A word of caution if you are using RHEL6 / CentOS6
This distro still uses (and will continue to use) PHP 5.3.x This version is supported by RHEL and will be until the version goes EOL in about 4 years. It is possible to use a newer version of PHP via the Software Collections, or more esoteric solutions such as the Remi repos, but there may be some who are on contracts, or say for compliance issues, who cannot do so, and some who just plain and simple don’t want to go messing with their nice stable server.
I have just run a test install of phplist 3.3.1 (seems to be double the size of 3.2.7!)
All I saw was a blank page.
After debugging it transpires that the PHP version has been upped, but not consistently.
What is REALLY annoying is there is absolutely no on screen warning about this, nor anything in the logs, so at first you just think you have some standard PHP error.
Wasted a good few hours of my time trying to figure what the issue was when a simple ‘Your version of PHP is not supported’ would have been the polite and professional way to error.
Even worse is you DO get a warning IF you manage to figure out the problem AND login. Completely and utterly pointless if the code won’t run to let you login…
The issue seems to lie in random.php It tries to use the following:
* In order of preference:
* 1. Use libsodium if available.
* 2. fread() /dev/urandom if available (never on Windows)
* 3. mcrypt_create_iv($bytes, MCRYPT_DEV_URANDOM)
* 4. COM('CAPICOM.Utilities.1')->GetRandom() (Windoze only)
* 5. openssl_random_pseudo_bytes() (absolute last resort)
Notes:
-
Can’t find a php libsodium that can be installed on less than PHP 5.4.x
if (extension_loaded(‘libsodium’)) {
// See random_bytes_libsodium.php
if (PHP_VERSION_ID >= 50300 &&
is_callable(’\Sodium\randombytes_buf’))
It appears you cannot get a version of libsodium for the RH supported version of PHP 5.3.3 so actually this check for versions greater than 50300 is pretty pointless. If you do want to look version 1.0.2 would be the one. I’ve tried… but seems every version out there has been pulled. Minimum is 1.0.5 from what I can see and that needs PHP 5.4+
-
/dev/urandom is not usually exposed - not a great idea at the best of times. Could be got round if you have root access and can create a node in the phplist dir. Wouldn’t be available on a lot of cloud installs
-
mcrypt PHP >= 50307 (not sure why this version particularly). You can login if you change this to 050303
-
COM - Windoze only fallback
-
openssl section no longer appears to exist with no explanation?
If all of those fail then we should fall through to this section:
/* We don't have any more options, so let's throw an exception right now
* and hope the developer won't let it fail silently.
*/
function random_bytes($length)
{
throw new Exception(
'There is no suitable CSPRNG installed on your system'
);
The comment is ironic as it does indeed fail silently. No errors. Nothing at all. No idea why.
Note that you can cheat and make PHPList work by changing the required PHP version in the mcrypt section from 50307 to 50303 as noted above. However I am not sure of the ramifications of this.
As far as I can see, apart from the big red irrelevant warning once logged in, stuff seems to function without breaking. However security somewhere is key.
I had a look at other options e.g. https://github.com/paragonie/sodium_compat which is a compatibility layer for libsodium but I had a quick look and could not make it work, but then I am no coder.
Clearly the writing is on the wall and it is time for me to move on. Been a great product to use as I like to be in control of my own data and not leave it at the mercy of some cloudy provider, but all good things come to an end. Shame it is in such a messy fashion.
3.2.7 will be my last version (ironic that you want people to upgrade for supposed security, but many when they can’t will continue to use their ‘unsecure’ version). After that it is so long, and thanks for all the fish.
Rgds
John
CC phplist-developers