Bug #55439 crypt() returns only the salt for MD5
Submitted: 2011-08-17 13:03 UTC Modified: 2011-08-22 21:28 UTC
Votes:9
Avg. Score:4.6 ± 0.8
Reproduced:8 of 8 (100.0%)
Same Version:2 (25.0%)
Same OS:4 (50.0%)
From: jo at feuersee dot de Assigned: stas (profile)
Status: Closed Package: *Encryption and hash functions
PHP Version: 5.3.7RC5 OS: Linux
Private report: No CVE-ID: None
 [2011-08-17 13:03 UTC] jo at feuersee dot de
Description:
------------
If crypt() is executed with MD5 salts, the return value consists of the salt only.
DES and BLOWFISH salts work as expected.

I tested with php from openSUSE PHP5 repository

> php -v
PHP 5.3.7RC6-dev (cli)
> rpm -q php5
php5-5.3.6.201108112132-94.1.x86_64

Test script:
---------------
printf("MD5: %s\n", crypt('password', '$1$U7AjYB.O$'));


Expected result:
----------------
MD5: $1$U7AjYB.O$L1N7ux7twaMIMw0En8UUR1

Actual result:
--------------
MD5: $1$U7AjYB.O

Patches

80 (last revision 2011-09-20 04:05 UTC by michaeloses_18 at hotmail dot com)

 [2011-08-19 10:12 UTC] noel dot butler at ausics dot net
This is a confirmed bug in stable release 5.3.7
 [2011-08-19 11:03 UTC] tomp at tomp dot co dot uk
Hi,

We have also experienced this problem with the official release of PHP 5.3.7.
 [2011-08-19 11:15 UTC] pajoye@php.net
-Status: Open +Status: Assigned -Assigned To: +Assigned To: stas
 [2011-08-19 11:15 UTC] pajoye@php.net
stas, could you look at this issue please? It could be related to our latest 
changes there.
 [2011-08-19 21:16 UTC] jo at feuersee dot de
Verified for PHP5.3.7 
> php -v
PHP 5.3.7 (cli) 

> php -r 'printf("%s\n", crypt("password"));'
$1$p4uaO1jN

Note that only the salt is returned.

AFAIK MD5 is the default encryption type.

The big problem is that if an application stores these hashes in a database and uses them for authentication, the problem with this bug is that 
$valid = crypt($pw, $crypt);
will always be TRUE regardless of $pw

We do have a serious problem here. I suggest recalling 5.3.7 and going for a 5.3.7pl1
 [2011-08-19 21:32 UTC] jo at feuersee dot de
Uhm ok the PHP code wasn't correct but I think you get the point:
If crypt() only stores the salt then crypt($pw, $salt) will return the salt and comparing this to $pw is useless as the salt is a constant regardless of $pw.
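The authentication consequence described in the two comments above, as an added example that is not part of the original thread or of PHP's source. `salt_only_crypt`, `md5crypt_is_complete`, `naive_verify` and `strict_verify` are hypothetical names; the first is a constructed model of the reported behaviour, and the format check can also be used to find rows written while a broken build was deployed.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of the reported 5.3.7 behaviour for "$1$" settings:
 * only "$1$" plus the salt comes back. Not PHP's code. */
static const char *salt_only_crypt(const char *pw, const char *setting,
                                   char *out, size_t outsz)
{
    (void)pw;                              /* password never reaches the output */
    out[0] = '\0';
    if (strncmp(setting, "$1$", 3) != 0) return out;
    size_t n = strcspn(setting + 3, "$");  /* salt ends at '$' or end of string */
    if (n > 8) n = 8;
    snprintf(out, outsz, "$1$%.*s", (int)n, setting + 3);
    return out;
}

/* Complete MD5-crypt value: "$1$" + up to 8 salt chars + "$" + 22 digest chars. */
static int md5crypt_is_complete(const char *h)
{
    static const char set[] =
        "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
    if (strncmp(h, "$1$", 3) != 0) return 0;
    size_t salt_len = strcspn(h + 3, "$");
    if (salt_len > 8 || h[3 + salt_len] != '$') return 0;
    const char *digest = h + 3 + salt_len + 1;
    return strlen(digest) == 22 && strspn(digest, set) == 22;
}

/* Re-hash with the stored value as the setting and compare, as applications do. */
static int naive_verify(const char *pw, const char *stored)
{
    char buf[32];
    return strcmp(salt_only_crypt(pw, stored, buf, sizeof buf), stored) == 0;
}

/* Fail closed: a stored value without a full digest never authenticates. */
static int strict_verify(const char *pw, const char *stored)
{
    return md5crypt_is_complete(stored) && naive_verify(pw, stored);
}

int main(void)
{
    const char *row = "$1$U7AjYB.O";       /* "Actual result" from the report */
    printf("naive: %d %d  strict: %d\n", naive_verify("password", row),
           naive_verify("not-the-password", row), strict_verify("password", row));
    return 0;
}
```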
 [2011-08-19 22:19 UTC] stas@php.net
Confirming, some very recent update broke it - right now unit tests fail on SVN. I 
wonder if nobody ran it before release?
 [2011-08-19 22:49 UTC] stas@php.net
Automatic comment from SVN on behalf of stas
Revision: http://svn.php.net/viewvc/?view=revision&revision=315218
Log: Unbreak crypt() (fix bug #55439)
# If you want to remove static analyser messages, be my guest,
# but please run unit tests after
 [2011-08-19 22:50 UTC] stas@php.net
-Status: Assigned +Status: Closed
 [2011-08-19 22:50 UTC] stas@php.net
This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.

fixed, thanks
 [2011-08-20 01:32 UTC] noel dot butler at ausics dot net
Thanks stas, confirmed fixed in snapshot 201108200030
 [2011-08-20 08:48 UTC] info at onlime dot ch
thanks for fixing this (in my eyes) release critical bug. Are you going to release an official 5.3.7pl1 soon?
I'm not able to deploy a SVN/snapshot release on our webservers. It simply doesn't look good. Our customers rely on stable PHP releases. I would very much appreciate a pl1 release.
 [2011-08-20 09:09 UTC] pajoye@php.net
Yes, we will release 5.3.7pl1 or 5.3.8
 [2011-08-23 08:09 UTC] johannes@php.net
Automatic comment from SVN on behalf of johannes
Revision: http://svn.php.net/viewvc/?view=revision&revision=315338
Log: Merge r315218 - Unbreak crypt() (fix bug #55439) (stas)
 [2011-08-23 17:45 UTC] christoph_m at gmx dot net
Hi,
I looked at the code changes. strlcat(passwd, "$", 1); was replaced by 
strcat(passwd, "$"); In my opinion that is the same behavior as before. Both 
functions append the string "$" and add the terminating NUL-Character. 

This is my first look into the PHP-repository and this bugtracker ;)

KR
christoph
 [2011-08-23 18:44 UTC] christoph_m at gmx dot net
Ok, strlcat() includes the length for the terminating NUL-Byte. So, the bugfix 
should be ok.
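The `strlcat()` size semantics discussed in the two comments above, as an added example that is not code from the PHP source tree. `demo_strlcat` is a local stand-in with BSD `strlcat()` semantics (assumed here so the block builds without libbsd), and `append_sep` is a hypothetical helper that uses the salt prefix from the report.

```c
#include <stdio.h>
#include <string.h>

/* Local stand-in with BSD strlcat() semantics so this builds without libbsd:
 * `size` is the full size of dst, not the number of bytes to append. */
static size_t demo_strlcat(char *dst, const char *src, size_t size)
{
    size_t dlen = 0, slen = strlen(src);
    while (dlen < size && dst[dlen] != '\0') dlen++;
    if (dlen == size) return size + slen;   /* no room: dst is left untouched */
    size_t room = size - dlen - 1;          /* space left before the NUL */
    size_t n = slen < room ? slen : room;
    memcpy(dst + dlen, src, n);
    dst[dlen + n] = '\0';
    return dlen + slen;                     /* >= size means truncation */
}

/* Append the '$' after the salt three ways. buf must hold at least 16 bytes.
 * mode 0: strlcat(.., 1), the call quoted in the thread
 * mode 1: strcat, as in the fix; mode 2: strlcat with the real buffer size */
static const char *append_sep(int mode, char *buf, size_t bufsz)
{
    snprintf(buf, bufsz, "%s", "$1$U7AjYB.O");   /* salt prefix from the report */
    if (mode == 0)      demo_strlcat(buf, "$", 1);
    else if (mode == 1) strcat(buf, "$");
    else                demo_strlcat(buf, "$", bufsz);
    return buf;
}

int main(void)
{
    char buf[32];
    for (int mode = 0; mode < 3; mode++)
        printf("mode %d -> %s\n", mode, append_sep(mode, buf, sizeof buf));
    return 0;
}
```

Mode 2 keeps the bounds check that mode 1 gives up; the return value of `demo_strlcat` reports truncation when it is greater than or equal to `size`.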
 [2012-04-18 09:49 UTC] laruence@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=4f980905a0bff94807ea07cb897c0e4cd4e6b83f
Log: Unbreak crypt() (fix bug #55439) # If you want to remove static analyser messages, be my guest, # but please run unit tests after
 [2021-04-27 18:32 UTC] test at test dot cz
The following pull request has been associated:

Patch Name: Extract functions to classes
On GitHub:  https://github.com/php/web-master/pull/12
Patch:      https://github.com/php/web-master/pull/12.patch
 