On Sun, Jul 31, 2011 at 8:20 PM, Solar Designer <so...@openwall.com> wrote:
> Pierre,
>
> Thanks for the prompt response.
>
> On Sun, Jul 31, 2011 at 12:12:48PM +0200, Pierre Joye wrote:
>> On Sun, Jul 31, 2011 at 10:31 AM, Solar Designer <so...@openwall.com> wrote:
>> > http://news.php.net/php.internals/54098
>> >
>> > at least the crypt.c bugfix is a must to apply before releasing 5.3.7
>> > and 5.4.0.
>>
>> The patches are applied already, they are in 5.3.7RC4 and should be in
>> 5.4.0a3 next week.
>
> The reason why I sent this reminder was precisely that I could not find
> the patches in php5.3-201107310630 and php5.4-201107310630 (I downloaded
> the -latest tarballs). Now I also downloaded php-5.3.7RC4.tar.bz2, and
> indeed it does not have the patch either.
>
> ext/standard/crypt.c in php-5.3.7RC4 has:
>
>     salt[2] == 'a' &&
>
> which means that it doesn't support the new $2x$ and $2y$ prefixes.
>
> In 5.4, that check is totally ridiculous (weird mix of ANDs with OR):
>
>     } else if (
>             salt[0] == '$' &&
>             salt[1] == '2' &&
>             (salt[2] != 'a' && salt[2] != 'x') ||
>             salt[3] == '$' &&
>             salt[4] >= '0' && salt[4] <= '3' &&
>             salt[5] >= '0' && salt[5] <= '9' &&
>             salt[6] == '$') {
>
> Both were fixed by the patches I posted on July 19, but those patches
> were not yet applied to these branches (as of yesterday). I did not
> check trunk.
>
> Am I missing something?

It looks like your original patch did not change anything in crypt.c

For the record here, that's the commit using your patches:

http://svn.php.net/viewvc?view=revision&revision=313406

I see now the other patch posted on the 20th, I missed it and it
indeed fixes the checks in crypt.c :)

I will apply it shortly!

Cheers,
--
Pierre

@pierrejoye | http://blog.thepimp.net | http://www.libgd.org

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
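
The operator-precedence problem in the 5.4 condition quoted above, as an added example that is not part of the thread or of the PHP source. quoted_check() reproduces the quoted expression with parentheses added only to show how C groups it; strict_check() is an assumed statement of the intended check (not the patch that was applied), and the sample strings are constructed.

```c
#include <stdio.h>

/* Copy into a zero-padded buffer so salt[0..6] is always in bounds. */
static void pad7(const char *in, char out[8])
{
    int i;
    for (i = 0; i < 8; i++) out[i] = '\0';
    for (i = 0; i < 7 && in[i]; i++) out[i] = in[i];
}

/* The quoted 5.4 condition. && binds tighter than ||, so it is really two
 * independent alternatives; either one alone selects the Blowfish branch. */
int quoted_check(const char *in)
{
    char salt[8];
    pad7(in, salt);
    return (salt[0] == '$' && salt[1] == '2' &&
            (salt[2] != 'a' && salt[2] != 'x')) ||
           (salt[3] == '$' &&
            salt[4] >= '0' && salt[4] <= '3' &&
            salt[5] >= '0' && salt[5] <= '9' &&
            salt[6] == '$');
}

/* Assumed intent: every position must match, third char is a, x or y. */
int strict_check(const char *in)
{
    char salt[8];
    pad7(in, salt);
    return salt[0] == '$' && salt[1] == '2' &&
           (salt[2] == 'a' || salt[2] == 'x' || salt[2] == 'y') &&
           salt[3] == '$' &&
           salt[4] >= '0' && salt[4] <= '3' &&
           salt[5] >= '0' && salt[5] <= '9' &&
           salt[6] == '$';
}

int main(void)
{
    /* Constructed sample prefixes, not taken from the thread. */
    const char *s[] = { "$2a$05$", "$2x$05$", "$2y$05$",
                        "$2z$05$", "$2y!!!!", "abc$05$", "$1$abcd" };
    for (size_t i = 0; i < sizeof s / sizeof *s; i++)
        printf("%-8s quoted=%d strict=%d\n", s[i],
               quoted_check(s[i]), strict_check(s[i]));
    return 0;
}
```

The well-formed prefixes pass both checks, which is why the bug is easy to miss in testing; the difference shows only on malformed input such as "$2z$05$", "$2y!!!!" or "abc$05$", which the quoted condition also routes to the Blowfish branch.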