From dd865c4c6604d037f6293807f0f822838ffefd13 Mon Sep 17 00:00:00 2001
From: Max-Julian Pogner <max-julian@pogner.at>
Date: Sat, 8 Apr 2017 20:54:45 +0200
Subject: [PATCH] PassHash.class.php: in case of brcrypt, use the most recent
 variant $2y$

This change breaks compatibility with php 5.3.7, but a standing
requirement for at least php 5.6 is declared in composer.json.

If the php documentation is to be believed, this change increases
security against pass-the-hash type attacks. (I do not have the knowledge
to assess the security differences between $2a$ and $2y$).

As a Sidenote: htpasswd shipped with apache2 2.4.10 (and probably,
other versions), when used with the -B (=bcrypt) option, produces hashes
marked with $2y$.

Notwithstanding the actual support or non-support of $2a$ by the
apache2 'AuthUserFile' directive, the apache 2.4 documentation only
asserts support for the $2y$ bcrypt variant.
Therefore, this commit would make it possible for dokuwiki and apache2
basic authentication to share the same password file, in the case when
bcrypt is used.
---
 inc/PassHash.class.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/inc/PassHash.class.php b/inc/PassHash.class.php
index 7ef068799..d24cc75e5 100644
--- a/inc/PassHash.class.php
+++ b/inc/PassHash.class.php
@@ -537,7 +537,7 @@ class PassHash {
 
         if(is_null($salt)) {
             if($compute < 4 || $compute > 31) $compute = 8;
-            $salt = '$2a$'.str_pad($compute, 2, '0', STR_PAD_LEFT).'$'.
+            $salt = '$2y$'.str_pad($compute, 2, '0', STR_PAD_LEFT).'$'.
                 $this->gen_salt(22);
         }
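Review bot: The new `$2y$` literal on the added line makes salt generation depend on a `crypt()` build that understands the corrected bcrypt identifier (PHP 5.3.7 or later, as the description notes), yet nothing in the hunk checks `CRYPT_BLOWFISH` before the salt is built; if such a guard exists it lies outside the visible lines. A why-comment above the `$salt =` assignment would spare the next maintainer a trip through the commit log, e.g. `// $2y$ is the corrected bcrypt identifier (PHP >= 5.3.7); stored $2a$ hashes keep verifying because their salt is supplied by the caller, not built here`. Because the prefix is only assigned inside `if(is_null($salt))`, the change affects newly generated hashes only, which is worth stating explicitly in the comment. The enclosing PassHash method begins before and ends after this hunk, so the surrounding `crypt()` call and the output of `gen_salt(22)` cannot be checked from here.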
 
-- 
GitLab