Re: [openupload-devel] Issue with logging on + salting is wrong perhaps
From: Alessandro B. <ts...@br...> - 2013-01-17 22:49:38
On 2013-01-17 23:23 Ferry wrote:
> Hi there,
>
> after installing openupload I couldn't log on. I've posted more details here:
>
> http://sourceforge.net/p/openupload/support-requests/149/
>
> but the comments are awaiting moderation.
>
> Anyway, it turns out the crypt function on my system (Ubuntu 12.10 64-bit) returns 102 characters. The password field in MySQL is a varchar(100). The insert apparently continues, but it drops the last 2 characters.
>
> Could easily fix this by altering the password column to a varchar(140) and inserting the correct crypted password.
>
> On the PHP page for crypt I saw that crypt without a salt might produce unexpected results. This leads me to believe the current setup isn't proper, as the end result is a crypted password salted by an unsalted crypt of the same password (crypt($password,crypt($password))): the left crypt is salted, but the right one is not. That's probably not the only issue bugging this function, as there are more downloads than users complaining and I'd expect it to work on your system as well. Which would mean crypt doesn't always return the same number of characters either, not with the current code anyway.
>
> It might be better to just store a random string as salt in the database and just concatenate and md5/sha1/sha256/etc. that (or perhaps multiple for the paranoid), as this would be more portable I think. If crypt differs from machine to machine, moving a setup to another machine or upgrading might get one into trouble.
>
> Now I'm not a dev. I have a somewhat basic understanding of SQL and programming languages, but I never code. I might be utterly wrong on the crypt stuff.

Yes, thanks. I had dug this out before, and it's a "bug" introduced by newer versions of PHP. The solution would be to generate a salt on every new password, and to enlarge the password field.
I haven't had much time to work on openupload and fix a few annoying bugs that are still there.

Alessandro
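As an added illustration of the fix Alessandro describes (not OpenUpload's own code), the snippet below shows the old unsalted-inner-crypt pattern from Ferry's report next to a replacement that uses a random salt per password and refuses to store a hash the column cannot hold. The column width `PASSWORD_COLUMN_WIDTH` is an assumed value for the enlarged field; the PHP functions `password_hash()` and `password_verify()` are real standard-library calls.

```php
<?php
// Pattern reported in the thread: the inner crypt() has no salt, so the
// algorithm chosen (and thus the output length) depends on the PHP build and
// OS, and the result may silently overflow a varchar(100) column.
// Kept only for contrast; PHP 8 made the salt argument mandatory, so this
// call no longer even compiles there.
function legacyHash(string $password): string
{
    return crypt($password, crypt($password));
}

// Assumed width of the enlarged password column. bcrypt output is 60 chars,
// but PASSWORD_DEFAULT may change in future PHP releases, so the PHP manual
// recommends leaving room (255 is the usual choice).
const PASSWORD_COLUMN_WIDTH = 255;

// Hardened replacement: password_hash() generates a fresh random salt for
// each call and embeds algorithm, cost and salt in the string it returns, so
// the stored value verifies the same way on any machine running PHP.
function storeHash(string $password): string
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    if ($hash === false || strlen($hash) > PASSWORD_COLUMN_WIDTH) {
        // Fail loudly rather than let MySQL drop trailing characters, which
        // is exactly what made every login fail in the original report.
        throw new RuntimeException('password hash does not fit the password column');
    }
    return $hash;
}

// Login check against the stored hash; the salt is read from the hash itself.
function checkLogin(string $password, string $storedHash): bool
{
    return password_verify($password, $storedHash);
}

// Demo with a constructed password.
$pw = 'correct horse battery staple';
$stored = storeHash($pw);
printf("stored hash length: %d\n", strlen($stored));
printf("correct password verifies: %s\n", checkLogin($pw, $stored) ? 'yes' : 'no');
printf("wrong password verifies: %s\n", checkLogin('wrong', $stored) ? 'yes' : 'no');
```

Existing rows written with the legacy pattern still need a migration: verify against the old scheme once at login, then overwrite the row with `storeHash()`.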