
Build PHP hash and session modules by default
Needs Revision (Public)

Authored by feld on Mar 29 2017, 12:20 PM.

Details

Reviewers
tz
ale
antoine
Group Reviewers
portmgr
Summary

There is a known bug affecting FreeBSD which causes a security setting
(session.hash_function) to always be set to md5 because we do not build
these modules into core php by default.

The result is that it is impossible to use a different session hash function on
FreeBSD. Any software expecting a better hash function does not get
correct results on FreeBSD.

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=202591

Test Plan

build, test, run, upgrade

Diff Detail

Repository
rP FreeBSD ports repository
Lint
No Linters Available
Unit
No Unit Test Coverage
Build Status
Buildable 8360
Build 8630: arc lint + arc unit

Event Timeline

feld created this revision. Mar 29 2017, 12:20 PM
feld updated this revision to Diff 26765. Mar 29 2017, 12:22 PM

somehow www/node012 leaked into this diff... fixed my tree, re-submitted.

tz accepted this revision. Mar 29 2017, 12:38 PM

Hello feld,

thanks for working on this. It slips steadily under my focus and workload :/

I'm unsure about the change of PHP 7.1. Since the diff should solve PR 202591, it's worth noticing that the directive "session.hash_function" was removed in PHP 7.1. The change wouldn't be needed to get the security, but it would be consequent. So I'm in slight favor of your change.

Greetings,
Torsten

feld added a comment. Mar 29 2017, 1:01 PM

Correct, php71 is getting the change for consistency only. Honestly, hash and session modules are so commonly used it should be of no consequence to include them.

antoine requested changes to this revision. Mar 29 2017, 1:35 PM
antoine added a subscriber: antoine.

The following lines look wrong:

hash_DEPENDS= lang/php${PHP_VER}
session_DEPENDS=lang/php${PHP_VER}

PHP_EXT_INC should be used instead.

This revision now requires changes to proceed. Mar 29 2017, 1:35 PM
tz added a comment. Sep 16 2019, 8:00 PM

Please notice: the hash module is gone in PHP 7.4. It's part of the core and can't be disabled anymore. You find details here:
https://reviews.freebsd.org/D21349
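
The check below is an added example, not part of this revision or of the FreeBSD ports tree: for PHP before 7.1 it classifies a session ID by its length and alphabet, showing whether the configured session.hash_function took effect or PHP fell back to md5 as the summary describes. The function names and the short algorithm table are assumptions of this example.

```shell
#!/bin/sh
# Added example: did session.hash_function take effect (PHP < 7.1)?
LC_ALL=C; export LC_ALL   # keep bracket ranges such as a-v byte-exact

# Digest size in bits for a session.hash_function value. 0 and 1 are PHP's
# built-in md5/sha1; the names need the hash module. Table is illustrative.
digest_bits() {
    case "$1" in
        0|md5)            echo 128 ;;
        1|sha1)           echo 160 ;;
        sha256)           echo 256 ;;
        sha384)           echo 384 ;;
        sha512|whirlpool) echo 512 ;;
        *)                return 1 ;;
    esac
}

# ID length = ceil(digest bits / session.hash_bits_per_character).
sid_length() {
    bits=$(digest_bits "$1") || return 1
    case "$2" in 4|5|6) ;; *) return 1 ;; esac
    echo $(( ($bits + $2 - 1) / $2 ))
}

# classify_sid ALGO BITS_PER_CHAR SESSION_ID
# Prints ok, md5-configured, md5-fallback, unexpected-length, bad-charset
# or bad-config (the last also returns 2).
classify_sid() {
    want=$(sid_length "$1" "$2") || { echo bad-config; return 2; }
    md5len=$(sid_length md5 "$2")
    case "$2" in
        4) allowed='0-9a-f' ;;
        5) allowed='0-9a-v' ;;
        6) allowed='0-9a-zA-Z,-' ;;
    esac
    case "$3" in *[!$allowed]*) echo bad-charset; return 0 ;; esac
    if [ "${#3}" -eq "$md5len" ]; then
        # md5-sized ID: fine only if md5 is what was asked for
        if [ "$want" -eq "$md5len" ]; then echo md5-configured
        else echo md5-fallback; fi
    elif [ "${#3}" -eq "$want" ]; then
        echo ok
    else
        echo unexpected-length
    fi
}

# Command-line use: sh script ALGO BITS_PER_CHAR SESSION_ID
if [ "$#" -eq 3 ]; then classify_sid "$@"; fi
```

Pass the algorithm and session.hash_bits_per_character from php.ini together with a session cookie value the server issued; `md5-fallback` means the configured function is not the one in use.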