[#8401] - Pull in Symfony's PHP 5.6 polyfill to consistently use hash_equals
- Closed
- 12 Nov 2015
- Medium
- Build: staging
- # 8401
- Diff
- mbabker:symfony-polyfill56
- Success Human Test Results: 2 Successful 0 Failed. Details
User tests: Successful: Unsuccessful:
This pull request introduces Symfony's new Polyfill libraries to the CMS code stack. This enables JCrypt:: timingSafeCompare() to always use the hash_equals() function and in older PHP versions where it isn't present it falls back to their polyfill library, which given the overall state of JCrypt I feel like is going to be better structured than our own method.
Full API additions
The 5.6 polyfill library supports backports for PHP's native hash_equals() and ldap_escape() functions. The util polyfill library introduces a class set with several binary-safe string functions.
Testing Instructions
The only user facing space that uses JCrypt:: timingSafeCompare() is in JUserHelper::verifyPassword() if a MD5 or SHA256 password hash are used. So for those looking to test this, you'd need to load an MD5 style hash from early 3.0 or 2.5 releases into your database and login with that. Preferably with a PHP 5.5 or earlier system.
| Status | New | ⇒ | Pending |
joomla-cms-bot
- | Labels |
Added:
?
|
||
Why?
Well we don't merge any of the unit test related stuff in all our other packages and also I don't want people who don't understand what they are talking about moaning that there are more uses of eval in our code base.
Unless I'm missing something very obvious?
By that argument the IDNA Convert library needs to be removed since it uses eval().
I have tested this item 
successfully on 611ab24
I have set the password to 433903e0a9d6a712e00251e44d29bf87:UJ0b9J5fufL3FKfCc0TLsYJBh2PFULvT (admin) and was able to login successfully.
This also worked with the new bcrypt style password.
This comment was created with the J!Tracker Application at issues.joomla.org/joomla-cms/8401.
I have tested this item successfully on 611ab24
Oops i missed to record my result here. I have unsed also a md5 hash from the recovery doc page. Login works and after login we get the new pw hash to te database.
This comment was created with the J!Tracker Application at issues.joomla.org/joomla-cms/8401.
| Milestone |
Added: |
||
| Status | Pending | ⇒ | Ready to Commit |
| Milestone |
Added: |
||
RTC Thanks
This comment was created with the J!Tracker Application at issues.joomla.org/joomla-cms/8401.
| Labels |
Added:
?
|
||
| Status | Ready to Commit | ⇒ | Closed |
| Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2015-11-12 19:26:46 |
| Closed_By | ⇒ | wilsonge |
| Labels |
Removed:
?
|
||
Code reviewed 
for our purpose.
(very minor, and theoretical (*), remark for upstream Polyfill library: their timing-safe compare could be a bit better at not returning early here: https://github.com/joomla/joomla-cms/pull/8401/files#diff-56df8bbdf01e1f6f975adf7510726cceR41 . That is resolved in a better way in our old code here https://github.com/joomla/joomla-cms/pull/8401/files#diff-e44d04c7be61f714f3e044b49a4781b0L143 )
- Note: I bet that given all the other processes running on a web server, no one would be able to perform a meaningful timing analysis on a single string compare in practice, Therefore my theoretical adjective above
Can we remove the test listener file please :)