andi:1468782428 wrote
sayravai:1468596014 wrote
I don't quite see why the Mysql and Postgres Auth plugins need to be replaced
Because they are no longer PHP7 compatible and consist of messy, untested code...
Last week I got exactly this problem when migrating an old Ubuntu 12.04/PHP5 system to a newer 16.04/PHP7.0 one.
To keep things running, I had to remember the good old days and hacked the authmysql to use mysqli calls only.
Opening the database changed a little bit; the other calls only needed reordering. It works for me now.
I know that this hacking surely adds a new security risk to the old ones; that's why I will not publish my hack.
But if someone sends me an email with an "I understand, no warranties" agreement, I would give it away.
IMO the basic problem here with the new authpdo plugin is:
There are (old & insecure) implementations of "MD5+static salt" encryptions in real applications such as MyBB or,
in my case, Moodle before v2.5 (luckily I also upgraded my Moodle to 3.0.5, which uses bcrypt).
Additionally there are a lot of variants out there, see
http://security.stackexchange.com/a/11751 for details.
In all these cases the old authmysql
checkPass() call with forwardClearPass=1 was the ideal - but insecure - solution:
handling MD5 with a static salt could be done individually in the SELECT statement, as sayravai stated above.
This is impossible with authpdo in the current state.
If you really want to support this old encryption scheme, you could add two conf settings:
$conf['md5salt'] = 'ABC123...'; // static site wide salt
$conf['md5call'] = 'md5($pass . $md5salt)'; // old Moodle style, sayravai has a different one
and use the second one before comparing if the first one is not empty.
This is just an idea; I don't know if it's possible to create a real call
from a string in PHP and if this would fit in your plugin.
If you adopt my idea, I could send you some test data from my old Moodle system
within the next 3 weeks - hopefully the remaining time of my old Hetzner server. ;-)
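An added example, not andi's hack and not authpdo's own code, of how the two settings sketched in the post could be realised without building a call from a configuration string: the legacy "MD5 + static site-wide salt" variants are a fixed table of named closures, the comparison is constant-time, and a successful legacy login yields a bcrypt hash to replace the MD5 one. The setting names `md5salt` and `md5scheme`, the function names and the sample salt are assumptions made here.

```php
<?php
// Added example for an authpdo-style legacy check; written for PHP 7.0 (no arrow functions).
// Assumed (hypothetical) settings: $conf['md5salt'] and $conf['md5scheme'].

/** Named legacy schemes. Supporting another variant means adding a closure here, not eval()'ing config. */
function legacy_md5_schemes() {
    return [
        // old Moodle (< 2.5) style: md5(password . site-wide salt)
        'moodle' => function ($pass, $salt) { return md5($pass . $salt); },
        // MyBB style: md5(md5(salt) . md5(password))
        'mybb'   => function ($pass, $salt) { return md5(md5($salt) . md5($pass)); },
        // unsalted md5, the simplest of the variants listed on security.stackexchange
        'plain'  => function ($pass, $salt) { return md5($pass); },
    ];
}

/**
 * True if $pass matches $storedHash under the configured legacy scheme.
 * Only active when md5salt is non-empty, which is the condition the post proposes.
 */
function legacy_check_pass(array $conf, $pass, $storedHash) {
    if (($conf['md5salt'] ?? '') === '') {
        return false; // legacy path disabled: caller falls through to the normal check
    }
    $schemes = legacy_md5_schemes();
    $name = $conf['md5scheme'] ?? 'moodle';
    if (!isset($schemes[$name])) {
        return false; // unknown scheme name: refuse rather than guess
    }
    $computed = $schemes[$name]($pass, $conf['md5salt']);
    // constant-time compare; strtolower tolerates upper-case hex from old database dumps
    return hash_equals(strtolower($storedHash), $computed);
}

/** After a successful legacy login, produce the bcrypt hash that should replace the MD5 one. */
function legacy_rehash($pass) {
    return password_hash($pass, PASSWORD_BCRYPT);
}

// Constructed sample data: the salt, password and hash below are made up for this demo.
$conf   = ['md5salt' => 'ABC123', 'md5scheme' => 'moodle'];
$stored = md5('correct horse' . 'ABC123');
var_dump(legacy_check_pass($conf, 'correct horse', $stored));
var_dump(legacy_check_pass($conf, 'wrong password', $stored));
if (legacy_check_pass($conf, 'correct horse', $stored)) {
    echo legacy_rehash('correct horse'), PHP_EOL; // store this and drop the MD5 hash
}
```

The rehash step is what lets the legacy path be switched off again once every user has logged in once.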