Advanced search  

News:

cpg1.5.46 Security release - upgrade mandatory!
The Coppermine development team is releasing a security update for Coppermine in order to counter recently discovered vulnerabilities. It is important that all users who run version cpg1.5.44 or older update to this latest version as soon as possible.
[more]

Pages: [1] 2   Go Down

Author Topic: SMF 2.1 bridge  (Read 11783 times)

0 Members and 1 Guest are viewing this topic.

skulls

  • Coppermine newbie
  • Offline Offline
  • Posts: 9
SMF 2.1 bridge
« on: December 19, 2014, 10:43:32 pm »

2.1 is now in beta release.  Sure it's early but what changes must be done to the bridge config to make it work?  2.1 is using bcrypt.   ;)
Logged

skulls

  • Coppermine newbie
  • Offline Offline
  • Posts: 9
Re: SMF 2.1 bridge
« Reply #1 on: December 24, 2014, 06:40:10 am »

Are there plans to create an updated bridge?  It would be preferable to still be able to use Coppermine, though the upgrade has higher priority along with any bridgable gallery.
Logged

Phill Luckhurst

  • Administrator
  • Coppermine addict
  • *****
  • Country: gb
  • Offline Offline
  • Gender: Male
  • Posts: 4453
    • Windsurf.me
Re: SMF 2.1 bridge
« Reply #2 on: December 24, 2014, 06:44:34 pm »

It's not something that we have looked at yet but I am sure one of the team or someone in the community (hint intended) will look into updating the current bridge.
Logged
It is a mistake to think you can solve any major problems just with potatoes.

pols1337

  • Coppermine frequent poster
  • ***
  • Country: us
  • Offline Offline
  • Gender: Male
  • Posts: 240
Re: SMF 2.1 bridge
« Reply #3 on: December 25, 2014, 01:20:21 am »

Lots of nice things in SMF 2.1
Logged

skulls

  • Coppermine newbie
  • Offline Offline
  • Posts: 9
Re: Re: SMF 2.1 bridge
« Reply #4 on: December 25, 2014, 04:27:02 am »

It's not something that we have looked at yet but I am sure one of the team or someone in the community (hint intended) will look into updating the current bridge.

Awesome!  Thank Phill!


Lots of nice things in SMF 2.1

Indeed!  I'm running it on a small live site.  The users love it!  I have a large forum I'd like to upgrade when the bridge is patched.   8)
Logged

Αndré

  • Administrator
  • Coppermine addict
  • *****
  • Country: de
  • Offline Offline
  • Gender: Male
  • Posts: 15369
Re: SMF 2.1 bridge
« Reply #5 on: December 26, 2014, 09:42:51 pm »

Probably stupid question, but does the bridge needs to be updated at all? Have you already tested to use the existing bridge?
Logged

skulls

  • Coppermine newbie
  • Offline Offline
  • Posts: 9
Re: Re: SMF 2.1 bridge
« Reply #6 on: December 26, 2014, 10:45:43 pm »

Probably stupid question, but does the bridge needs to be updated at all? Have you already tested to use the existing bridge?

Sure have.  The bridge was working on 2.0.9, then no longer after the 2.1 upgrade.  This is on a small site.  I have larger sites to be upgraded soon.   ;)
Logged

lurkalot

  • Administrator
  • Coppermine addict
  • *****
  • Country: gb
  • Offline Offline
  • Gender: Male
  • Posts: 824
  • +Tinyportal Support team.
Re: SMF 2.1 bridge
« Reply #7 on: December 26, 2014, 11:26:16 pm »

I'm sure | tried it with 2.1 sometime back and it worked, haven't tried it with the new beta release yet though, but will as soon as I can get Xampp working again, doh.
Logged
Running SMF 2.0.13  / Tinyportal 1.2, bridged with Coppermine 1.5.34, plus cpmfetch 2.0.0

skulls

  • Coppermine newbie
  • Offline Offline
  • Posts: 9
Re: SMF 2.1 bridge
« Reply #8 on: December 27, 2014, 02:24:43 am »

It hasn't been long since the bcrypt changeover.  May 28 to be precise.  If this helps anyone here is the merge:

https://github.com/SimpleMachines/SMF2.1/pull/1674

Logged

lurkalot

  • Administrator
  • Coppermine addict
  • *****
  • Country: gb
  • Offline Offline
  • Gender: Male
  • Posts: 824
  • +Tinyportal Support team.
Re: SMF 2.1 bridge
« Reply #9 on: December 27, 2014, 10:55:36 am »

It hasn't been long since the bcrypt changeover.  May 28 to be precise.  If this helps anyone here is the merge:

https://github.com/SimpleMachines/SMF2.1/pull/1674

aha, that explains why it no longer works then.  As of now the bridge works in as much as it will log you into SMF 2.1 from Coppermine, but doesn't log you into Coppermine
Logged
Running SMF 2.0.13  / Tinyportal 1.2, bridged with Coppermine 1.5.34, plus cpmfetch 2.0.0

skulls

  • Coppermine newbie
  • Offline Offline
  • Posts: 9
Re: SMF 2.1 bridge
« Reply #10 on: January 13, 2015, 09:51:08 pm »

Any takers on this?   ;D
Logged

skulls

  • Coppermine newbie
  • Offline Offline
  • Posts: 9
Re: SMF 2.1 bridge
« Reply #11 on: January 17, 2015, 05:32:01 am »

Don't everyone jump at once.   ;D  This is the future of SMF if coppermine wishes to stay on board.  ;)
Logged

gmc

  • Dev Team member
  • Coppermine addict
  • ****
  • Country: us
  • Offline Offline
  • Gender: Male
  • Posts: 720
    • GMC Design Photo Gallery
Re: SMF 2.1 bridge
« Reply #12 on: January 18, 2015, 05:12:55 pm »

I am certainly interested in this - as I have a large site/gallery that uses the SMF/CPG bridge..
But remember we are all volunteers - and I know personally I can't jump on this right now...

Don't think we aren't interested - but SMF 2.1 is still 'Alpha' from what I see... This isn't a pressing issue for me just yet.

Greg
Logged
Thanks!
Greg
My Coppermine Gallery
Need a web hosting account? See my gallery for an offer for CPG Forum users.
Send me money

lurkalot

  • Administrator
  • Coppermine addict
  • *****
  • Country: gb
  • Offline Offline
  • Gender: Male
  • Posts: 824
  • +Tinyportal Support team.
Re: Re: SMF 2.1 bridge
« Reply #13 on: January 18, 2015, 06:57:35 pm »

I am certainly interested in this - as I have a large site/gallery that uses the SMF/CPG bridge..
But remember we are all volunteers - and I know personally I can't jump on this right now...

Don't think we aren't interested - but SMF 2.1 is still 'Alpha' from what I see... This isn't a pressing issue for me just yet.

Greg

I'm also going to need this, but I'm told by a reliable source,  it's not going to be a easy task by any means.
Logged
Running SMF 2.0.13  / Tinyportal 1.2, bridged with Coppermine 1.5.34, plus cpmfetch 2.0.0

skulls

  • Coppermine newbie
  • Offline Offline
  • Posts: 9
Re: Re: SMF 2.1 bridge
« Reply #14 on: January 19, 2015, 02:11:51 am »


But remember we are all volunteers

but SMF 2.1 is still 'Alpha' from what I see.

Greg


Indeed.  Not to sound unappreciative, but at least there is life crackling here.    ;)
 

http://www.simplemachines.org/community/index.php?topic=530233.0

It's happening.   ;D


I'm also going to need this, but I'm told by a reliable source,  it's not going to be a easy task by any means.

Then we should get started!  lol

Logged

pols1337

  • Coppermine frequent poster
  • ***
  • Country: us
  • Offline Offline
  • Gender: Male
  • Posts: 240
Re: SMF 2.1 bridge
« Reply #15 on: January 23, 2015, 02:24:57 am »

But if the life does stop crackling, there's always Aeva Media for Wedge or the new Levertine Gallery. 
Logged

lurkalot

  • Administrator
  • Coppermine addict
  • *****
  • Country: gb
  • Offline Offline
  • Gender: Male
  • Posts: 824
  • +Tinyportal Support team.
Re: SMF 2.1 bridge
« Reply #16 on: January 23, 2015, 07:11:06 pm »

But if the life does stop crackling, there's always Aeva Media for Wedge or the new Levertine Gallery.

But that's nothing to do with Coppermine.  Actually I already use Levertine Gallery.  ;)

In fact the author of Levgal was my reliable source mentioned above.  He should know what he's talking about, as he coded most of SMF 2.1 in the first place. ;)
Logged
Running SMF 2.0.13  / Tinyportal 1.2, bridged with Coppermine 1.5.34, plus cpmfetch 2.0.0

keithsnell1

  • Coppermine newbie
  • Offline Offline
  • Posts: 14
Re: Re: Re: SMF 2.1 bridge
« Reply #17 on: November 19, 2015, 05:44:23 pm »

I'm also going to need this, but I'm told by a reliable source,  it's not going to be a easy task by any means.

Any update on developing a bridge for SMF 2.1?  I'm in the process of updating a large website to SMF 2.0.  The site is currently bridged with Coppermine.  I don't want to continue down a path that is in imminent danger of breaking.  If Coppermine's bridge to SMF will break with SMF 2.1, then I'd rather know that now so I can spend my time implementing another solution. 

So...does anyone know if work is being done on a bridge with SMF 2.1?

Thanks,
Keith
Logged

lurkalot

  • Administrator
  • Coppermine addict
  • *****
  • Country: gb
  • Offline Offline
  • Gender: Male
  • Posts: 824
  • +Tinyportal Support team.
Re: Re: Re: SMF 2.1 bridge
« Reply #18 on: November 19, 2015, 07:43:53 pm »

Any update on developing a bridge for SMF 2.1?  I'm in the process of updating a large website to SMF 2.0.  The site is currently bridged with Coppermine.  I don't want to continue down a path that is in imminent danger of breaking.  If Coppermine's bridge to SMF will break with SMF 2.1, then I'd rather know that now so I can spend my time implementing another solution. 

So...does anyone know if work is being done on a bridge with SMF 2.1?

Thanks,
Keith

Arantor who wrote most of SMF 2.1 was going to help me with this, but unfortunately (for us) he got himself new employment which is taking up most of his time.  Not sure it'll be an easy task (or possible) especially if Coppermine does the password hashing inside the SQL - that won't work in 2.1 because of the new password method which must be done PHP-side.

I also need this bridge.  We already adapted a version of Tinyportal 2 for SMF 2.1 beta 2. http://cctestsite.info/testsite3/  So when SMF 2.1 goes gold I'll want to switch asap.
Logged
Running SMF 2.0.13  / Tinyportal 1.2, bridged with Coppermine 1.5.34, plus cpmfetch 2.0.0

gmc

  • Dev Team member
  • Coppermine addict
  • ****
  • Country: us
  • Offline Offline
  • Gender: Male
  • Posts: 720
    • GMC Design Photo Gallery
Re: SMF 2.1 bridge
« Reply #19 on: November 19, 2015, 09:44:39 pm »

OK... let's hash this out... (pun intended...)
What SMF did appears to be this:
Code: [Select]
Use bcrypt for passwords and SHA-512 for cookies
Shift from sha256(sha1(lower(username) . password)) to password_hash(sha1(lower(username) . password), PASSWORD_BCRYPT) which is a PHP 5.5 implementation of a costly bcrypt based algorithm (added a back porting library as well which makes it compatible till minimum of PHP 5.3.7). This is much slower and more secure than a simple one pass sha256.

Also, the cookies are shifted from sha256(password . salt) to sha512(password . salt) to give them that extra spice of security.
Reference from: https://github.com/Dragooon/SMF2.1/commit/6c5c3b11bab0037d0e1a846912cc0b51c0772b1f

Please correct me if I'm wrong - but I don't think we really care about the password logic change - as we route any login/logout requests directly to SMF... The bridge code in smf20.inc.php does contain a password algorithm specified for 'name of the password field' - but not clear where we would ever use it...
The function "udb_hash_db($password)" is marked 'unused'...
I wouldn't expect the login function from udb_base.inc.php to even be used.

So is the issue the change from sha256 to sha512 for the cookies?
There is a session_extraction() function - but this doesn't even reference sha256 today...
I'd need to dig deeper here - unless someone can point me in right direction.

If I can better understand the issue - certainly willing to help..
(I don't have a 2.1 forum to play with yet - but I can fix that shortly...)

Greg
Logged
Thanks!
Greg
My Coppermine Gallery
Need a web hosting account? See my gallery for an offer for CPG Forum users.
Send me money
Pages: [1] 2   Go Up
 

Page created in 0.025 seconds with 21 queries.