ircmaxell / PHP-PasswordLib

A library for generating and validating passwords

createPasswordHash() broken on PHP >= 5.3.7 #3

Open gjuric opened 12 years ago

gjuric commented 12 years ago
PasswordLib::createPasswordHash($password, $prefix = '$2a$')

Uses '$2a$' as a default prefix if none is specified. The factory then cycles through the available implementations and compares the $prefix with $implementation::getPrefix(), but Blowfish returns '$2y$' on newer versions of PHP, which makes PasswordLib throw a \DomainException('Unsupported Prefix Supplied') exception.

public static function getPrefix() {
    if (version_compare(PHP_VERSION, '5.3.7') >= 0) {
        return '$2y$';
    } else {
        return '$2a$';
    }
}
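As an added illustration of the mismatch described in this issue (not PasswordLib's own code: the Blowfish and Factory classes and verify() below are hypothetical stand-ins, and the salt generation assumes PHP 7+ for random_bytes()):

```php
<?php
// Added illustration of the prefix mismatch reported in this issue. Class and
// function names are hypothetical stand-ins, not PasswordLib's own code.
final class Blowfish
{
    // Same logic as the getPrefix() quoted in the issue: PHP >= 5.3.7 ships
    // the corrected bcrypt and identifies it with '$2y$' instead of '$2a$'.
    public static function getPrefix()
    {
        return version_compare(PHP_VERSION, '5.3.7') >= 0 ? '$2y$' : '$2a$';
    }
    public static function hash($password)
    {
        // 22-character salt from the bcrypt alphabet [./A-Za-z0-9], cost 10.
        $salt = substr(strtr(base64_encode(random_bytes(16)), '+', '.'), 0, 22);
        return crypt($password, self::getPrefix() . '10$' . $salt);
    }
}
final class Factory
{
    // Broken: the hard-coded '$2a$' default never equals Blowfish::getPrefix()
    // on PHP >= 5.3.7, so the lookup in create() falls through to the exception.
    public static function createBroken($password, $prefix = '$2a$')
    {
        return self::create($password, $prefix);
    }
    // Fixed: with no explicit prefix, defer to the implementation's own prefix.
    public static function createFixed($password, $prefix = null)
    {
        return self::create($password, $prefix === null ? Blowfish::getPrefix() : $prefix);
    }
    private static function create($password, $prefix)
    {
        foreach (array('Blowfish') as $impl) {
            if ($impl::getPrefix() === $prefix) {
                return $impl::hash($password);
            }
        }
        throw new \DomainException('Unsupported Prefix Supplied');
    }
}
// Old '$2a$' hashes need no prefix lookup to verify: crypt() reads the
// algorithm from the stored hash, and hash_equals() avoids timing leaks.
function verify($password, $hash)
{
    return hash_equals($hash, crypt($password, $hash));
}
try { Factory::createBroken('secret'); } catch (\DomainException $e) { echo $e->getMessage(), "\n"; }
var_dump(verify('secret', Factory::createFixed('secret')), verify('wrong', Factory::createFixed('secret')));
```

On PHP >= 5.3.7 the first call prints the exception message while createFixed() produces a '$2y$' hash that verifies; existing '$2a$' hashes still verify through crypt() without going through the factory.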
zemiak commented 12 years ago

I second that, what's the reason for changing the prefix anyway?

gjuric commented 12 years ago

The reason is explained here -> http://www.php.net/security/crypt_blowfish.php, but a workaround should be available in PasswordLib; unfortunately there is still no answer. I am working on a new project currently, so it doesn't bother me that much, but if you plan on mixing environments or have old passwords that you have to support, this is going to be a problem.

If ircmaxell does not respond soon I will put this at the end of my huge TODO list to work out a solution and submit a patch.