View Issue Details

IDProjectCategoryView StatusLast Update
0017569phplist applicationInstallationpublic06-07-15 18:04
Reporterduncanc 
PrioritynormalSeverityminorReproducibilityalways
Status resolvedResolutionfixed 
Product Version3.0.10 
Target Version3.0.XFixed in Version3.2.0 
Summary0017569: Small config.php and extended config.php use different hash algorithms
DescriptionWhen trying to track a problem by switching between using the short config.php and the full config.php I found that I could not login as admin.

On investigation it appears that when you use the short config.php then phplist uses md5 as the hashing algorithm. Whereas the full config file explicitly states sha256 as the algorithm. So switching between them is going to be a problem.

This code in init.php line 191 sets the algorithm when both ENCRYPTPASSWORD and ENCRYPTION_ALGO are not defined, which is the case when using the small config file.

if (!defined("ENCRYPTPASSWORD")) {
  ## old method to encrypt, used to be with md5, keep like this for backward compat.
  if (!defined('ENCRYPTION_ALGO')) {
    define('ENCRYPTION_ALGO','md5');
  }
# define("ENCRYPTPASSWORD",0);
}

But I don't understand why this block is present and what the comment about backward compatibility means. That has been dealt with by the preceding code at line 177.
TagsNo tags attached.

Activities

michiel

24-03-15 13:47

manager   ~0055982

ENCRYPTPASSWORD has been around longer than ENCRYPTION_ALGO

when ENCRYPTPASSWORD was there by itself, the hash was md5
then when ENCRYPTION_ALGO was introduced, this was defaulted to sha256 unless ENCRYPTPASSWORD was set.

But then later on the config file was reduced to make it simpler.

I guess it will depend on the history of the config file. Some of them go back many years.

Hmm, I'm not entirely sure how to resolve this. If someone has a config with ENCRYPTPASSWORD and therefore uses md5, if I default this now to sha256 things will stop working.

Probably adding the ENCRYPTION_ALGO to the small config will solve it for new installs, by setting it to sha256 there.

michiel

24-03-15 13:51

manager   ~0055983

added to config.php