|
|
php.net | support | documentation | report a bug | advanced search | search howto | statistics | random bug | login |
PatchesPull RequestsHistoryAllCommentsChangesGit/SVN commits
[2020-06-24 12:04 UTC] nikic@php.net
-Status: Open
+Status: Closed
-Assigned To:
+Assigned To: nikic
[2020-06-24 12:04 UTC] nikic@php.net
|
|||||||||||||||||||||||||||||||||||||
Copyright © 2001-2025 The PHP GroupAll rights reserved. |
Last updated: Mon Jun 02 13:01:26 2025 UTC |
Description: ------------ The crypt() method fails bcrypt test vectors given by Openwall's crypt v1.2. Specifically, when given an invalid identifier, crypt() falls back to CRYPT_STD_DES, even though the first two bytes of the salt do not match the documented "./0-9A-Za-z" range for CRYPT_STD_DES. The expected behavior would be to return *0. I've tested this under PHP 5.3.10 on Zend Server on CentOS 5 and Windows 7. Test script: --------------- <?php // Expect *0, returns $2OahnOya9Dwg echo crypt('', '$2`$05$CCCCCCCCCCCCCCCCCCCCC.') . PHP_EOL; // Expect *0, returns $2OahnOya9Dwg echo crypt('', '$2{$05$CCCCCCCCCCCCCCCCCCCCC.') . PHP_EOL; // Expect *1, returns *0Vh7kctua2ww echo crypt('', '*0') . PHP_EOL; Expected result: ---------------- *0 *0 *1 Actual result: -------------- $2OahnOya9Dwg $2OahnOya9Dwg *0Vh7kctua2ww