Solved thread

How to bypass current bug with security->hash on Windows?

In Phalcon 1.3.2 the security->hash is not working as you can see in this discussion on GitHub: https://github.com/phalcon/cphalcon/issues/2277

My question is how to use only php to simulate e.g. this: $hash = $this->security->hash("something");

so, I can use this hack until the issue is resolved in 1.3.3 version.

Any php guys here? My PHP is 5.4.16, therefore I cannot use password_hash()

btw. one guy compiled phalcon with the fix, https://github.com/WooDzu/cphalcon-windows/tree/master/1.3.3%20-%20ALPHA

but it's probably a 64-bit version and I need a 32-bit version or vice-versa. I need a compiled version that is approximately 2,5 MB big and not 2,7 MB big like the version of PhalconPHP 1.3.3 from this guy.



20.1k

Any idea how to solve this issue? I am stuck because I cannot create new users (hash their passwords). Any idea how to fix this bug?



15.7k
Accepted
answer
edited Jul '14

Hi!

I have made a simple extension, but I use it only for developing on Windows! I have no production version yet.

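namespace YourNs;

// Development-only stand-in for \Phalcon\Security: md5 replaces the real password hash.
class Security extends \Phalcon\Security {

    // $workFactor is accepted for signature compatibility but ignored.
    public function hash($password, $workFactor = NULL){
        return md5($password);
    }

    // True when the stored hash equals md5 of the supplied password.
    public function checkHash($password, $passwordHash, $maxPasswordLength = NULL){

        if($passwordHash === md5($password)){
            return true;
        }

        return false;
    }

}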

Inside config/services.php file:

$di->set('security', function(){

    $security = new \YourNs\Security();

    //Set the password hashing factor to 12 rounds
    $security->setWorkFactor(12);

    return $security;
}, true);


20.1k
edited Jul '14

Thanks a lot, could you please explain a little bit further how I can do:

$hash = $this->security->hash("something");

using your code? Or will it just work like that?

Is the first code a component?

Could I place the second code in my bootstrap instead of config/security.php ?

Sorry for my questions, but I am a beginner.



15.7k

Works for my needs while developing. After the bug is issued, the only thing you will need to do is change \YourNs\Security() to \Phalcon\Security() in services.php.



15.7k

Yes, of course. Sorry, I made a mistake in my first post. It should be

Inside config/services.php file:

I have already edited it.



15.7k

Yes, the first code is a component. I put it in my library directory. You can use it the same way as the original Phalcon\Security.

The second code is the bootstrap file services.php :) Sorry for this typo in the first topic.



20.1k
edited Jul '14

Now, it's working, but for some reason it's only 32 characters long. The result of Phalcon security->hash seems to be 61 characters long in the previous versions. Any idea why?



15.7k

Phalcon's hash uses different algorithms; that is why it has more characters.

My solution is a stupid md5 function. Moreover, it's completely insecure, but it is only a bypass for development purposes. I will never use it in my production version - the one I put online on a server available to everyone.

So, in this situation it doesn't matter how long the hash is. The most important thing is that hash() and checkHash() are using the same algorithms to generate and compare hashes.

Sorry for my former replies being without any structure. :)
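
An added example, not part of the original posts and not Phalcon's own code: the same drop-in subclass written with PHP's built-in crypt() and bcrypt instead of md5, so each password gets its own salt and a work factor. The class name BcryptSecurity is hypothetical, and it assumes PHP 5.3.7 or later (for the "$2y$" prefix) with the openssl extension enabled; the result is a 60-character bcrypt string.

```php
<?php
// Added example: bcrypt via crypt() for PHP builds without password_hash().
namespace YourNs;

class BcryptSecurity extends \Phalcon\Security
{
    public function hash($password, $workFactor = null)
    {
        // Per-call factor wins, otherwise the value given to setWorkFactor().
        $cost = $workFactor ? (int) $workFactor : (int) $this->getWorkFactor();
        $cost = max(4, min(31, $cost)); // bcrypt accepts costs 04..31

        $raw = openssl_random_pseudo_bytes(16, $strong);
        if ($raw === false || !$strong) {
            throw new \RuntimeException('No strong random source for the salt');
        }
        // bcrypt salts are 22 chars of [./A-Za-z0-9]; base64 differs only by '+'.
        $salt = substr(str_replace('+', '.', base64_encode($raw)), 0, 22);

        $hash = crypt($password, sprintf('$2y$%02d$%s', $cost, $salt));
        if (!is_string($hash) || strlen($hash) !== 60) {
            throw new \RuntimeException('crypt() did not return a bcrypt hash');
        }
        return $hash;
    }

    public function checkHash($password, $passwordHash, $maxPasswordLength = null)
    {
        if ($maxPasswordLength && strlen($password) > $maxPasswordLength) {
            return false;
        }
        // crypt() reads the algorithm, cost and salt back from the stored hash.
        $computed = crypt($password, $passwordHash);
        if (!is_string($computed) || strlen($computed) < 60
            || strlen($computed) !== strlen($passwordHash)) {
            return false; // failure marker ("*0") or a non-bcrypt stored value
        }
        // Constant-time comparison; hash_equals() only exists from PHP 5.6.
        $diff = 0;
        for ($i = 0, $n = strlen($computed); $i < $n; $i++) {
            $diff |= ord($computed[$i]) ^ ord($passwordHash[$i]);
        }
        return $diff === 0;
    }
}
```

It is registered in services.php the same way as the class above, with \YourNs\BcryptSecurity in place of \YourNs\Security; md5 values stored by the development bypass will not verify against it and have to be re-created.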



20.1k

Ok, thanks for the explanation. It seems that both functions are working, so I can continue in development using Phalcon and hopefully the devs will release this 1.3.3 version including this security issue fixed for Windows. I will be using Linux on my production server, so I hope it will be working there OK, however, it's weird to deal with such security bugs when developing on Windows. Anyway, thank you, your posts helped me a lot and hopefully other beginners too.

In case someone is searching for a "real" replacement of the original Phalcon code, one can use my phalcon-php compatibility layer, which implements the Security class using the original algorithms of the version 1.2.6. To use the class with the C extension the namespace needs to be changed.

I personally do not use Windows, so in case the workaround does not work, I appreciate some feedback, which would also help the original project.

edited Nov '16

Thanks Wenzel, it really helped me out.

I also have the same issue, but I found the solution from iseepassword (https://www.iseepassword.com/), which is a site focused on Windows security issues.