php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #73058 crypt broken when salt is 'too' long
Submitted: 2016-09-09 13:35 UTC Modified: 2016-09-10 01:18 UTC
From: sjon at hortensius dot net Assigned: ab (profile)
Status: Closed Package: hash related
PHP Version: 7.1.0RC1 OS:
Private report: No CVE-ID: None
View Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: sjon at hortensius dot net
New email:
PHP Version: OS:

 

 [2016-09-09 13:35 UTC] sjon at hortensius dot net 
Description:
------------
$pass = 'secret';
$salt = '$2y$07$usesomesillystringforsalt$';

var_dump(crypt($pass, $salt));

* as demonstrated on https://3v4l.org/kuAJO

Test script:
---------------
* works with shorter salt: https://3v4l.org/O654F
* fails with longer salt: https://3v4l.org/dvgnq (includes CRYPT_SALT_LENGTH)

Expected result:
----------------
string(60) "$2y$07$usesomesillystringforex.u2VJUMLRWaJNuw0Hu2FvCEimdeYVO"

Actual result:
--------------
string(2) "*0"

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2016-09-09 14:23 UTC] requinix@php.net
-Status: Open +Status: Verified -Assigned To: +Assigned To: ab
 [2016-09-09 14:23 UTC] requinix@php.net 
Looks like it was caused by the fix for bug #72703.
https://github.com/php/php-src/commit/295303b59059536079caf68b4d76acf2149bd42c
 [2016-09-09 15:22 UTC] cmb@php.net 
Indeed, Damian.

Anatol, with regard to the fix[1]: it seems to me, that it would
suffice to check that the actual salt is not empty, i.e. to do the
following instead:

    if (salt[7] == '$') {
        return NULL;
    }

[1] <https://github.com/php/php-src/commit/295303b5>
 [2016-09-10 01:18 UTC] ab@php.net
-Status: Verified +Status: Closed
 [2016-09-10 01:18 UTC] ab@php.net 
Christoph,

yeah, that's a better approach. I also completely forgot about the hacks with '$' in crypt(). Re-fixed with 669fda00b75a0d361810429e0ef53f6c740b1727.

Thanks.
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved. 		Last updated: Sat Oct 25 04:00:01 2025 UTC