Bug #62488 Invalid bcrypt hash
Submitted: 2012-07-06 03:06 UTC Modified: 2020-09-18 09:18 UTC
Votes:8
Avg. Score:4.6 ± 0.7
Reproduced:7 of 7 (100.0%)
Same Version:4 (57.1%)
Same OS:2 (28.6%)
From: smt837784 at yahoo dot com Assigned: cmb (profile)
Status: Closed Package: *Encryption and hash functions
PHP Version: 5.3.14 OS: Fedora 16 (3.3.4-1.fc16.x86_64)
Private report: No CVE-ID: None
 [2012-07-06 03:06 UTC] smt837784 at yahoo dot com
Description:
------------
If the salt is less than 128 bits (22 characters in base 64) it is padded with "$" instead of ".", which is an invalid bcrypt hash.

Test script:
---------------
echo crypt('', '$2y$04$......................') . '<br>';
echo crypt('', '$2y$04$....') . '<br>';
echo crypt('', '$2y$04$....$$$$$$$$$$$$$$$$$.'); // keep backwards compatibility

Expected result:
----------------
$2y$04$......................w74bL5gU7LSJClZClCa.Pkz14aTv/XO
$2y$04$......................w74bL5gU7LSJClZClCa.Pkz14aTv/XO
$2y$04$....$$$$$$$$$$$$$$$$$.w74bL5gU7LSJClZClCa.Pkz14aTv/XO

Actual result:
--------------
$2y$04$......................w74bL5gU7LSJClZClCa.Pkz14aTv/XO
$2y$04$....$$$$$$$$$$$$$$$$$.w74bL5gU7LSJClZClCa.Pkz14aTv/XO
$2y$04$....$$$$$$$$$$$$$$$$$.w74bL5gU7LSJClZClCa.Pkz14aTv/XO

History

 [2013-01-21 02:28 UTC] daniel at heath dot cc
Allowing these '$' characters without reporting any errors is confusing; these 
hashes cannot be decoded by any standard-compliant implementation of bcrypt.
 [2020-09-18 09:18 UTC] cmb@php.net
-Status: Open
+Status: Closed
-Assigned To:
+Assigned To: cmb
 [2020-09-18 09:18 UTC] cmb@php.net
This issue is resolved as of PHP 5.5.0: <https://3v4l.org/u6MPZ>.
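
A format check that flags stored hashes carrying the "$"-padded salts described in this report, as an added example (not code from the report or from PHP itself). The helper names and the accepted prefix set `$2a`/`$2b`/`$2x`/`$2y` are assumptions.

```php
<?php
// Added example, not PHP's own code. Both helper functions are hypothetical.

// The 64 characters bcrypt uses to encode salt and digest.
const BCRYPT_ALPHABET = './ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';

// Returns the 1-based positions in $part that hold a character outside the alphabet.
function bad_positions(string $part): array
{
    $bad = [];
    foreach (str_split($part) as $i => $ch) {
        if (strpos(BCRYPT_ALPHABET, $ch) === false) {
            $bad[] = $i + 1;
        }
    }
    return $bad;
}

// Returns a list of problems; an empty list means the string has the standard layout.
function bcrypt_format_problems(string $hash): array
{
    // Prefix, two-digit cost, then 22 salt characters and 31 digest characters.
    if (!preg_match('/^\$2[abxy]\$(\d{2})\$(.{22})(.{31})\z/s', $hash, $m)) {
        return ['not a 60-character bcrypt string'];
    }
    [, $cost, $salt, $digest] = $m;
    $problems = [];
    if ((int) $cost < 4 || (int) $cost > 31) {
        $problems[] = "cost $cost is outside 04-31";
    }
    if ($bad = bad_positions($salt)) {
        $problems[] = 'salt has non-alphabet characters at positions ' . implode(',', $bad);
    }
    if ($bad = bad_positions($digest)) {
        $problems[] = 'digest has non-alphabet characters at positions ' . implode(',', $bad);
    }
    return $problems;
}

// The two distinct "Actual result" strings from this report.
$samples = [
    '$2y$04$......................w74bL5gU7LSJClZClCa.Pkz14aTv/XO',
    '$2y$04$....$$$$$$$$$$$$$$$$$.w74bL5gU7LSJClZClCa.Pkz14aTv/XO',
];
foreach ($samples as $hash) {
    $problems = bcrypt_format_problems($hash);
    echo $hash, ' => ', $problems ? implode('; ', $problems) : 'ok', PHP_EOL;
}
```

Running the same function over a column of stored password hashes identifies records created with short salts on affected versions, which other bcrypt implementations would reject.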