Accept older blowfish hashes.

Both `2a` and `2x` are valid types of blowfish hashes, that while being
older should be accepted.

Backport 00c94bd from 3.x to 2.5.x,
I see this as a bug fix as it fixes incompatibilities with hashes
created by hash_password().

Refs #3575

Author: markstory

lib/Cake/Utility/Security.php

@@ -277,7 +277,12 @@ protected static function _crypt($password, $salt = false) {
 			$salt = vsprintf('$2a$%02d$%s', array(self::$hashCost, $salt));
 		}
 
-		if ($salt === true || strpos($salt, '$2a$') !== 0 || strlen($salt) < 29) {
+		$invalidCipher = (
+			strpos($salt, '$2y$') !== 0 &&
+			strpos($salt, '$2x$') !== 0 &&
+			strpos($salt, '$2a$') !== 0
+		);
+		if ($salt === true || $invalidCipher || strlen($salt) < 29) {
 			trigger_error(__d(
 				'cake_dev',
 				'Invalid salt: %s for %s Please visit http://www.php.net/crypt and read the appropriate section for building %s salts.',