php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #54721 crypt function
Submitted: 2011-05-12 17:50 UTC Modified: 2011-05-24 15:48 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: os at irj dot ru Assigned: pajoye
Status: Closed Package: *Encryption and hash functions
PHP Version: 5.3.6 OS: Windows 7 x64
Private report: No CVE-ID:
 [2011-05-12 17:50 UTC] os at irj dot ru
Description:
------------
Win 7 x64
PHP 5.3.6 x86 MSVC9 (Visual C++ 2008) Thread Safety AS Apache 2.2 Module
Apache/2.2.17 x86 NO SSL


Test script:
---------------
<pre>
<?php 
echo crypt("dev", '$1$dW0.is5.$10CH101gGOr1677ZYd517.'); 
?>

Expected result:
----------------
$1$dW0.is5.$10CH101gGOr1677ZYd517.

Actual result:
--------------
FireFox 4:
$1$dW0.is5.$fELOCg/o4M4JSqjT0FAaZ1

IE 9 with meny F5 refresh actual result is
Result 1: $1$dW0.is5.$PAX1vDQNMC0Ag2U3joEb71
Result 2: $1$dW0.is5.$fELOCg/o4M4JSqjT0FAaZ1
in cycle

If I reload apache 2 service hash result are changing to other, etc
FF: $1$dW0.is5.$j9t0S3va.9brcE2kIILGx1
IE: $1$dW0.is5.$d2QAXWA.uqHWaY1KopvYr., $1$dW0.is5.$j9t0S3va.9brcE2kIILGx1

Patches

fix (last revision 2011-05-21 12:56 UTC) by os at irj dot ru)

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2011-05-12 18:00 UTC] os at irj dot ru
-Operating System: Windows 7 x86 +Operating System: Windows 7 x64
 [2011-05-12 18:00 UTC] os at irj dot ru
Sorry, OS is Windows 7 x64 with 8GB RAM, CPU Core I5 760 (4 cores).
 [2011-05-12 18:32 UTC] pajoye@php.net
-Status: Open +Status: Feedback
 [2011-05-12 18:32 UTC] pajoye@php.net
The browsers have nothing to do with the server side running code. Please try 
using the CLI interface (cmd line) to confirm the results.
 [2011-05-12 18:50 UTC] os at irj dot ru
-Status: Feedback +Status: Open
 [2011-05-12 18:50 UTC] os at irj dot ru
In CLI mode crypt function work normaly, but as apache 2 module bug present

CMD Log:

Microsoft Windows [Version 6.1.7601]
(c) Корпорация Майкрософт (Microsoft Corp.), 2009. Все права защищены.

C:\Windows\system32>cd D:\Web\var\avers.localhost

C:\Windows\system32>d:

D:\Web\var\avers.localhost>D:\Web\bin\php\php.exe  D:\Web\var\avers.localhost\te
st.php
<pre>
$1$dW0.is5.$em49ePD07X75OTvpVod410
D:\Web\var\avers.localhost>D:\curl\curl.exe http://avers.localhost/test.php
<pre>
$1$dW0.is5.$d2QAXWA.uqHWaY1KopvYr.
D:\Web\var\avers.localhost>..\..\apache22\bin\httpd.exe -k restart
httpd.exe: Could not reliably determine the server's fully qualified domain name
, using 192.168.0.240 for ServerName

D:\Web\var\avers.localhost>D:\curl\curl.exe http://avers.localhost/test.php
<pre>
$1$dW0.is5.$PD4o/IBVjS2AVWa1.Rpdi/
D:\Web\var\avers.localhost>
 [2011-05-12 18:58 UTC] os at irj dot ru
Sorry, in cli mode bug too (in previos command I use a old CLI php)
This is a correct log

D:\Web\var\avers.localhost>D:\Web\php53\php.exe D:\Web\var\avers.localhost\test.
php
<pre>
$1$dW0.is5.$.O4MUs7rYRmlSuPIA16Jt.
D:\Web\var\avers.localhost>D:\Web\php53\php.exe D:\Web\var\avers.localhost\test.
php
<pre>
$1$dW0.is5.$sVRmxDm7.B8xcTu1HZKf6/
D:\Web\var\avers.localhost>D:\Web\php53\php.exe D:\Web\var\avers.localhost\test.
php
<pre>
$1$dW0.is5.$zI8c4NaU.KzK2y5u.W4Ax.
D:\Web\var\avers.localhost>D:\Web\php53\php.exe -v
PHP 5.3.6 (cli) (built: Mar 17 2011 10:37:07)
Copyright (c) 1997-2011 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2011 Zend Technologies

D:\Web\var\avers.localhost>D:\curl\curl.exe http://avers.localhost/test.php
<pre>
$1$dW0.is5.$PD4o/IBVjS2AVWa1.Rpdi/
D:\Web\var\avers.localhost>D:\curl\curl.exe http://avers.localhost/test.php
<pre>
$1$dW0.is5.$PD4o/IBVjS2AVWa1.Rpdi/
D:\Web\var\avers.localhost>..\..\apache22\bin\httpd.exe -k restart
httpd.exe: Could not reliably determine the server's fully qualified domain name
, using 192.168.0.240 for ServerName

D:\Web\var\avers.localhost>D:\curl\curl.exe http://avers.localhost/test.php
<pre>
$1$dW0.is5.$.y5yjTLPgypzeHv0FU7zW0
D:\Web\var\avers.localhost>D:\Web\php53\php.exe  D:\Web\var\avers.localhost\test
.php
<pre>
$1$dW0.is5.$m.YjcIs.joLsQHQGZ0bxn/
D:\Web\var\avers.localhost>
 [2011-05-13 06:06 UTC] os at irj dot ru
From download page I downloaded VC9 x86 Thread Safe (2011-Mar-22 13:27:32) as ZIP arhive, unzip it and run test script at office using cli interface on Microsoft Windows 7 x86, bug too.

Expected result:
$1$dW0.is5.$em49ePD07X75OTvpVod410

Actual result:
D:\tmp>php test.php
<pre>
$1$dW0.is5.$EkFno5M.sWHzVKG.KcE4g.
D:\tmp>php test.php
<pre>
$1$dW0.is5.$C08LtG..f5qYCBEqaEaeV.
D:\tmp>php test.php
<pre>
$1$dW0.is5.$U.zA4AF2/AvLMpxAdd57x1
D:\tmp>php test.php
<pre>
$1$dW0.is5.$FO6NpJOzWGbHX3Al2BRcU1
D:\tmp>php test.php
<pre>
$1$dW0.is5.$OoBfHS6yulKgQHVDZ8XLx/
D:\tmp>php -v
PHP 5.3.6 (cli) (built: Mar 17 2011 10:37:07)
Copyright (c) 1997-2011 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2011 Zend Technologies

D:\tmp>
 [2011-05-13 06:16 UTC] os at irj dot ru
At Windows XP

Expected result:
$1$dW0.is5.$em49ePD07X75OTvpVod410

Actual result:

C:\tmp>php test.php
$1$dW0.is5.$UW7SlpXxFDXZ9zHcYQy.l/
C:\tmp>php test.php
$1$dW0.is5.$RS2jtU/Pp9KpSl.upfU3B.
C:\tmp>php test.php
$1$dW0.is5.$RS2jtU/Pp9KpSl.upfU3B.
C:\tmp>php test.php
$1$dW0.is5.$RS2jtU/Pp9KpSl.upfU3B.
C:\tmp>php test.php
C:\tmp>php -v
PHP 5.3.6 (cli) (built: Mar 17 2011 10:37:07)
Copyright (c) 1997-2011 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2011 Zend Technologies
 [2011-05-16 16:20 UTC] tony2001@php.net
-Status: Open +Status: Assigned -Assigned To: +Assigned To: pajoye
 [2011-05-16 16:46 UTC] pajoye@php.net
Confirmed. 

Seems to be only happening in the TS API.
 [2011-05-16 17:18 UTC] pajoye@php.net
Please note that as this code may or should produce similar results on all 
platforms or builds, it is not correct.

MD5 salt is max. 12 characters as described in the manual and how the extra 
characters are treated are implementation specific.

Use blowfish or other stronger algorithm if you like to use a bigger salt.
 [2011-05-21 20:11 UTC] tony2001@php.net
Pierre, could you test the proposed fix, please?
Thanks in advance.
 [2011-05-22 18:29 UTC] pajoye@php.net
-Status: Assigned +Status: Feedback
 [2011-05-22 18:29 UTC] pajoye@php.net
On FreeBSD I got (which uses system's crypt):

<?php 
echo crypt("dev", '$1$dW0.is5.$10CH101gGOr1677ZYd517.'); 
?>
.ionEGu/npGjI

With the proposed fix, I got on windows (which is what this bug is about):
$1$dW0.is5.$Jay703TqfAIolX2oUKG7u1

Which is not what the initial report says, it expects:

$1$dW0.is5.$10CH101gGOr1677ZYd517.

And using the tests provided privately:


<?php 
echo crypt("", '$1$dW0.is5.$10CH101gGOr1677ZYd517.') . "\n";
echo crypt("b", '$1$dW0.is5.$10CH101gGOr1677ZYd517.') . "\n";
echo crypt("bu", '$1$dW0.is5.$10CH101gGOr1677ZYd517.') . "\n";
echo crypt("bug", '$1$dW0.is5.$10CH101gGOr1677ZYd517.') . "\n";
echo crypt("pass", '$1$dW0.is5.$10CH101gGOr1677ZYd517.') . "\n";
echo crypt("buged", '$1$dW0.is5.$10CH101gGOr1677ZYd517.') . "\n";
echo crypt("aaaaaaaaaaaaaaaaaaaaaaaaa ", '$1$dW0.is5.$10CH101gGOr1677ZYd517.') . "\n";
?>
Windows (with patch):
$1$dW0.is5.$I0iqTYHPzkP4YnRgnXxZW0
$1$dW0.is5.$geEFTh1pYyBlKNV7Jd0jJ0
$1$dW0.is5.$J9qpZsnaE3ddwR9CfXJq71
$1$dW0.is5.$5tcolHQsY5Pxr8vn4rzdN/
$1$dW0.is5.$2E4/ZDY1vr73HqLl1bLs9.
$1$dW0.is5.$lvGhphTQwqgKxWhWwYERr1
$1$dW0.is5.$XzsWcLSBj2BvhOKH0xdpZ0

FreeBSD:
$1$dW0.is5.$I0iqTYHPzkP4YnRgnXxZW0
$1$dW0.is5.$KaspRpPQ9U7Xb5Vv5c.WE/
$1$dW0.is5.$X9G1x/Ep8zYQSrU4/lKUg.
$1$dW0.is5.$wE5Rz/HxPtDMfqil6kK980
$1$dW0.is5.$2E4/ZDY1vr73HqLl1bLs9.
$1$dW0.is5.$lvGhphTQwqgKxWhWwYERr1
$1$dW0.is5.$XzsWcLSBj2BvhOKH0xdpZ0

I don't think the patch or the initial report is correct and it somehow confirms my thoughts, len>16 is really implementation specific. Or did I 
miss something?
 [2011-05-22 18:40 UTC] felipe@php.net
On Linux (Debian):
$1$dW0.is5.$I0iqTYHPzkP4YnRgnXxZW0
$1$dW0.is5.$KaspRpPQ9U7Xb5Vv5c.WE/
$1$dW0.is5.$X9G1x/Ep8zYQSrU4/lKUg.
$1$dW0.is5.$wE5Rz/HxPtDMfqil6kK980
$1$dW0.is5.$2E4/ZDY1vr73HqLl1bLs9.
$1$dW0.is5.$lvGhphTQwqgKxWhWwYERr1
$1$dW0.is5.$XzsWcLSBj2BvhOKH0xdpZ0
 [2011-05-22 19:22 UTC] pajoye@php.net
oh my bad, used the wrong bins. Here are the results with the patch on windows, 
seems to match now:

$1$dW0.is5.$I0iqTYHPzkP4YnRgnXxZW0
$1$dW0.is5.$KaspRpPQ9U7Xb5Vv5c.WE/
$1$dW0.is5.$X9G1x/Ep8zYQSrU4/lKUg.
$1$dW0.is5.$wE5Rz/HxPtDMfqil6kK980
$1$dW0.is5.$2E4/ZDY1vr73HqLl1bLs9.
$1$dW0.is5.$lvGhphTQwqgKxWhWwYERr1
$1$dW0.is5.$XzsWcLSBj2BvhOKH0xdpZ0
 [2011-05-24 15:48 UTC] pajoye@php.net
Automatic comment from SVN on behalf of pajoye
Revision: http://svn.php.net/viewvc/?view=revision&amp;revision=311390
Log: - Fix #54721, different Hashes on Windows, BSD and Linux on wrong Salt size
 [2011-05-24 15:48 UTC] pajoye@php.net
-Status: Feedback +Status: Closed
 [2011-05-24 15:48 UTC] pajoye@php.net
Fixed in all active branches and trunk.
 [2012-04-18 09:50 UTC] laruence@php.net
Automatic comment on behalf of pajoye
Revision: http://git.php.net/?p=php-src.git;a=commit;h=c689dd9d59a98c1c5442002470524bc0955a7a6b
Log: - Fix #54721, different Hashes on Windows, BSD and Linux on wrong Salt size
 [2012-07-24 23:41 UTC] rasmus@php.net
Automatic comment on behalf of pajoye
Revision: http://git.php.net/?p=php-src.git;a=commit;h=c689dd9d59a98c1c5442002470524bc0955a7a6b
Log: - Fix #54721, different Hashes on Windows, BSD and Linux on wrong Salt size
 [2013-11-17 09:38 UTC] laruence@php.net
Automatic comment on behalf of pajoye
Revision: http://git.php.net/?p=php-src.git;a=commit;h=c689dd9d59a98c1c5442002470524bc0955a7a6b
Log: - Fix #54721, different Hashes on Windows, BSD and Linux on wrong Salt size
 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Sat Apr 19 04:01:55 2014 UTC