|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #45430 crypt () not thread-safe when crypt_r is not available!
Submitted: 2008-07-04 08:50 UTC Modified: 2008-07-28 12:00 UTC
From: alex at all-dynamics dot de Assigned: pajoye (profile)
Status: Closed Package: *Encryption and hash functions
PHP Version: 5.2.6 OS: Win32
Private report: No CVE-ID: None
 [2008-07-04 08:50 UTC] alex at all-dynamics dot de
crypt () seems not to be thread-safe when using a threaded webserver (Windows, ISAPI). Maybe this has something to do with win32/md5crypt.c /  md5_crypt: static char passwd[120] (static buffer which is returned to the calling function).

Reproduce code:
Run this code with two or more simultaneous requests on a threaded server:

set_time_limit (0);

$passwd1 = "testtesttest";
$passwd2 = "passwordpassword";

for ($i = 0; $i < 3000; $i++) {

  $crypted = crypt ($passwd1);
  if ($crypted != crypt ($passwd1, $crypted)) die ("no match");

  $crypted = crypt ($passwd2);
  if ($crypted != crypt ($passwd2, $crypted)) die ("no match");


echo "ok";

Expected result:
"ok" on all requests

Actual result:
one request may end with "no match", the other request will display "ok"


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2008-07-15 09:19 UTC]
Taking the hand on it for the windows part. As part of the win32 improvement effort, I already wrote a patch to drop our win32's md5_crypt implementation and add support for other algorithms (just like crypt_r + DES).
 [2008-07-17 22:44 UTC]
Here is the patch (windows only):

Will be committed asap.
 [2008-07-19 22:22 UTC]
Patch updated to the latest DES implementation ported to Windows.
Blowfish support added (with salt generation).
 [2008-07-26 18:19 UTC]
Final patch:

It not only fixes windows but it adds blowfish, extended DES, std DES and MD5 to all platforms as soon as one of them is not available or when crypt_r is not present either. Doing so PHP can't be affected anymore by this problem.
 [2008-07-28 12:00 UTC]
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
Thank you for the report, and for helping us make PHP better.

Fixed in 5.3 and HEAD (6.x)
PHP Copyright © 2001-2022 The PHP Group
All rights reserved.
Last updated: Mon Dec 05 07:04:49 2022 UTC