Bug #45430 crypt () not thread-safe when crypt_r is not available!
Submitted: 2008-07-04 08:50 UTC
Modified: 2008-07-28 12:00 UTC
From: alex at all-dynamics dot de
Assigned: pajoye (profile)
Status: Closed
Package: *Encryption and hash functions
PHP Version: 5.2.6
OS: Win32
Private report: No
CVE-ID: None
 [2008-07-04 08:50 UTC] alex at all-dynamics dot de
Description:
------------
crypt () seems not to be thread-safe when using a threaded webserver (Windows, ISAPI). Maybe this has something to do with win32/md5crypt.c /  md5_crypt: static char passwd[120] (static buffer which is returned to the calling function).

Reproduce code:
---------------
Run this code with two or more simultaneous requests on a threaded server:


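<?php
// Keep the script alive long enough for concurrent requests to overlap.
set_time_limit (0);

$passwd1 = "testtesttest";
$passwd2 = "passwordpassword";

for ($i = 0; $i < 3000; $i++) {

  // Hash with a generated salt, then re-hash using the result as the salt;
  // both calls must return the same string.
  $crypted = crypt ($passwd1);
  if ($crypted != crypt ($passwd1, $crypted)) die ("no match");

  $crypted = crypt ($passwd2);
  if ($crypted != crypt ($passwd2, $crypted)) die ("no match");

}

echo "ok";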


Expected result:
----------------
"ok" on all requests

Actual result:
--------------
one request may end with "no match", the other request will display "ok"
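
The static-buffer hazard the report points at, as an added example (not code from the report or from PHP). It assumes a constructed stand-in `toy_hash` rather than the real `md5_crypt`, and it replays the second request's call in a single thread so the outcome is deterministic; all function names are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Toy stand-in for md5_crypt(): NOT a real password hash, it only fills a buffer. */
static void toy_hash(const char *pw, const char *salt, char *out, size_t n)
{
    unsigned long h = 5381;                       /* djb2 over salt, then password */
    for (const char *p = salt; *p; p++) h = h * 33 + (unsigned char)*p;
    for (const char *p = pw; *p; p++)   h = h * 33 + (unsigned char)*p;
    snprintf(out, n, "$toy$%s$%08lx", salt, h & 0xffffffffUL);
}

/* Pattern from the report: the result lives in one static buffer shared by all threads. */
static char *crypt_static(const char *pw, const char *salt)
{
    static char passwd[120];
    toy_hash(pw, salt, passwd, sizeof passwd);
    return passwd;
}

/* Reentrant shape (crypt_r style): the caller owns the output buffer. */
static char *crypt_reentrant(const char *pw, const char *salt, char *out, size_t n)
{
    toy_hash(pw, salt, out, n);
    return out;
}

/* Replays the losing interleaving: request A hashes, request B hashes, then A reads
 * its result. Returns 1 if A still sees its own hash, 0 if it was overwritten. */
static int a_sees_own_hash(int use_static)
{
    char expect[120], buf_a[120], buf_b[120];
    toy_hash("testtesttest", "ab", expect, sizeof expect);
    const char *a = use_static ? crypt_static("testtesttest", "ab")
                               : crypt_reentrant("testtesttest", "ab", buf_a, sizeof buf_a);
    /* The other request's thread runs here, before A has copied or compared its result. */
    if (use_static) crypt_static("passwordpassword", "cd");
    else            crypt_reentrant("passwordpassword", "cd", buf_b, sizeof buf_b);
    return strcmp(a, expect) == 0;
}

int main(void)
{
    printf("static buffer: %s\n", a_sees_own_hash(1) ? "ok" : "no match");
    printf("caller buffer: %s\n", a_sees_own_hash(0) ? "ok" : "no match");
    return 0;
}
```

On a threaded server the overwrite depends on scheduling, which is why only some requests in the reproduce script end with "no match".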

 [2008-07-15 09:19 UTC] pajoye@php.net
Taking the hand on it for the Windows part. As part of the win32 improvement effort, I already wrote a patch to drop our win32 md5_crypt implementation and add support for other algorithms (just like crypt_r + DES).
 [2008-07-17 22:44 UTC] pajoye@php.net
Here is the patch (Windows only):

http://pierre.libgd.org/patches/crypt_r_win32.patch.txt

Will be committed asap.
 [2008-07-19 22:22 UTC] pajoye@php.net
Patch updated to the latest DES implementation ported to Windows.
Blowfish support added (with salt generation).

http://news.php.net/php.internals.win/94
 [2008-07-26 18:19 UTC] pajoye@php.net
Final patch:

http://pierre.libgd.org/patches/add_crypt_r_blowfish_extdes.txt

It not only fixes Windows but it adds blowfish, extended DES, std DES and MD5 to all platforms as soon as one of them is not available or when crypt_r is not present either. Doing so, PHP can't be affected anymore by this problem.
 [2008-07-28 12:00 UTC] pajoye@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.

Fixed in 5.3 and HEAD (6.x)
 
Last updated: Fri Jun 25 06:01:25 2021 UTC