If in php.ini, session.hash_function is set to sha256 and php56-session and php56-hash are installed, the SHA-256 hash function should be used for session cookies. However, this does not work leaving the user with only MD5 and SHA-1 choices and defaulting to MD5. According to https://bugs.php.net/bug.php?id=65315, php56-session should be build with --enable-hash and the port should probably runtime-require the php56-hash port, if the hash functions are not linked into the session module.
Adding ports-secteam, tz@ and myself to this. This is a serious problem with our PHP packaging.
This is still a thing. It seems like hash and session support needs to be built into php core to make this feature work. In our current setup the session hash function always falls back to md5. The following warning is generated with an attempt to change it to sha512 (even though hash_algos() lists is as a valid hash function): Warning: ini_set(): session.configuration 'session.hash_function' must be existing hash function. sha512 does not exist. Some additional background can be found at https://bugs.php.net/bug.php?id=53789
For me it seems to make most sense if we add the hash-module as runtime dependency for the session-module. We can make it an defaulted option thought some people don't want this binding. Your opinions?
tz@ I don't know how that would help? I have installed and loaded both session and hash extensions and it still doesnt work. The problem seems that it has to be compiled into the core php :/
Now i understand the problem more clearly, thanks for the pointer! After giving this some more thoughts: i don't see why we shouldn't ship the default modules of PHP with lang/php56 (70 and 71). At the beginning i was always baffled when i needed to install sessions or other modules which should be there by default. But it is a little bit hard to convert the existing infrastructure. We need to enable the default modules by default, remove the no longer needed modules from the portstree and update various ports. So we should be very strong about that it solves the issue. I would support the idea just because its a security issue. I can't to any work this week. I'm on the bare minimum because of illness. So if somebody would take the start i will join in next week!
(In reply to Torsten Zuehlsdorff from comment #5) I'm not sure it would be so difficult. We would remove the ports for these modules, update the main php port to include them in the build, update MOVED, and then alter Mk/Uses/php.mk to have these modules point back to the main php port. This still allows expression of USE_PHP=sessions and have it "just work".
any further thoughts on this, tz@?
php*-session could depend on php*-hash, but keep in mind that php*-session are loaded before everything else, php*-hash would need to be loaded even earlier.
I don't understand what you mean. If we compile php-session and php-hash into the main php binary there isn't a loading order issue to sort out, is there? Unless I'm forgetting something about how PHP handles extensions...
@feld - thanks for popping up the PR! Your suggestion seems fine to me. But elaborate the suggestion of mat a little more and make session depending on hash: wouldn't it be a solution to change the module load order? Currently i see: ls -lah /usr/local/etc/php/ total 188 drwxr-xr-x 2 root wheel 40B 22 Dez. 18:04 . drwxr-xr-x 42 root wheel 88B 12 Jan. 13:10 .. -rw-r--r-- 1 root wheel 26B 14 Dez. 13:28 ext-10-opcache.ini -rw-r--r-- 1 root wheel 21B 14 Dez. 12:31 ext-18-session.ini [..] -rw-r--r-- 1 root wheel 18B 14 Dez. 13:05 ext-20-hash.ini What if we change ext-20-hash.ini to ext-17-hash.ini and create the dependency? Wouldn't this solve the problem and isn't less invasive?
(In reply to Torsten Zuehlsdorff from comment #10) I tried this approach, it didn't help: $ mv ext-20-hash.ini ext-17-hash.ini $ service apache24 restart $ cat /var/log/apache/php.log [12-Jan-2017 22:57:37 UTC] PHP Warning: PHP Startup: session.configuration 'session.hash_function' must be existing hash function. sha256 does not exist. in Unknown on line 0 $ pkg info | grep php mod_php56-5.6.29 PHP Scripting Language php56-5.6.29 PHP Scripting Language php56-ctype-5.6.29 The ctype shared extension for php php56-dom-5.6.29 The dom shared extension for php php56-hash-5.6.29 The hash shared extension for php php56-iconv-5.6.29 The iconv shared extension for php php56-json-5.6.29 The json shared extension for php php56-mbstring-5.6.29 The mbstring shared extension for php php56-mysqli-5.6.29 The mysqli shared extension for php php56-openssl-5.6.29 The openssl shared extension for php php56-readline-5.6.29 The readline shared extension for php php56-session-5.6.29 The session shared extension for php php56-sockets-5.6.29 The sockets shared extension for php php56-xml-5.6.29 The xml shared extension for php php56-xmlreader-5.6.29 The xmlreader shared extension for php php56-zlib-5.6.29 The zlib shared extension for php on a custom build PHP package with following flags: $ cat /usr/local/etc/poudriere.d/11_0-RELEASE-options/lang_php56/options # This file is auto-generated by 'make config'. # Options for php56-5.6.29 _OPTIONS_READ=php56-5.6.29 _FILE_COMPLETE_OPTIONS_LIST=CLI CGI FPM EMBED PHPDBG DEBUG DTRACE IPV6 MAILHEAD LINKTHR ZTS OPTIONS_FILE_SET+=CLI OPTIONS_FILE_SET+=CGI OPTIONS_FILE_SET+=FPM OPTIONS_FILE_UNSET+=EMBED OPTIONS_FILE_UNSET+=PHPDBG OPTIONS_FILE_UNSET+=DEBUG OPTIONS_FILE_UNSET+=DTRACE OPTIONS_FILE_SET+=IPV6 OPTIONS_FILE_UNSET+=MAILHEAD OPTIONS_FILE_SET+=LINKTHR OPTIONS_FILE_UNSET+=ZTS
(In reply to packet from comment #11) One thing I forgot to mention: I did not customize the port itself, I especially did not add the dependency from php56-session to php56-hash.
I also doubt it could be this simple, looking at the code in https://github.com/php/php-src/blob/php-5.6.29/ext/session/session.c#L327 The PS_HASH_FUNC_OTHER branch is completely removed from the switch block if hash dynamically loaded.
Thanks for the test. So no module - it must be part of the php core. I will test something myself this week. :)
Just a short sidenote: the ini directive "session.hash_function" was removed in PHP 7.1. So we need a solution for PHP 5.6 and 7.0 only.
(In reply to Mark Felder from comment #6) Are there any rejections to my original proposal here?
I swear I had a review for this, but I guess not. Here's my attempt: https://reviews.freebsd.org/D11141
Expired port removed (problem not relevant for PHP 7.1+ )