01421: crypt() deprecated, but still in pmwiki.php core

Summary: crypt() deprecated, but still in pmwiki.php core
Created: 2017-09-30 07:37
Status: Closed
Category: PHP Compatibility
From: XES
Assigned:
Priority: 4
Version: 2.2.102
OS: PHP 7.0.19-1 / Apache 2.4.25 / Debian 9 Stretch

Description: crypt() is deprecated.

Apache error log reports:

PHP Deprecated:  crypt(): Supplied salt is not valid for DES. Possible bug in provided salt format. \
            in /home/www/wikifarm/pmwiki/pmwiki.php on line 489

Associated pmwiki.php lines containing crypt(): 489 & 492

function pmcrypt($str, $salt=null) {
  if (!is_null($salt)) return crypt($str, $salt);
  if (function_exists('password_hash'))
    return password_hash($str, PASSWORD_DEFAULT);
  return crypt($str);
}

XES September 30, 2017, at 07:37 AM


It may want the salt changed/updated, because the only warnings I see for the error message are PHP 5.6.5+:

5.6.5
When the failure string "*0" is given as the salt, "*1" will now be returned for consistency with other crypt implementations. Prior to this version, PHP 5.6 would incorrectly return a DES hash.

http://php.net/manual/en/function.crypt.php XES September 30, 2017, at 07:48 AM

Also possibly related: hash_equals() for password matches, PHP 5.6+. http://php.net/manual/en/function.hash-equals.php

I don't see any information that crypt() will become deprecated. Just PHP gets more and more inflexible about what can be passed as an argument (like with htmlspecialchars, class declaration, preg_replace...). PmWiki for years relied on, and had documented or included, the use of $DefaultPasswords['admin'] = '*'; because it was allowed and worked fine: you can never have an actual password hash that is "*" so this effectively locked the password until the administrator updates the script files. Same for a few page files where the attributes passwdread= and/or passwdedit= were set to "*" (Site.AuthUser, SiteAdmin.GroupAttributes). If you see that message then it is likely that some of your php scripts contain $DefaultPasswords['something'] = '*';, or some of your farm or field wikilib.d and/or wiki.d files contain passwdsomething=*. In all these cases replace the star * with @lock.

I've documented these over the years every time I had to update PmWiki, but unfortunately existing local scripts and page files need to be updated by the administrator. --Petko September 30, 2017, at 10:05 AM

Found, thank you: To document the fix: There was 1 line in an old wiki.d file in the offending wiki:

wiki.d/PmWiki.GroupAttributes:6:passwdattr=*

To find it, I ran this bash command:

egrep -rn 'passwd' wiki.d/*

Also may be helpful to document additional commands that can be run from the pmwiki directory to find similar issues:

egrep -rn 'DefaultPasswords' cookbook/*
egrep -rn 'DefaultPasswords' local/*
egrep -rn 'DefaultPasswords' pub/*

I'll close the issue. Thank you. Not sure why it threw a "Deprecated" notification.

XES October 01, 2017, at 12:48 PM
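
The search described in this thread, tightened so that it reports only values that are exactly "*" (an added example, not part of the original posts or of PmWiki). The function names and the sample tree are constructed for illustration; the directory names are the ones mentioned above.

```shell
#!/usr/bin/env bash
# Added example: report legacy "*" password locks in a PmWiki tree.

# find_star_locks ROOT: print file:line:text for each "*" lock under ROOT.
find_star_locks() {
  local root=$1 dir
  # Page files keep one attribute per line (e.g. "passwdattr=*"). The ^ anchor
  # skips page text that merely mentions the attribute inside a text= line.
  for dir in wiki.d wikilib.d; do
    [ -d "$root/$dir" ] || continue
    grep -rnE '^passwd[a-z]+=\*[[:space:]]*$' "$root/$dir" || true
  done
  # Scripts: $DefaultPasswords['x'] = '*'; with either quote style.
  for dir in local cookbook pub; do
    [ -d "$root/$dir" ] || continue
    grep -rnE "DefaultPasswords\[[^]]*\][[:space:]]*=[[:space:]]*['\"]\*['\"]" \
      "$root/$dir" || true
  done
}

# count_star_locks ROOT: number of findings; 0 means nothing left to replace.
count_star_locks() {
  find_star_locks "$1" | wc -l | tr -d ' '
}

# make_sample_tree: build a constructed sample tree and print its path.
make_sample_tree() {
  local t
  t=$(mktemp -d)
  mkdir -p "$t/wiki.d" "$t/local" "$t/cookbook"
  cat > "$t/wiki.d/PmWiki.GroupAttributes" <<'EOF'
name=PmWiki.GroupAttributes
passwdattr=*
passwdedit=@lock
text=Older docs suggested passwdread=* to lock a page.
EOF
  cat > "$t/local/config.php" <<'EOF'
<?php
$DefaultPasswords['admin'] = '*';
$DefaultPasswords['edit'] = '@lock';
EOF
  printf '%s\n' "$t"
}

# Stand-alone use: ./find-star-locks.sh /path/to/pmwiki
if [ "$#" -gt 0 ]; then find_star_locks "$1"; fi
```

Each reported line is a place where the star should be replaced with @lock; a count of 0 means the tree no longer passes "*" to crypt() as a salt.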