Comments (9)
Please do not try this in a production environment.
Movim upgraded to 0.24 and the same Bcrypt error message is still seen at login.
I edited line 157 of app/Session.php to make the following change:
public static function hashSession(string $username, string $password, string $host): string
{
// return $username . "\0" . $password . "\0" . $host;
return $username . "\e" . $password . "\e" . $host;
}
Finally, the bcrypt error message was not seen again. Login behavior returns to normal. I don't know if it increases the security risk. It works for me.
When we upgrade PHP to 8.2.18, PHP no longer allows us to use "\0" for the session hash.
I don't know why the '|' was replaced. Isn't that '|' confusing? The user can set the $password; $password might contain a "|", so we don't use '|'? What is the function of the "|" symbol? Is it just a separator? If the character is just to make the code easier to read, we can use other characters. Why did edhelas choose "\0" instead of other characters in 69c2280? Can someone teach me? I am not that familiar with php.
I actually don't know how to fix #1147. According to the description in the PHP manual, a random salt will be generated by password_hash() for each string hashed. We only need to upgrade the php version to above 8.0. The threat mentioned in #1147 no longer exists, even if we have not changed the movim code at all.
from movim.
In app/Session.php:
public static function hashSession(string $username, string $password, string $host): string
{
return $username . "\0" . $password . "\0" . $host;
}
Frankly, this should have been a 0.24 blocker 👀
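An added example (not Movim's code, and not a statement of why edhelas chose "\0" in 69c2280) that illustrates the two points raised above: why a separator byte that can also occur inside a field makes two different (username, password, host) triples join to the same string, including with the "\e" workaround, and one way to feed the triple to password_hash() without any NUL byte. All function and variable names are this example's own assumptions; only password_hash(), password_verify(), hash() and pack() are real PHP functions.

```php
<?php
declare(strict_types=1);

// Added example, not Movim's code: shows the separator-ambiguity problem and a
// NUL-free way to prepare the (username, password, host) triple for bcrypt.
// Function names below are this example's own.

// Plain join with a separator byte, the pattern discussed in the thread.
function joinWithSeparator(string $username, string $password, string $host, string $sep): string
{
    return $username . $sep . $password . $sep . $host;
}

// Length-prefixed encoding: each field is preceded by its 32-bit big-endian
// byte length, so no byte inside a field can be read as a field boundary.
// The result may itself contain NUL bytes (from pack()); it is only ever hashed.
function encodeFields(string ...$fields): string
{
    $out = '';
    foreach ($fields as $field) {
        $out .= pack('N', strlen($field)) . $field;
    }
    return $out;
}

// SHA-256 of the encoded triple as lowercase hex: 64 printable bytes, so it
// contains no NUL and stays below bcrypt's 72-byte input limit.
function sessionPreHash(string $username, string $password, string $host): string
{
    return hash('sha256', encodeFields($username, $password, $host));
}

// Two constructed, different triples: the first has the separator inside the
// password, the second inside the host. With "|" both join to the identical
// string "alice|p|host|example.org".
$first  = ['alice', 'p|host', 'example.org'];
$second = ['alice', 'p', 'host|example.org'];

$joinedFirst  = joinWithSeparator($first[0], $first[1], $first[2], '|');
$joinedSecond = joinWithSeparator($second[0], $second[1], $second[2], '|');
printf("'|' join collides:        %s\n", $joinedFirst === $joinedSecond ? 'yes' : 'no');

// The same happens with ESC ("\e") as the separator if a field contains it.
$escFirst  = joinWithSeparator('alice', "p\ehost", 'example.org', "\e");
$escSecond = joinWithSeparator('alice', 'p', "host\eexample.org", "\e");
printf("\"\\e\" join collides:       %s\n", $escFirst === $escSecond ? 'yes' : 'no');

// Length-prefixed encoding keeps the two triples distinct.
$encFirst  = encodeFields($first[0], $first[1], $first[2]);
$encSecond = encodeFields($second[0], $second[1], $second[2]);
printf("length-prefixed collides: %s\n", $encFirst === $encSecond ? 'yes' : 'no');

// The pre-hash is what reaches bcrypt; password_hash() accepts it because it
// carries no NUL byte, and password_verify() checks it the usual way.
$preHash = sessionPreHash('alice', 'p|host', 'example.org');
$stored  = password_hash($preHash, PASSWORD_BCRYPT);
printf("pre-hash length: %d bytes, verify: %s\n",
    strlen($preHash),
    password_verify($preHash, $stored) ? 'ok' : 'failed');
```

Running it with `php example.php` prints "yes" for both separator joins and "no" for the length-prefixed form, then a 64-byte pre-hash that bcrypt verifies. The design choice is to make the field boundaries explicit (length prefixes) rather than to pick a separator byte nobody is expected to type, and then to hand bcrypt a fixed-length printable digest instead of raw concatenated input.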
I am not that familiar with php. Is there an issue with reverting 69c2280?
Ditto.
I did a git pull on movim last weekend.
[2024-04-19T14:29:30.596724+00:00] movim.ERROR: Bcrypt password must not contain null character
Ubuntu 22.04.4 LTS
nginx version: nginx/1.18.0 (Ubuntu)
PHP 8.3.6 (cli) (built: Apr 11 2024 20:23:38) (NTS)
My instance was running fine until I upgraded my php and did a machine reboot.
There are other users within the Movim MUC that are having the issue as well.
I have the same Bcrypt error message at login
Running Debian 12 Stable with nginx, postgres and PHP current versions.
Seems to be the change: https://fossies.org/diffs/php/8.2.17_vs_8.2.18/ext/standard/password.c-diff.html
I am still on 8.2.17 on Fedora 38 and the issue is not happening (yet).
I have the same Bcrypt error message at login. Manually downgraded php version does not fix errors.
Movim: v0.22.5
OS: Linux version 6.1.0-20-amd64 ([email protected]) (gcc-12 (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40) SMP PREEMPT_DYNAMIC Debian 6.1.85-1 (2024-04-11)
Nginx: 1.22.1-9
PHP: 8.2.18-1~deb12u1
PostgreSQL: 15+248
Frankly, this should have been a 0.24 blocker
👍
I've been asked to report my setup here, for I also reproduce this bug.
OS: Archlinux
Web Server: Apache httpd 2.4.59
PHP: 8.3.6
MariaDB: 11.3.2
P.S. Tried @pic2debug solution - worked like a charm