Re: Raising The Bar On Security
Posted: Fri Jan 30, 2015 6:43 pm
Thanks again for the reply. The point I'm making is that Redhat/CentOS/Scientific Linux 6 (and probably 5 even) show evidence that they have successfully backported PHP. I would have to believe that they are using the $2y prefix too...
I found a test at github.com/edas/password-compat/blob/master/version-test.php and tried a version of this on my CentOS machine:

```php
<?php
// Known-answer test from password-compat's version-test.php: crypt() on a
// build that understands the $2y$ prefix returns the hash unchanged, while
// an older build returns an error string such as "*0" instead.
$hash = '$2y$04$usesomesillystringfore7hnbRJHxXVLeakoG8K30oukPsA.ztMG';
$test = crypt("password", $hash);
$pass = $test === $hash;   // strict comparison; same result as the original ==
echo "Test for functionality of compat library: " . ($pass ? "Pass" : "Fail") . "\n";
```

and the result is: Pass. So it is capable of using the $2y prefix.

Couldn't this test be put into Joomla instead of checking the version number?

I don't know about Debian because I never use it. For Redhat/CentOS 6 systems it is apparent that it works correctly, and it would be an easy fix for Joomla to include it. Just check for the .el6. substring in php_uname().

You said:

> So that lands us with a pretty firm cutoff on PHP 5.3.7 or distros which have proper $2y support

I'm focusing on the second part, and Redhat 6 and clones meet this requirement. It would be great all around (Joomla would benefit too by having a larger user base) if Joomla could be run on these systems without hacks and additional repos. I've heard of the REMI repo, but for other reasons I won't be able to install that on this system. I can hack the index.php code, but I see it in at least four other places too and I don't want to have to hack multiple files every time there is an update to Joomla.

Thanks,
Steve
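The capability test Steve proposes, carried through to a usable hashing path, as an added example that is not Joomla's code and not from the original post. It targets PHP 5.3-era builds such as the backported php-5.3.3 on RHEL/CentOS 6, so it uses crypt() directly rather than password_hash() (PHP 5.5+). The known-answer vector is the one from password-compat's version-test.php; the function names (bcrypt_2y_supported, bcrypt_2y_by_version, bcrypt_salt, bcrypt_hash, bcrypt_verify) and the decision to refuse rather than fall back to $2a$ are this example's own choices.

```php
<?php
// Added example (not Joomla's own code, not from the original post): decide
// at runtime whether this PHP build's crypt() handles the $2y$ bcrypt prefix,
// instead of trusting the version number or the kernel string from php_uname().

// Known-answer test: this vector is the one used by password-compat's
// version-test.php.  A build that understands $2y$ returns the hash unchanged;
// a build that does not typically returns an error string such as "*0".
function bcrypt_2y_supported()
{
    static $supported = null;
    if ($supported === null) {
        $hash = '$2y$04$usesomesillystringfore7hnbRJHxXVLeakoG8K30oukPsA.ztMG';
        $supported = function_exists('crypt') && crypt('password', $hash) === $hash;
    }
    return $supported;
}

// What a pure version check says.  On a CentOS 6 build this is false (PHP 5.3.3)
// even when bcrypt_2y_supported() is true, which is the point of the thread.
function bcrypt_2y_by_version()
{
    return version_compare(PHP_VERSION, '5.3.7', '>=');
}

// Build a 22-character bcrypt salt from 16 random bytes.  openssl_random_pseudo_bytes()
// exists since PHP 5.3; /dev/urandom keeps this usable without ext/openssl.
function bcrypt_salt()
{
    $bytes = function_exists('openssl_random_pseudo_bytes')
        ? openssl_random_pseudo_bytes(16)
        : file_get_contents('/dev/urandom', false, null, 0, 16);
    if (!is_string($bytes) || strlen($bytes) !== 16) {
        throw new RuntimeException('no usable random source for bcrypt salt');
    }
    // bcrypt salts use the alphabet ./A-Za-z0-9; standard base64 uses +/, so map '+' to '.'.
    // The first 22 characters of base64(16 bytes) never include '=' padding.
    return substr(strtr(base64_encode($bytes), '+', '.'), 0, 22);
}

// Hash with $2y$ only when the build has been proven to handle it.  Refusing is
// deliberate: silently falling back to $2a$ on a pre-5.3.7 crypt() reintroduces
// the 8-bit-character bug that the $2y$ prefix was created to leave behind.
function bcrypt_hash($password, $cost = 10)
{
    if (!bcrypt_2y_supported()) {
        throw new RuntimeException('crypt() on this PHP build does not support $2y$ bcrypt');
    }
    $setting = '$2y$' . sprintf('%02d', (int) $cost) . '$' . bcrypt_salt();
    $hash = crypt($password, $setting);
    if (strlen($hash) !== 60) {           // a bcrypt hash is always 60 characters
        throw new RuntimeException('bcrypt failed: ' . $hash);
    }
    return $hash;
}

// Constant-time comparison; hash_equals() only appeared in PHP 5.6.
function bcrypt_verify($password, $hash)
{
    $calc = crypt($password, $hash);
    if (strlen($calc) !== strlen($hash)) {
        return false;
    }
    $diff = 0;
    for ($i = 0, $n = strlen($hash); $i < $n; $i++) {
        $diff |= ord($calc[$i]) ^ ord($hash[$i]);
    }
    return $diff === 0;
}

printf("version check says %s, capability check says %s (uname: %s)\n",
    bcrypt_2y_by_version() ? 'yes' : 'no',
    bcrypt_2y_supported() ? 'yes' : 'no',
    php_uname());

if (bcrypt_2y_supported()) {
    $h = bcrypt_hash("pässword");   // 8-bit input: the case where old $2a$ went wrong
    var_dump(bcrypt_verify("pässword", $h));   // true
    var_dump(bcrypt_verify("password", $h));   // false
}
```

The probe is preferable to the `.el6.` substring idea for one reason worth stating: php_uname() reports the kernel the interpreter is running on, not how the interpreter was built, so a PHP compiled from source or installed from a third-party repository on an el6 kernel would match the string without necessarily carrying the backported $2y$ fix. The known-answer test asks crypt() itself and cannot be fooled that way.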