
@@ -139,13 +139,12 @@ public function setSessionDuration($sessionDuration)
      *
      * @param string $login
      * @param string $password
-     * @param bool $isPreHashed
      * @return void
      */
-    public function setLogin(#[SensitiveParameter] $login, #[SensitiveParameter] $password, $isPreHashed = false)
+    public function setLogin(#[SensitiveParameter] $login, #[SensitiveParameter] $password)
     {
         $this->userLogin = $login;
-        $this->userPassword = $isPreHashed ? $password : sha1($password);
+        $this->userPassword = $password;
     }
 
     /**
@@ -283,7 +282,7 @@ public function checkLogin()
                 $this->user = Sql::factory($this->DB);
 
                 $this->user->setQuery($this->loginQuery, [':login' => $this->userLogin]);
-                if (1 == $this->user->getRows() && self::passwordVerify($this->userPassword, (string) $this->user->getValue($this->passwordColumn), true)) {
+                if (1 == $this->user->getRows() && static::passwordVerify($this->userPassword, (string) $this->user->getValue($this->passwordColumn))) {
                     $ok = true;
                     static::regenerateSessionId();
                     $this->setSessionVar(self::SESSION_START_TIME, time());
@@ -601,37 +600,17 @@ public static function getCookieParams()
         return $cookieParams;
     }
 
-    /**
-     * Verschlüsselt den übergebnen String.
-     *
-     * @param string $password
-     * @param bool $isPreHashed
-     * @return string Returns the hashed password
-     */
-    public static function passwordHash(#[SensitiveParameter] $password, $isPreHashed = false)
+    public static function passwordHash(#[SensitiveParameter] string $password): string
     {
-        $password = $isPreHashed ? $password : sha1($password);
-
         return password_hash($password, PASSWORD_DEFAULT);
     }
 
-    /**
-     * @param string $password
-     * @param string $hash
-     * @param bool $isPreHashed
-     * @return bool returns TRUE if the password and hash match, or FALSE otherwise
-     */
-    public static function passwordVerify(#[SensitiveParameter] $password, #[SensitiveParameter] $hash, $isPreHashed = false)
+    public static function passwordVerify(#[SensitiveParameter] string $password, #[SensitiveParameter] string $hash): bool
     {
-        $password = $isPreHashed ? $password : sha1($password);
         return password_verify($password, $hash);
     }
 
-    /**
-     * @param string $hash
-     * @return bool returns TRUE if the hash should be rehashed to match the given algo and options, or FALSE otherwise
-     */
-    public static function passwordNeedsRehash(#[SensitiveParameter] $hash)
+    public static function passwordNeedsRehash(#[SensitiveParameter] string $hash): bool
     {
         return password_needs_rehash($hash, PASSWORD_DEFAULT);
     }
diff --git a/tests/Security/BackendLoginTest.php b/tests/Security/BackendLoginTest.php
index 03823f0488..a7548c2591 100644
--- a/tests/Security/BackendLoginTest.php
+++ b/tests/Security/BackendLoginTest.php
@@ -40,14 +40,14 @@ protected function tearDown(): void
     public function testSuccessfullLogin(): void
     {
         $login = new BackendLogin();
-        $login->setLogin(self::LOGIN, self::PASSWORD, false);
+        $login->setLogin(self::LOGIN, self::PASSWORD);
         self::assertTrue($login->checkLogin());
     }
 
     public function testFailedLogin(): void
     {
         $login = new BackendLogin();
-        $login->setLogin(self::LOGIN, 'somethingwhichisnotcorrect', false);
+        $login->setLogin(self::LOGIN, 'somethingwhichisnotcorrect');
         self::assertFalse($login->checkLogin());
     }
 
@@ -56,10 +56,10 @@ public function testSuccessfullReLogin(): void
     {
         $login = new BackendLogin();
 
-        $login->setLogin(self::LOGIN, 'somethingwhichisnotcorrect', false);
+        $login->setLogin(self::LOGIN, 'somethingwhichisnotcorrect');
         self::assertFalse($login->checkLogin());
 
-        $login->setLogin(self::LOGIN, self::PASSWORD, false);
+        $login->setLogin(self::LOGIN, self::PASSWORD);
         self::assertTrue($login->checkLogin());
     }
 
@@ -70,32 +70,32 @@ public function testSuccessfullReLoginAfterLoginTriesSeconds(): void
         $tries = $login->getLoginPolicy()->getMaxTriesUntilDelay();
 
         for ($i = 0; $i < $tries; ++$i) {
-            $login->setLogin(self::LOGIN, 'somethingwhichisnotcorrect', false);
+            $login->setLogin(self::LOGIN, 'somethingwhichisnotcorrect');
             self::assertFalse($login->checkLogin());
         }
 
         // we need to re-create login-objects because the time component is static in their sql queries
         $login = new BackendLogin();
-        $login->setLogin(self::LOGIN, self::PASSWORD, false);
+        $login->setLogin(self::LOGIN, self::PASSWORD);
         self::assertFalse($login->checkLogin(), 'account locked after fast login attempts');
 
         sleep(1);
 
         $login = new BackendLogin();
-        $login->setLogin(self::LOGIN, self::PASSWORD, false);
+        $login->setLogin(self::LOGIN, self::PASSWORD);
         self::assertFalse($login->checkLogin(), 'even seconds later account is locked');
 
         sleep($login->getLoginPolicy()->getReloginDelay() + 1);
 
         $login = new BackendLogin();
-        $login->setLogin(self::LOGIN, self::PASSWORD, false);
+        $login->setLogin(self::LOGIN, self::PASSWORD);
         self::assertTrue($login->checkLogin(), 'after waiting the account should be unlocked');
     }
 
     public function testLogout(): void
     {
         $login = new BackendLogin();
-        $login->setLogin(self::LOGIN, self::PASSWORD, false);
+        $login->setLogin(self::LOGIN, self::PASSWORD);
         self::assertTrue($login->checkLogin());
         $login->setLogout(true);
         self::assertFalse($login->checkLogin());

From 8c13d9c006d14569cfc4c85f3e9bed2a0ebf2f84 Mon Sep 17 00:00:00 2001
From: Gregor Harlan <mail@gh01.de>
Date: Tue, 7 Apr 2026 23:28:38 +0200
Subject: [PATCH 2/3] update

---
 pages/profile/index.php | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/pages/profile/index.php b/pages/profile/index.php
index 981ad362d3..e612307fef 100644
--- a/pages/profile/index.php
+++ b/pages/profile/index.php
@@ -13,7 +13,6 @@
 use Redaxo\Core\Security\BackendLogin;
 use Redaxo\Core\Security\BackendPasswordPolicy;
 use Redaxo\Core\Security\CsrfToken;
-use Redaxo\Core\Security\Login;
 use Redaxo\Core\Security\User;
 use Redaxo\Core\Security\WebAuthn;
 use Redaxo\Core\Translation\I18n;
@@ -158,7 +157,7 @@
     } elseif ($passwordChangeRequired && $userpsw === $userpswNew1) {
         $error = I18n::msg('password_not_changed');
     } else {
-        $userpswNew1 = Login::passwordHash($userpswNew1);
+        $userpswNew1 = BackendLogin::passwordHash($userpswNew1);
 
         $updateuser = Sql::factory();
         $updateuser->setTable(Core::getTablePrefix() . 'user');

From fc7c918185297ac50e3b25babe47ef0c123d9668 Mon Sep 17 00:00:00 2001
From: Gregor Harlan <mail@gh01.de>
Date: Wed, 8 Apr 2026 00:00:17 +0200
Subject: [PATCH 3/3] fix screenshots

---
 .tools/visual-tests/visual-record.js | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.tools/visual-tests/visual-record.js b/.tools/visual-tests/visual-record.js
index 52e4bd41c1..f5880b47c6 100644
--- a/.tools/visual-tests/visual-record.js
+++ b/.tools/visual-tests/visual-record.js
@@ -173,10 +173,10 @@ async function createScreenshots(page, screenshotName) {
     await processScreenshot(page, screenshotName.replace('.png', '--dark.png'));
 }
 
-async function logIntoBackend(page, username = 'myusername', password = '91dfd9ddb4198affc5c194cd8ce6d338fde470e2') {
+async function logIntoBackend(page, username = 'myusername', password = 'mypassword') {
     await goToUrlOrThrow(page, START_URL, { waitUntil: 'load' });
     await page.type('#rex-id-login-user', username);
-    await page.type('#rex-id-login-password', password); // sha1('mypassword')
+    await page.type('#rex-id-login-password', password);
     await Promise.all([
         page.waitForNavigation({ waitUntil: 'load' }),
         page.$eval('#rex-form-login', form => form.submit()),