Accept older blowfish hashes.
Both `2a` and `2x` are valid types of blowfish hashes, that while being
older should be accepted.

Backport 00c94bd from 3.x to 2.5.x,
I see this as a bug fix as it fixes incompatibilities with hashes
created by hash_password().

Refs #3575
markstory committed May 29, 2014
1 parent bf9b8e1 commit 390441d
Showing 1 changed file with 6 additions and 1 deletion.
7 changes: 6 additions & 1 deletion lib/Cake/Utility/Security.php
Expand Up @@ -277,7 +277,12 @@ protected static function _crypt($password, $salt = false) {
$salt = vsprintf('$2a$%02d$%s', array(self::$hashCost, $salt));
}

if ($salt === true || strpos($salt, '$2a$') !== 0 || strlen($salt) < 29) {
$invalidCipher = (
strpos($salt, '$2y$') !== 0 &&
strpos($salt, '$2x$') !== 0 &&
strpos($salt, '$2a$') !== 0
);
if ($salt === true || $invalidCipher || strlen($salt) < 29) {
trigger_error(__d(
'cake_dev',
'Invalid salt: %s for %s Please visit http://www.php.net/crypt and read the appropriate section for building %s salts.',
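
Review bot: The commit message and the `$invalidCipher` condition disagree on which prefixes are new: the message names `2a` and `2x`, while the condition adds `$2y$` and `$2x$`, and `$2a$` was already allowed by the single line this replaces. Listing all three accepted prefixes in the message, or in a comment above `$invalidCipher`, would make the intent clear. Separately, the three `strpos()` calls now run before the `$salt === true` test, where the old condition short-circuited first; putting the `$salt === true` check ahead of the prefix checks keeps them from being evaluated on a boolean. The commit changes only `lib/Cake/Utility/Security.php`, so a test that passes a `$2y$` and a `$2x$` salt through `_crypt()` without triggering the "Invalid salt" error would be worth adding alongside it.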