From 390441d3b939b4b4818a819c7eb58515c3c5da30 Mon Sep 17 00:00:00 2001
From: mark_story
Date: Mon, 26 May 2014 23:20:12 -0400
Subject: [PATCH] Accept older blowfish hashes.

Both `2a` and `2x` are valid types of blowfish hashes, that while being older should be accepted.

Backport 00c94bd582b83f8b92228b750aea0e8816a4ea89 from 3.x to 2.5.x, I see this as a bug fix as it fixes incompatibilities with hashes created by hash_password().

Refs #3575
---
 lib/Cake/Utility/Security.php | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/lib/Cake/Utility/Security.php b/lib/Cake/Utility/Security.php
index d9185b466..86f93506e 100644
--- a/lib/Cake/Utility/Security.php
+++ b/lib/Cake/Utility/Security.php
@@ -277,7 +277,12 @@ class Security {
 $salt = vsprintf('$2a$%02d$%s', array(self::$hashCost, $salt));
 }
- if ($salt === true || strpos($salt, '$2a$') !== 0 || strlen($salt) < 29) {
+ $invalidCipher = (
+ strpos($salt, '$2y$') !== 0 &&
+ strpos($salt, '$2x$') !== 0 &&
+ strpos($salt, '$2a$') !== 0
+ );
+ if ($salt === true || $invalidCipher || strlen($salt) < 29) {
 trigger_error(__d(
 'cake_dev',
 'Invalid salt: %s for %s Please visit http://www.php.net/crypt and read the appropriate section for building %s salts.',
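Review bot: The prefix test on the added `$invalidCipher` lines now runs unconditionally, ahead of the `$salt === true` guard that used to short-circuit it in the removed line, so `strpos()` is called on a boolean whenever `$salt` is `true` — a silent coercion on the PHP 5 this branch targets, but a change in evaluation order and a TypeError once the code meets strict typing. Keeping the test inside the condition preserves the old order and reads as one line: `if ($salt === true || !preg_match('/^\$2[axy]\$/', $salt) || strlen($salt) < 29) {`. It is also worth documenting why `$2x$` is accepted at all: PHP assigns that prefix to hashes produced by the pre-5.3.7 crypt_blowfish sign-extension bug, so verifying against them exercises the weakened algorithm, and a comment such as `// $2x$ hashes predate PHP 5.3.7's crypt_blowfish fix; accepted only so existing hashes still verify — rehash with $2y$ after a successful check` keeps it from being mistaken for a blessed format. Note that the context line above still mints new salts with `$2a$`, whereas the PHP manual recommends `$2y$` for 5.3.7 and later, so the rehash advice applies to freshly generated hashes too. The enclosing method begins and ends outside this hunk.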