CVE 2017-8081 #1224
Comments
|
There are a couple options from what I've seen, but they aren't as drag & drop as I'd hoped.
Thoughts? |
|
An alternative would be to branch on version, with 5.3+ getting the secure version, and 5.2 staying as is (idk how many users use the hotfix, but are on php v5.2). |
|
Wrap a more secure option in a 5.2 fallback to whatever random is best for that version, probably just use I see notes about this being a problem on Windows (slowww) in comments and that it was not crypto secure until bugfixed 5.5? Min PHP version won't be changed in a minor version. I think a lot of crappy hosts are just now getting PHP up to date, there might be some still on 5.2 |
|
pr #1226 |
|
|
Perhaps it would be better using |
|
I already committed, but the site went 502 again so I can't post |
|
generate_salt unnecessarily weak.
We allow custom salt and it has no problems being longer than 22 chars, so I have no idea where this restriction came from. Do not see any breakage from removing it.
refs
#880
#931
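
The version-dependent fallback discussed in this thread, as an added example that is not part of the original issue or the project's code. The function names, the hex encoding and the opt-in weak fallback are assumptions made for illustration.

```php
<?php
// Added example: names are hypothetical, not taken from the project.

// Return $length raw bytes from the strongest source this PHP build offers.
function example_secure_bytes($length)
{
    // PHP 7.0+: kernel CSPRNG; throws if no source is available.
    if (function_exists('random_bytes')) {
        return random_bytes($length);
    }
    // PHP 5.3+ with ext/openssl: accept the bytes only when flagged strong.
    if (function_exists('openssl_random_pseudo_bytes')) {
        $strong = false;
        $bytes = openssl_random_pseudo_bytes($length, $strong);
        if ($bytes !== false && $strong === true && strlen($bytes) === $length) {
            return $bytes;
        }
    }
    // Unix-like hosts, any PHP version: read the kernel pool directly.
    $fh = @fopen('/dev/urandom', 'rb');
    if ($fh !== false) {
        $bytes = fread($fh, $length);
        fclose($fh);
        if ($bytes !== false && strlen($bytes) === $length) {
            return $bytes;
        }
    }
    return false; // nothing secure available; the caller decides what to do
}

// Hex salt of $chars characters; the legacy fallback is explicit and opt-in.
function example_generate_salt($chars = 32, $allow_weak_fallback = false)
{
    $bytes = example_secure_bytes((int) ceil($chars / 2));
    if ($bytes === false) {
        if (!$allow_weak_fallback) {
            throw new Exception('No secure random source available');
        }
        // PHP 5.2 last resort: mt_rand() is predictable, not a CSPRNG.
        $bytes = '';
        for ($i = 0; $i < ceil($chars / 2); $i++) {
            $bytes .= chr(mt_rand(0, 255));
        }
    }
    return substr(bin2hex($bytes), 0, $chars);
}

echo example_generate_salt(32), "\n";
```

The code probes for functions rather than comparing version numbers, so a host with a missing extension falls through to the next source instead of calling a function that does not exist.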