Accept older blowfish hashes.

Both `2a` and `2x` are valid types of blowfish hashes, that while being older should be accepted.
cakephp · May 27, 2014 · 00c94bd · 00c94bd
1 parent e5b73bd
commit 00c94bd
Showing 1 changed file with 6 additions and 1 deletion.
diff --git a/src/Utility/Security.php b/src/Utility/Security.php
@@ -212,7 +212,12 @@ protected static function _crypt($password, $salt = false) {
 			$salt = vsprintf('$2y$%02d$%s', array(static::$hashCost, $salt));
 		}
 
-		if ($salt === true || strpos($salt, '$2y$') !== 0 || strlen($salt) < 29) {
+		$invalidCipher = (
+			strpos($salt, '$2y$') !== 0 &&
+			strpos($salt, '$2x$') !== 0 &&
+			strpos($salt, '$2a$') !== 0
+		);
+		if ($salt === true || $invalidCipher || strlen($salt) < 29) {
 			throw new Exception(sprintf(
 				'Invalid salt: %s for blowfish Please visit http://www.php.net/crypt and read the appropriate section for building blowfish salts.',
 				$salt