Opened 4 years ago
Closed 3 years ago
#51549 closed enhancement (fixed)
Update to phpass 0.5
Reported by: | ayeshrajans | Owned by: | desrosj |
---|---|---|---|
Milestone: | 5.8 | Priority: | normal |
Severity: | normal | Version: | |
Component: | External Libraries | Keywords: | has-patch commit |
Focuses: | | Cc: | |
Description
WordPress currently uses PHPass library version 0.3.
This is over 10 years old now, and the latest version is 0.5. It doesn't dramatically improve the password hashing mechanism as it would have with a password_hash migration. However, I believe updating to 0.5 still brings some strict comparison improvements made in the new version.
https://www.openwall.com/phpass/
WordPress's copy of phpass was modified over time.
All changes need to be rebased onto version 0.5 as well.
(patch to follow)
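The "strict comparison" point above is the difference between PHP's loose `==` and strict `===` when two hash strings are compared. The script below is an added example written for this page; it is not phpass or WordPress code. It uses two well-known md5 "magic hash" preimages (constructed inputs) whose hex digests both start with `0e` followed only by digits, so PHP treats them as numeric strings equal to the float 0. The function names are arbitrary; `hash_equals()` is PHP's own constant-time comparison and is shown only as the idiomatic modern alternative, not as what phpass does.

```php
<?php
// Added example (not phpass or WordPress code): loose vs strict comparison
// of hash strings in PHP, and a constant-time check for comparison.

// Loose comparison, as in older PHP code. When both operands are numeric
// strings, PHP compares them as numbers, so any two "0e<digits>" strings
// compare equal even though their bytes differ.
function loose_hash_match(string $computed, string $stored): bool
{
    return $computed == $stored;
}

// Strict comparison: same type and same bytes, no numeric coercion.
function strict_hash_match(string $computed, string $stored): bool
{
    return $computed === $stored;
}

// Constant-time comparison (PHP >= 5.6). Not what phpass uses; shown as
// the idiomatic choice when comparing secret-derived strings.
function constant_time_hash_match(string $computed, string $stored): bool
{
    return hash_equals($stored, $computed);
}

// Runs all three checks for a candidate password against a stored md5 hex
// digest and returns the verdicts so the difference is visible side by side.
function compare_all(string $candidate, string $stored): array
{
    $computed = md5($candidate);
    return [
        'bytes_identical' => ($computed === $stored),
        'loose'           => loose_hash_match($computed, $stored),
        'strict'          => strict_hash_match($computed, $stored),
        'constant_time'   => constant_time_hash_match($computed, $stored),
    ];
}

// Constructed inputs: two classic md5 magic-hash preimages. Their digests are
// different hex strings, but both are of the form 0e<digits>.
$stored_hash = md5('240610708');   // hypothetical stored legacy md5 hash
$wrong_password = 'QNKCDZO';       // a different string with a 0e... digest
$right_password = '240610708';

print_r(compare_all($wrong_password, $stored_hash));
print_r(compare_all($right_password, $stored_hash));
```

For the wrong password, only the loose check reports a match; the strict and constant-time checks reject it, and the right password passes all three. Hashes in phpass's `$P$` format start with a non-digit and can never be parsed as numeric strings, so the coercion only bites when bare hex digests (for example legacy md5 hashes) are compared with `==`; moving to `===` removes that class of false match regardless of hash format.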
Attachments (2)
Change History (9)
#3 (4 years ago)
- Milestone changed from Awaiting Review to 5.8
Requesting security feedback on this one so that we could move it forward.
#4 (3 years ago)
Thanks @ayeshrajans!
In the interest of keeping the library as consistent with the upstream library as possible, I think the first WP-specific change could probably be omitted in the update. It looks like the PHP4-style constructor has been added to the official library and only the inline comment is different in WP now.
#6 (3 years ago)
- Keywords commit added; 2nd-opinion removed
- Status changed from assigned to reviewing
I've discussed with some other members of the security team, and this one seems like a fine update.
51549.diff is the same as @ayeshrajans's patch with one exception. I removed the inline comments for the two constructor functions to bring the WordPress copy of the library more in line with the upstream version. When that adjustment was made to Core, the PHP 5 type constructor was not included in the upstream library. Now that it is, I think it makes more sense to remove it in favor of consistency.
Only the last two modifications in your list above should now be relevant.
Updated to phpass 0.5 from upstream, and applied wp-specific customizations