Hi,

Lorenzo Hernandez Garcia-Hierro wrote:
Hi,

I've started coding the new security library.
Please check out or update your copy of the repository.
The library will be under /security .
Cheers.
PS: I also modified line 382 (session hashing function) in
/include/session.php to use a more complex
hashing method.
Please refer to the CVS for more information.

I have a few comments regarding your changes:

  1)  Your change to frontend/php/include/session.php (in
      session_set_new()) completely breaks session handling - time()
      does not accept parameters.  I believe you meant to use gmtime()
      here, no?

  2)  Your use of md5() is confusing.  md5() is not a crypt()-like
      function.  It simply hashes a string - no salt is needed.
      Furthermore, the second [boolean] parameter to md5() enables
      raw-binary (as opposed to hexadecimal) representation of the MD5
      sum (which, in turn, completely changes the function of
      session_set_new() and not just the algorithm it uses).


Also, your addition of frontend/php/security/security-lib.php (I'm
talking about the XOR encoding function, here) seems to be aiming more
toward security through obscurity than...  well any other purpose.

By using this function you are not only A) telling all search engines
you do not want their business and B) telling visitors without
javascript-enabled browsers you do not want their business either.

You are also making any page that Savane generates non-HTML compliant
for the purpose of "security."

There's also a problem (IMHO) with introducing the body of that function
(_fwk_filter_encrypt) into Savane:

  1)  I have seen many revisions of that particular function many times
      in the last couple of years, one example is sitting beside me in a
      PHP book (copyright A-LIST, LLC).

  2)  A search on Google for "_fwk_filter_encrypt" bears more examples,
      each with different copyright owners.

Now, the problem that I have, with this piece of code, is that of
copyright.  Either it is copyright by you (OK) or it is not (not OK).
If the former, that's cool, you can license the code under any license
you choose; however, in the latter case you are not the copyright holder
and therefore cannot place the code under the GPL.

I don't mean the above personally.  I'm just concerned that code I have
seen before (copyright someone else) is now showing up in Savane minus
that copyright attribution, plus your attribution...


Regards,
Elfyn

--
+------------------------------------------+
|  Elfyn McBratney, EMCB  |                |
|  mailto:[EMAIL PROTECTED]  |       (-:      |
|  http://www.emcb.co.uk  |                |
+------------------------------------------+

This penguin is:
  Linux london 2.6.3-241-emcb i686 GNU/Linux
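The md5() point in the reply above is easy to verify on any PHP install. The script below is an added illustration, not code from the Savane repository or from either author; the seed string and the function names are constructed for the example. It shows that the second argument of md5() changes the type of the result (16 raw bytes, which can include NUL and other non-printable bytes, instead of a 32-character hex string), so switching it on silently changes what session_set_new() hands back to the rest of the application. It also shows what a session identifier should be built from instead of a hashed timestamp.

```php
<?php
// Added example, not part of the Savane code base or of the thread above.

// Hex form: 32 ASCII hexadecimal characters, safe to put in a cookie.
function sessionHashHex(string $seed): string
{
    return md5($seed);
}

// Raw form: md5()'s second parameter set to true returns the 16 digest
// bytes themselves, not their hex spelling.
function sessionHashRaw(string $seed): string
{
    return md5($seed, true);
}

// Does the value consist only of printable ASCII? A raw digest usually
// does not, which is what breaks cookie and string handling downstream.
function isPrintableAscii(string $value): bool
{
    return preg_match('/^[\x20-\x7E]*$/', $value) === 1;
}

// What a session identifier should come from: CSPRNG output, not a hash
// of the time. bin2hex() keeps it cookie-safe. (Assumes PHP 7+.)
function newSessionId(): string
{
    return bin2hex(random_bytes(16));
}

$seed = 'constructed-example-seed';           // constructed, not a real seed

$hex = sessionHashHex($seed);
$raw = sessionHashRaw($seed);

printf("hex: %d chars, printable: %s\n", strlen($hex), isPrintableAscii($hex) ? 'yes' : 'no');
printf("raw: %d bytes, printable: %s\n", strlen($raw), isPrintableAscii($raw) ? 'yes' : 'no');

// The raw bytes are the same digest, only the representation differs.
var_dump(bin2hex($raw) === $hex);             // bool(true)

// A fresh identifier per call, 32 hex characters, unrelated to the clock.
$id = newSessionId();
printf("session id: %s (%d chars)\n", $id, strlen($id));
```

Running it prints a 32-character printable hex string for the first call and a 16-byte value containing non-printable bytes for the second, and `bin2hex($raw) === $hex` holds, which is exactly why the boolean flag must not be used where a string identifier is expected.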


