Last modified: 2014-07-30 20:51:40 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T70389, the corresponding Phabricator task for complete and up-to-date bug report information.
First Last Prev Next    This bug is not in your last search results.
Bug 68389 - MD5 is obsolete
MD5 is obsolete
Status: RESOLVED DUPLICATE of bug 28419
Product: MediaWiki
Classification: Unclassified
User login and signup (Other open bugs)
unspecified
All All
: Unprioritized normal (vote)
: 1.24.0 release
Assigned To: Nobody - You can work on this!
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2014-07-22 18:24 UTC by scott
Modified: 2014-07-30 20:51 UTC (History)
4 users (show)

See Also:
Web browser: ---
Mobile Platform: ---
Assignee Huggle Beta Tester: ---

Attachments
Changes includes/User.php (1.80 KB, text/x-c)
2014-07-22 18:24 UTC, scott 		Details
Small corrections (2.11 KB, patch)
2014-07-22 18:31 UTC, scott 		Details
Add an attachment (proposed patch, testcase, etc.)

Description scott 2014-07-22 18:24:11 UTC 
Created attachment 16000 [details]
Changes includes/User.php

Using md5() for passwords is risky. I've attached a backwards compatible patch to support password_hash() and password_verify().
Comment 1 scott 2014-07-22 18:31:17 UTC 
Created attachment 16001 [details]
Small corrections
Comment 2 scott 2014-07-22 18:32:31 UTC 
I'm submitting the patches here instead of git because:

$ git push
Username for 'https://gerrit.wikimedia.org': scott@arciszewski.me
Password for 'https://scott@arciszewski.me@gerrit.wikimedia.org':
fatal: Authentication failed for 'https://gerrit.wikimedia.org/r/p/mediawiki/cor
e.git/'
Comment 3 Chris Steipp 2014-07-22 18:53:53 UTC 
Hi Scott,

The discussion about this has been going on for a long time, and should be resolved with Gerrit change #77645. There was more acceptance of pbkdf2 instead of bcrypt, but bcrypt is an easy option to configure.

Thanks for being eager to contribute! You need to use your gerrit username instead of your email address when you submit the patch. You can also use https://tools.wmflabs.org/gerrit-patch-uploader/.

*** This bug has been marked as a duplicate of bug 28419 ***
Comment 4 scott 2014-07-22 18:55:21 UTC 
Whoops, a search for MD5 didn't return any results. I'm not sure why. :(
Comment 5 Matthew Flaschen 2014-07-30 20:51:40 UTC 
Scott, for future patches, there are instructions for getting started with Gerrit at https://www.mediawiki.org/wiki/Gerrit/Getting_started
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.

Navigation
Links