PHP version requirement #10
Comments
|
I too would like the requirement dropped. The situation with Debian is a little different than @tpetry mentions. Debian has backported the fixes to PHP 5.3.3-7+squeeze4 (the current version in Debian is +squeeze-14). That said, PHP 5.3.3 works with this library. Please drop the requirement from your composer.json. |
|
Indeed. Server-oriented distros will tend to backport fixes, which makes simple version checks like this useless. |
|
@tpetry, I believe that 5.3.7 is required not due to the bug in crypt, but rather due to the information provided at http://php.net/security/crypt_blowfish.php. |
|
@adduc Debian has backported all of that to it's PHP 5.3.3 version, including the new |
|
In that case I support the removal of the version check too. If we want to test something, then we should test the existence of But maybe we should just let the application implement this check. @ircmaxell What's your opinion on this issue? |
|
Ok, so I've been thinking about this for a while, and here's my stance: Running Requiring 5.3 won't work, because That leaves us with a bit of an issue. An issue that's directly attributable to the screwed up release processes of Debian. And yes, I call them screwed up because the second that they back ported a fix, the version ceased to be 5.3.3, and became their own branch. So calling it 5.3.3 is a huge misnomer. But that's besides this point. I'm at a bit of a loss on to how to fix this. On one hand, removing the requirement would open significant issues for people which wouldn't be obvious (they install it on a non-debian 5.3.3). On the other, leaving it as is disables the library for debian users... So there's no really good solution that I can implement from my end. Thoughts? |
|
My solution would be staying as compatible with old php versions as possible. I would only throw an exception while hashing when the crypt bug has been detected. This would make the api incompatible but would prevent horrible security problems. |
|
How about ignoring the PHP version requirement entirely, and checking the result of |
|
Bonus points: make the triggered error message clear that it is due to an incompatible implementation of |
|
IOW, duck-typing FTW. |
|
It's not just Debian, other long term support distros also backport (I would imagine CentOS/RHEL has the same issue, being officially pegged to 5.3.3 in release 6.3). One option might be having users set a constant to signal that they don't wish to run the version check. Something like PASSWORD_COMPAT_NO_CHECK, and maybe offer a small test script to verify if their install of PHP has the vulnerable version of crypt_bcrypt? |
|
Here's what I'm thinking: Remove the check at runtime completely. Leave the check in composer though... I could theoretically create an installer for composer which would throw an exception if it's not supported on install... But that's not great either (there would be more code in the installer than the library itself)... thoughts? |
|
@ircmaxell For argument's sake... what's the value in putting a hard PHP requirement into Composer rather than just documenting "dude, this don't work in PHP version X.Y.Z"? If someone installs this library on 5.3.5, say, what exactly is the problem? Is it just "avoiding 5.3.7" that is the goal? |
|
@Crell: the issue is that it won't work in regular 5.3 at all. The |
|
Is there a specific call to crypt that would be different between < 5.3.7 vs > 5.3.7 to identify whether the $2y would be supported? EDIT: Nevermind, read @gergoerdosi's comment earlier and tested it in 5.3.3 and 5.3.18 (only versions available to me at the moment) with two separate outputs consistent to what he was mentioning. |
|
@adduc Actually, that's a good point. I just tried this on 3v4l, and it looks like it might work... http://3v4l.org/8ugqB#tabs On good versions, it throws the On bad versions, it treats it as a DES based hash, and runs a fast hash. |
|
I still don't understand why you can't remove the version requirement and instead, just do: This eliminates the "the version number is a lie" problem, and eliminates the "don't waste CPU cycles checking for compatibility when the library is sourced" issue, and this blows up as it should on incompatible systems so that users won't silently think everything's working when it's not. |
|
I'm not exactly well-versed in GitHub (or Git in general), but I was able to make a few repos for testing an installer class for this library. The forked version of this repo with a fixed composer.json is at https://github.com/Adduc/password_compat, a version of the installer at https://github.com/Adduc/password_compat_installer, and a sample repo testing out the functionality at https://github.com/Adduc/password_compat_use |
|
My thinking is along the lines of what dossy is suggesting. Basically, rather than version number detection in Composer, do feature detection in PHP. You can download the library, but if you try to run it on a known-broken system (or on a not-known-good system) it fails hard with an Exception. Not quite as nice as not letting you download it in the first place and getting your hopes up, but more accurate about when it will work. |
|
I agree with Crell. That also solves a potential problem where people use Composer to download this library on a machine with a good PHP version, but rsync or push all their code to a machine with a bad PHP version. The runtime detection (as opposed to install time detection) would warn the user about the issue. |
|
I just pushed 1.0.0, and in it I removed the run-time version check and the composer dependency. Run |
|
I'm re-opening this, as I just ran a test against 5.3.3-debian on Squeeze (6.0.7), and it failed. It appears that If anyone can elaborate as to how it possibly could have worked, I'm all ears. The If not, I am going to re-instate the version check, as there isn't a way to actually run it under 5.3.3-debian... |
|
I see at:
Please excuse my lack of expert knowledge in this area, but is there scope to use |
|
We run PHP 5.3.3-7+squeeze14 with Suhosin-Patch on Debian and have the same problem ( I made an API breaking change to the library to accomodate this, adding a new constant |
|
@phindmarsh and @mvl22 My main concern here is that providing support to And I don't think it should be the role of a security library to compromise security for pretty much any reason... |
|
@ircmaxell agreed, I knew the implications of my changes so was happy to do so. My circumstances dictate that I can't update my php version at the moment, however when that changes I'll be reverting back to the original library. From my (limited) understanding the Debian philosophy is to not introduce any new functionality in a security patch, hence why I assume the 2y prefix was not backported with the fix. I agree this is a dangerous edge case to leverage and I don't think it's the purpose of this library to accommodate that. As you said, education is a better solution here. |
|
Just to throw in a little... ...additional impetus to this issue, the Debian Version 6.0 with backports from dot-deb seems to have halted at: I believe this may render the library completely incompatible... ...would be nice if there were a way around that? Admittedly, 6.0 is now just beyond it's support period as well, but I expect it's very prevalent on servers on the web. |
|
Even though Debian didn't backported the $always_flawed = crypt('password_with_utf8_éèçù', '$2x$04$0123456789012345678901$');
$maybe_flawed = crypt('password_with_utf8_éèçù', '$2a$04$0123456789012345678901$');
if($maybe_flawed === $always_flawed) {
trigger_error('flawed $2a$');
}However, this would only work for debian 5.3.3 packages, as |
|
|
I think a IMHO having a security vulnerability before It is better to inform users of this library in any way possible they might be affected. If users know their distribution of PHP is fixed then they could install the library by just copying the file, adding a submodule or whatever. It is not OK to leave this out only because a part of the users may not be affected. Constraints are always better when it comes to security. |
|
By the way, Debian moved to 5.4.x |
You've stated that at least PHP 5.3.8 is needed because in PHP 5.3.7 has been a bug in crypt (#55439). But this bug has been introduced in PHP 5.3.7 and is fixed in PHP 5.3.8. The correct PHP version requirement would be to allow all PHP 5.3 versions except 5.3.7.
Setting this more correct version requirement makes it possible to use your PHP implementation of the PHP 5.5 password library with more PHP installations. Debian for example has PHP 5.3.3 and any installation with php of debian repo wouldn't be able to use the library.
The text was updated successfully, but these errors were encountered: