Bug #6551 :: Secret key in conf.php not taken into account

Package home | Report new bug | New search | Development Roadmap

Status: Open | Feedback | All | Closed Since Version 0.16.14

Bug #6551	Secret key in conf.php not taken into account
Submitted:	2006-01-22 18:54 UTC
From:	goethals_d at hotmail dot com	Assigned:	lsmith
Status:	Closed	Package:	LiveUser
PHP Version:	5.0.4	OS:	WXP
Roadmaps:	(Not assigned)
Subscription	Your email:

Comments Add Comment Add patch

[2006-01-22 18:54 UTC] goethals_d at hotmail dot com

Description:
------------
Set encryption mode to RC4 in configuration file.
If the secret key is set to 'test', I can login. If I modify the secret key to 'word' without changing the DB contents, I can still login.
Note that the password encrypted with LiveUser::Crypt_RC4 or the password encrypted with PEAR::Crypt_RC4 using the same secret key do not match.

Test script:
---------------
conf.php
        ...
        'authContainers' => array(
            array(
                'type'          => 'MDB2',
                'expireTime'    => 3600, 
                'idleTime'      => 1800, 
                'allowDuplicateHandles' => 0,
                'allowEmptyPasswords'   => 0, 
                'passwordEncryptionMode'=> 'RC4',
                'secret'        => 'test',
        ...

Comments

[2006-01-23 12:29 UTC] lsmith

This bug has been fixed in CVS.

If this was a documentation problem, the fix will appear on pear.php.net by the end of next Sunday (CET).

If this was a problem with the pear.php.net website, the change should be live shortly.

Otherwise, the fix will appear in the package's next release.

Thank you for the report and for helping us make PEAR better.

There was an error in the way the $secret property was defined.