-
sapphire/security/Security.php hash security issue

3 November 2008 at 2:16am
I have stumbled over a design flaw of the internal encrypted password store. When I changed the way to build PHP - in particular I added "-fstack-protector" to the compiler options - my passwords no longer matched and I could no longer log into any of my SilverStripe projects. I tracked down the issue to sapphire/security/Security.php line 794:
$password = substr(base_convert($password, 16, 36), 0, 64);
The PHP manual says: "base_convert() may lose precision on large numbers due to properties related to the internal "double" or "float" type used." So only around 10 characters of that 64 character string really are computed from the hash! The rest is some random data from the stack. Therefore the new compiler option crashed the password database. How can I fix this?
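The precision loss described in the post above can be reproduced directly. The script below is an added example, not SilverStripe's own code: base_convert() walks the hex string accumulating into a PHP float once the value no longer fits a platform integer, so of a 160-bit SHA-1 only about 53 bits survive, which is roughly 10 base-36 characters (log36(2^53) is about 10.25). The two hash strings are constructed values that share their first 16 hex digits; base36_exact() is a hypothetical pure-PHP replacement that converts by long division on a digit array so that no bits are dropped.

```php
<?php
// Added example (not SilverStripe code). Demonstrates why
//   substr(base_convert($hash, 16, 36), 0, 64)
// discards most of a hash, and shows an exact alternative.

// Float-based conversion exactly as in the quoted Security.php line.
function base36_via_float(string $hex): string
{
    return substr(base_convert($hex, 16, 36), 0, 64);
}

// Exact hex -> base36 conversion (hypothetical helper, not a library API):
// repeated long division of the hex digit array by 36, collecting remainders.
function base36_exact(string $hex): string
{
    $digits   = array_map('hexdec', str_split(strtolower($hex))); // most significant first
    $alphabet = '0123456789abcdefghijklmnopqrstuvwxyz';
    $out      = '';
    while (count($digits) > 0) {
        $rem  = 0;
        $quot = [];
        foreach ($digits as $d) {
            $acc = $rem * 16 + $d;
            $q   = intdiv($acc, 36);
            $rem = $acc % 36;
            if ($q > 0 || count($quot) > 0) { // drop leading zeros of the quotient
                $quot[] = $q;
            }
        }
        $out    = $alphabet[$rem] . $out;
        $digits = $quot;
    }
    return $out === '' ? '0' : $out;
}

// How many base-36 characters a 53-bit double can actually carry.
function meaningful_base36_chars(): float
{
    return log(2 ** 53, 36);
}

// Constructed SHA-1-sized values (40 hex digits): same first 16 digits,
// completely different last 24 digits. These are not real digests.
$a = '8f3c2a19e7b4d560' . str_repeat('0', 24);
$b = '8f3c2a19e7b4d560' . str_repeat('f', 24);

$floatA = base36_via_float($a);
$floatB = base36_via_float($b);
$exactA = base36_exact($a);
$exactB = base36_exact($b);

printf("base_convert() result A: %s\n", $floatA);
printf("base_convert() result B: %s\n", $floatB);
printf("identical after base_convert(): %s\n", $floatA === $floatB ? 'yes' : 'no');
printf("exact result A:          %s\n", $exactA);
printf("exact result B:          %s\n", $exactB);
printf("identical after exact conversion: %s\n", $exactA === $exactB ? 'yes' : 'no');
printf("base-36 chars a double can carry: %.2f\n", meaningful_base36_chars());
```

The float path reports the two values as identical, because after the 16th hex digit every further digit is added to a float whose spacing between representable values is already larger than 15, so the tail is rounded away; the exact path keeps them distinct. From a defender's standpoint the simplest correction is to store and compare the hex digest without any conversion step, and since changing the conversion invalidates every stored hash, a deployment needs a rehash-on-next-successful-login migration rather than a silent swap.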
-
Re: sapphire/security/Security.php hash security issue

3 November 2008 at 6:07pm
You might want to post this issue as the ticket on open.silverstripe.com as an issue. You could change it yourself by removing the base_convert() but I have no idea what it's going to break.