? simply on principle. Joomla really needs to stop being in the habit of altering third party code, no matter what the purpose is.

generally, I agree unless the 3rd party code has been abandoned then we need to readdress.

Someone else could consider rewriting our implementation of phpass with this fork of Openwall/phpass https://github.com/hautelook/phpass which also fixes this issue.

That fork's out of the question.

1. PHP 5.6+
2. The maintainer is mildly stubborn and used a security vulnerability in another part of Symfony as an argument to say their entire framework (including feature polyfills) cannot be trusted.

Ok, we take that fork off the table. How should we handle the abandoned phpass code here?

Nothing's broken, nothing needs changed. That's my opinion. And I imagine it probably won't be bundled with Joomla 5 which will presumably be the first release that'll support PHP 8 when the PHP 4 constructors would most likely be removed. It's just a deprecation message, you get much worse if you're still running PHP 5.5 or 5.6 in certain configurations or heaven forbid try running Joomla 1.5 on PHP 5.4+.

I believe PHP 4 constructors will be removed in php 8 https://wiki.php.net/rfc/remove_php4_constructors

I personally dislike deprecation messages as on some server setups they clutter the server logs.

@mbabker what about changing to use https://github.com/rchouinard/phpass (also possibly abandoned, last commit is from 2014)

or forking phpass, fixing things to be php 5.3+ without deprecation messages, and bringing it back in as 3rdparty or a joomla lib?

We have so many deprecation messages that it is hard to spot the real messages, as far as I know we don't use the class and we ship it because of we have to. I would can the constructor in this case to get rid of one message

I'm closing as I'm in contact with @solardiz from openwall on getting a fix implemented and released in the official repo. I just need to redo my repo photodude\phpass to eliminate the style changes I implement.

Oh and I believe we do use this in the B/C password checks and trigger for rehashing passwords on php5.5+. It is also the password hashing for < php5.5.

I believe we do use this in the B/C password checks

Correct. For sites upgrading from 2.5.18-ish (I forget if it was 18, 19, or 20 the changes actually landed in) through 2.5.28 or 3.2.1 through 3.2.7 their user accounts will have PHPass hashes.

Last update I was told maybe at the end of April or beginning of May the update to phpass will happen. see https://twitter.com/solardiz/status/846401398958903297

Thanks for the reminder. I did recall it recently as well. With luck, I might get to it in another month.

Here is the PR with the new version #15704