Posted by Richard Lynch on 04/01/05 10:05
On Thu, March 31, 2005 1:06 pm, Chris Francy said:
> I am hoping someone can point me in the right direction to resolving an odd
> bug. I tried searching the bugs database and groups, but I can't think of
> the terms to use while searching for my problem that the search system will
> accept.
>
> I have a script like the below, copied from the crypt manual page
> ---
> <?php if (CRYPT_MD5 == 1) { var_dump(crypt('rasmuslerdorf', '$1$rasmusle$')); } ?>
> ---
>
> On my main web server, which is running php 4.3.10 with apache this script
> produces the following when I view the page on the web
> ---
> string(13) "$1Hat1hn6A1pw"
> ---
>
> When I run the script from the command line [php test.php] on the exact same
> server I get
> ---
> string(34) "$1$rasmusle$rISCgZzpwk3UhDidwXvin0"
> ---

Here's what's happening:

When your Apache user runs this script, it is using whatsit encryption
(DES?) that uses the 2-character salt. Which is why it starts with '$1',
the first two characters of the salt you wanted to use.

When *YOU* run it, you're getting the whatsit encryption (Blowfish?) that
you actually wanted.

This has *NOTHING* to do with dollar signs, single quotes, or double quotes.

If you 'su' to the web user (if you have root and can do that) you'd
probably find the same behaviour from the command line.

Somehow, the Apache User is not able to find, or read, or execute,
whatever it takes to use Blowfish (or whatever it is you want) but it
*CAN* find, read, and execute the thingie to do DES (2-char salt).

So what you gotta look for is something that isn't $path-ed or chmod-ed
right for the Apache User to be able to find ($path) and read/execute
(chmod) permissions.

I don't really understand how the OS finds/decides what encryption
algorithms and makes them available to applications/users, but that's
definitely the broken bit, for what that's worth.

--
Like Music?
http://l-i-e.com/artists.htm
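
Added example, not part of the original post or of PHP itself: a check that flags a crypt() result which came back as a 13-character, 2-character-salt hash although the salt asked for an "$id$" scheme, run over the salt and the two outputs quoted in the thread. The function names crypt_scheme, crypt_fell_back and checked_crypt are hypothetical.

```php
<?php
// Added example (not from the thread). Function names are hypothetical.

// Scheme implied by the "$id$" prefix of a crypt() salt or hash.
function crypt_scheme(string $s): string
{
    if (strncmp($s, '$1$', 3) === 0) {
        return 'md5';
    }
    if (preg_match('/^\$2[abxy]?\$/', $s) === 1) {
        return 'blowfish';
    }
    return 'des'; // no "$id$" prefix: traditional DES, 2-character salt
}

// True when a non-DES salt produced a 13-character DES-style hash that
// starts with the first two characters of that salt.
function crypt_fell_back(string $salt, string $hash): bool
{
    return crypt_scheme($salt) !== 'des'
        && crypt_scheme($hash) === 'des'
        && strlen($hash) === 13
        && strncmp($hash, $salt, 2) === 0;
}

// Wrapper that refuses to return a hash from a scheme the salt did not ask for.
function checked_crypt(string $password, string $salt): string
{
    $hash = crypt($password, $salt);
    if (crypt_scheme($hash) !== crypt_scheme($salt)) {
        throw new RuntimeException('crypt() did not use the requested scheme');
    }
    return $hash;
}

// The salt and the two outputs quoted in the thread.
$salt = '$1$rasmusle$';
$outputs = [
    'apache' => '$1Hat1hn6A1pw',
    'cli'    => '$1$rasmusle$rISCgZzpwk3UhDidwXvin0',
];
foreach ($outputs as $where => $hash) {
    printf("%-6s scheme=%-4s fell_back=%s\n", $where, crypt_scheme($hash),
        crypt_fell_back($salt, $hash) ? 'yes' : 'no');
}
```

Calling checked_crypt() wherever password hashes are created or verified turns a silent change of scheme into an error at the point where it happens, instead of a stored hash that no longer matches across environments.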