Page MenuHomeFreeBSD

Build PHP hash and session modules by default
Needs RevisionPublic

Authored by feld on Mar 29 2017, 12:20 PM.


Group Reviewers

There is a known bug affecting FreeBSD which causes a security setting
(session.hash_function) to always be set to md5 because we do not build
these modules into core php by default.

The result it is impossible to use a different session hash function on
FreeBSD. Any software expecting a better hash function does not get
correct results on FreeBSD.

Test Plan

build, test, run, upgrade

Diff Detail

rP FreeBSD ports repository
No Linters Available
No Unit Test Coverage
Build Status
Buildable 8360
Build 8630: arc lint + arc unit

Event Timeline

somehow www/node012 leaked into this diff... fixed my tree, re-submitted.

Hello feld,

thanks for working on this. It slips steadily under my focus and workload :/

I'm unsure about the change of PHP 7.1. Since the diff should solve PR 202591 its worth noticing, that the directive "session.hash_function" was removed in PHP 7.1. The change wouldn't be needed to get the security, but it would be consequent. So i'm in slight favor of your change.


Correct, php71 is getting the change for consistency only. Honestly, hash and session modules are so commonly used it should be of no consequence to include them.

antoine requested changes to this revision.Mar 29 2017, 1:35 PM
antoine added a subscriber: antoine.

The following lines look wrong:

hash_DEPENDS= lang/php${PHP_VER}

PHP_EXT_INC should be used instead.

This revision now requires changes to proceed.Mar 29 2017, 1:35 PM

Please notice: the hash module is gone in PHP 7.4. Its part of the core and can't be disabled anymore. You find details here: