[pmwiki-devel] PHP 5.6 crypt() without salt raises E_NOTICE

Petko Yotov 5ko at 5ko.fr
Fri Feb 28 07:24:29 CST 2014


Thanks for the suggestion. I think we'll have to use more than just digits  
to make the salt more random, and indeed, we cannot rely on system devices.

Something like this may work:

  function pmcrypt($pass, $salt=null) {
    if(is_null($salt)) { # create hash with a fresh random salt
      if(function_exists('password_hash')) # PHP 5.5+
        # password_hash() takes the password and an algorithm constant;
        # it generates its own random salt and returns the complete hash
        return password_hash($pass, PASSWORD_DEFAULT);
      else return crypt($pass); # pre-5.5: crypt() picks a salt itself
    }
    else return crypt($pass, $salt); # verify: re-hash using the stored hash as salt
  }

This relies on PHP features. Before PHP 5.5 it uses the default random hash  
creation internal to crypt(), like we use it now. Since PHP 5.5 it will use  
the password_hash() function which should return a sufficiently random hash  
compatible with the operating system.

Then we'll have to update the documentation about setting $DefaultPasswords  
in config.php: instead of crypt(), use pmcrypt().

Does anyone see a better way to do it? Pm?

Thanks,
Petko


Chris Knadle writes:
> On Saturday, February 15, 2014 20:58:28 Petko Yotov wrote:
> > Hello.
> >
> > There was a known bug in some PHP versions when crypt() is used without a
> > "salt" parameter, see http://www.pmwiki.org/wiki/PITS/01277 .
> >
> > This was a bug, but from PHP 5.6 on there will be a "feature", and using
> > crypt() without a salt will raise E_NOTICE. See http://php.net/crypt .
> >
> > We are using crypt() without a salt to create hashes from passwords.
> >
> > Does anyone have a suggestion how to implement a random enough salt
> > parameter?
>
> One suggestion I've seen for this is taking a long section of the value of Pi
> as a string, and using pieces of that as the salt.  Perhaps taking a long
> section as a string, and choosing a piece based on the local time?
>
> [I'm only suggesting this because I'm making the assumption that a local
> source of "good" randomness such as /dev/urandom is not available.  However
> from what I've read, what "good" randomness means even if this device exists
> differs depending on the system in question.]
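The following is an added example, not code from PmWiki or from anyone in this thread: it shows how an explicit salt can be built from the operating system's CSPRNG so that crypt() is never called without a salt, and how the resulting hash is verified. It assumes PHP 7.0 or later (random_bytes() and hash_equals()); the function names are illustrative. On PHP 5.5+ password_hash()/password_verify() perform the same steps internally.

```php
<?php
// Added example (not PmWiki's code). Assumes PHP 7.0+ for random_bytes()/hash_equals().

// Build a bcrypt-format salt for crypt(): "$2y$" . cost . "$" . 22 chars
// from bcrypt's own alphabet (./A-Za-z0-9).
function make_bcrypt_salt($cost = 10) {
    $raw = random_bytes(16);                     // 128 bits from the OS CSPRNG
    $b64 = strtr(base64_encode($raw), '+', '.'); // '+' is not in bcrypt's alphabet
    return sprintf('$2y$%02d$%s', $cost, substr($b64, 0, 22));
}

// Hash a password. With no salt given, a fresh random one is generated,
// so crypt() never falls back to its (now deprecated) self-chosen salt.
function hash_password($pass, $salt = null) {
    if ($salt === null) {
        $salt = make_bcrypt_salt();
    }
    $hash = crypt($pass, $salt);
    // crypt() reports a bad salt by returning a string shorter than 13 chars ("*0"/"*1")
    if (strlen($hash) < 13) {
        throw new RuntimeException('crypt() failed: unsupported or malformed salt');
    }
    return $hash;
}

// Verify by re-hashing with the stored hash as the salt (crypt() reads the
// algorithm, cost and salt from its prefix) and comparing in constant time.
function verify_password($pass, $stored) {
    return hash_equals($stored, crypt($pass, $stored));
}

// Usage: constructed sample password, two distinct hashes for the same input.
$h1 = hash_password('example-password');
$h2 = hash_password('example-password');
echo "hash 1: $h1\n";
echo "hash 2: $h2\n";
echo 'same salt twice?  ', ($h1 === $h2) ? "yes\n" : "no\n";
echo 'correct password: ', verify_password('example-password', $h1) ? "ok\n" : "FAIL\n";
echo 'wrong password:   ', verify_password('other', $h1) ? "FAIL\n" : "rejected\n";
```

The two hashes differ because each call draws a new salt; verification still succeeds because the salt travels inside the stored hash. hash_equals() rather than === keeps the comparison time independent of where the strings first differ.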
