PHP :: Bug #54721 :: crypt function

Bug #54721

crypt function

Submitted:

2011-05-12 17:50 UTC

Modified:

2011-05-24 15:48 UTC

Votes:	1
Avg. Score:	5.0 ± 0.0
Reproduced:	1 of 1 (100.0%)
Same Version:	1 (100.0%)
Same OS:	1 (100.0%)

From:

os at irj dot ru

Assigned:

pajoye (profile)

Status:

Closed

Package:

*Encryption and hash functions

PHP Version:

5.3.6

OS:

Windows 7 x64

Private report:

CVE-ID:

None

View Developer Edit

[2011-05-12 17:50 UTC] os at irj dot ru

Description:
------------
Win 7 x64
PHP 5.3.6 x86 MSVC9 (Visual C++ 2008) Thread Safety AS Apache 2.2 Module
Apache/2.2.17 x86 NO SSL


Test script:
---------------
<pre>
<?php 
echo crypt("dev", '$1$dW0.is5.$10CH101gGOr1677ZYd517.'); 
?>

Expected result:
----------------
$1$dW0.is5.$10CH101gGOr1677ZYd517.

Actual result:
--------------
FireFox 4:
$1$dW0.is5.$fELOCg/o4M4JSqjT0FAaZ1

IE 9 with meny F5 refresh actual result is
Result 1: $1$dW0.is5.$PAX1vDQNMC0Ag2U3joEb71
Result 2: $1$dW0.is5.$fELOCg/o4M4JSqjT0FAaZ1
in cycle

If I reload apache 2 service hash result are changing to other, etc
FF: $1$dW0.is5.$j9t0S3va.9brcE2kIILGx1
IE: $1$dW0.is5.$d2QAXWA.uqHWaY1KopvYr., $1$dW0.is5.$j9t0S3va.9brcE2kIILGx1

Patches

fix (last revision 2011-05-21 12:56 UTC by os at irj dot ru)

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2011-05-12 18:00 UTC] os at irj dot ru

-Operating System: Windows 7 x86 +Operating System: Windows 7 x64

[2011-05-12 18:00 UTC] os at irj dot ru

Sorry, OS is Windows 7 x64 with 8GB RAM, CPU Core I5 760 (4 cores).

[2011-05-12 18:32 UTC] pajoye@php.net

-Status: Open +Status: Feedback

[2011-05-12 18:32 UTC] pajoye@php.net

The browsers have nothing to do with the server side running code. Please try 
using the CLI interface (cmd line) to confirm the results.

[2011-05-12 18:50 UTC] os at irj dot ru

-Status: Feedback +Status: Open

[2011-05-12 18:50 UTC] os at irj dot ru

In CLI mode crypt function work normaly, but as apache 2 module bug present

CMD Log:

Microsoft Windows [Version 6.1.7601]
(c) Корпорация Майкрософт (Microsoft Corp.), 2009. Все права защищены.

C:\Windows\system32>cd D:\Web\var\avers.localhost

C:\Windows\system32>d:

D:\Web\var\avers.localhost>D:\Web\bin\php\php.exe  D:\Web\var\avers.localhost\te
st.php
<pre>
$1$dW0.is5.$em49ePD07X75OTvpVod410
D:\Web\var\avers.localhost>D:\curl\curl.exe http://avers.localhost/test.php
<pre>
$1$dW0.is5.$d2QAXWA.uqHWaY1KopvYr.
D:\Web\var\avers.localhost>..\..\apache22\bin\httpd.exe -k restart
httpd.exe: Could not reliably determine the server's fully qualified domain name
, using 192.168.0.240 for ServerName

D:\Web\var\avers.localhost>D:\curl\curl.exe http://avers.localhost/test.php
<pre>
$1$dW0.is5.$PD4o/IBVjS2AVWa1.Rpdi/
D:\Web\var\avers.localhost>

[2011-05-12 18:58 UTC] os at irj dot ru

Sorry, in cli mode bug too (in previos command I use a old CLI php)
This is a correct log

D:\Web\var\avers.localhost>D:\Web\php53\php.exe D:\Web\var\avers.localhost\test.
php
<pre>
$1$dW0.is5.$.O4MUs7rYRmlSuPIA16Jt.
D:\Web\var\avers.localhost>D:\Web\php53\php.exe D:\Web\var\avers.localhost\test.
php
<pre>
$1$dW0.is5.$sVRmxDm7.B8xcTu1HZKf6/
D:\Web\var\avers.localhost>D:\Web\php53\php.exe D:\Web\var\avers.localhost\test.
php
<pre>
$1$dW0.is5.$zI8c4NaU.KzK2y5u.W4Ax.
D:\Web\var\avers.localhost>D:\Web\php53\php.exe -v
PHP 5.3.6 (cli) (built: Mar 17 2011 10:37:07)
Copyright (c) 1997-2011 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2011 Zend Technologies

D:\Web\var\avers.localhost>D:\curl\curl.exe http://avers.localhost/test.php
<pre>
$1$dW0.is5.$PD4o/IBVjS2AVWa1.Rpdi/
D:\Web\var\avers.localhost>D:\curl\curl.exe http://avers.localhost/test.php
<pre>
$1$dW0.is5.$PD4o/IBVjS2AVWa1.Rpdi/
D:\Web\var\avers.localhost>..\..\apache22\bin\httpd.exe -k restart
httpd.exe: Could not reliably determine the server's fully qualified domain name
, using 192.168.0.240 for ServerName

D:\Web\var\avers.localhost>D:\curl\curl.exe http://avers.localhost/test.php
<pre>
$1$dW0.is5.$.y5yjTLPgypzeHv0FU7zW0
D:\Web\var\avers.localhost>D:\Web\php53\php.exe  D:\Web\var\avers.localhost\test
.php
<pre>
$1$dW0.is5.$m.YjcIs.joLsQHQGZ0bxn/
D:\Web\var\avers.localhost>

[2011-05-13 06:06 UTC] os at irj dot ru

From download page I downloaded VC9 x86 Thread Safe (2011-Mar-22 13:27:32) as ZIP arhive, unzip it and run test script at office using cli interface on Microsoft Windows 7 x86, bug too.

Expected result:
$1$dW0.is5.$em49ePD07X75OTvpVod410

Actual result:
D:\tmp>php test.php
<pre>
$1$dW0.is5.$EkFno5M.sWHzVKG.KcE4g.
D:\tmp>php test.php
<pre>
$1$dW0.is5.$C08LtG..f5qYCBEqaEaeV.
D:\tmp>php test.php
<pre>
$1$dW0.is5.$U.zA4AF2/AvLMpxAdd57x1
D:\tmp>php test.php
<pre>
$1$dW0.is5.$FO6NpJOzWGbHX3Al2BRcU1
D:\tmp>php test.php
<pre>
$1$dW0.is5.$OoBfHS6yulKgQHVDZ8XLx/
D:\tmp>php -v
PHP 5.3.6 (cli) (built: Mar 17 2011 10:37:07)
Copyright (c) 1997-2011 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2011 Zend Technologies

D:\tmp>

[2011-05-13 06:16 UTC] os at irj dot ru

At Windows XP

Expected result:
$1$dW0.is5.$em49ePD07X75OTvpVod410

Actual result:

C:\tmp>php test.php
$1$dW0.is5.$UW7SlpXxFDXZ9zHcYQy.l/
C:\tmp>php test.php
$1$dW0.is5.$RS2jtU/Pp9KpSl.upfU3B.
C:\tmp>php test.php
$1$dW0.is5.$RS2jtU/Pp9KpSl.upfU3B.
C:\tmp>php test.php
$1$dW0.is5.$RS2jtU/Pp9KpSl.upfU3B.
C:\tmp>php test.php
C:\tmp>php -v
PHP 5.3.6 (cli) (built: Mar 17 2011 10:37:07)
Copyright (c) 1997-2011 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2011 Zend Technologies

[2011-05-16 16:20 UTC] tony2001@php.net

-Status: Open +Status: Assigned -Assigned To: +Assigned To: pajoye

[2011-05-16 16:46 UTC] pajoye@php.net

Confirmed. 

Seems to be only happening in the TS API.

[2011-05-16 17:18 UTC] pajoye@php.net

Please note that as this code may or should produce similar results on all 
platforms or builds, it is not correct.

MD5 salt is max. 12 characters as described in the manual and how the extra 
characters are treated are implementation specific.

Use blowfish or other stronger algorithm if you like to use a bigger salt.

[2011-05-21 20:11 UTC] tony2001@php.net

Pierre, could you test the proposed fix, please?
Thanks in advance.

[2011-05-22 18:29 UTC] pajoye@php.net

-Status: Assigned +Status: Feedback

[2011-05-22 18:29 UTC] pajoye@php.net

On FreeBSD I got (which uses system's crypt):

<?php 
echo crypt("dev", '$1$dW0.is5.$10CH101gGOr1677ZYd517.'); 
?>
.ionEGu/npGjI

With the proposed fix, I got on windows (which is what this bug is about):
$1$dW0.is5.$Jay703TqfAIolX2oUKG7u1

Which is not what the initial report says, it expects:

$1$dW0.is5.$10CH101gGOr1677ZYd517.

And using the tests provided privately:


<?php 
echo crypt("", '$1$dW0.is5.$10CH101gGOr1677ZYd517.') . "\n";
echo crypt("b", '$1$dW0.is5.$10CH101gGOr1677ZYd517.') . "\n";
echo crypt("bu", '$1$dW0.is5.$10CH101gGOr1677ZYd517.') . "\n";
echo crypt("bug", '$1$dW0.is5.$10CH101gGOr1677ZYd517.') . "\n";
echo crypt("pass", '$1$dW0.is5.$10CH101gGOr1677ZYd517.') . "\n";
echo crypt("buged", '$1$dW0.is5.$10CH101gGOr1677ZYd517.') . "\n";
echo crypt("aaaaaaaaaaaaaaaaaaaaaaaaa ", '$1$dW0.is5.$10CH101gGOr1677ZYd517.') . "\n";
?>
Windows (with patch):
$1$dW0.is5.$I0iqTYHPzkP4YnRgnXxZW0
$1$dW0.is5.$geEFTh1pYyBlKNV7Jd0jJ0
$1$dW0.is5.$J9qpZsnaE3ddwR9CfXJq71
$1$dW0.is5.$5tcolHQsY5Pxr8vn4rzdN/
$1$dW0.is5.$2E4/ZDY1vr73HqLl1bLs9.
$1$dW0.is5.$lvGhphTQwqgKxWhWwYERr1
$1$dW0.is5.$XzsWcLSBj2BvhOKH0xdpZ0

FreeBSD:
$1$dW0.is5.$I0iqTYHPzkP4YnRgnXxZW0
$1$dW0.is5.$KaspRpPQ9U7Xb5Vv5c.WE/
$1$dW0.is5.$X9G1x/Ep8zYQSrU4/lKUg.
$1$dW0.is5.$wE5Rz/HxPtDMfqil6kK980
$1$dW0.is5.$2E4/ZDY1vr73HqLl1bLs9.
$1$dW0.is5.$lvGhphTQwqgKxWhWwYERr1
$1$dW0.is5.$XzsWcLSBj2BvhOKH0xdpZ0

I don't think the patch or the initial report is correct and it somehow confirms my thoughts, len>16 is really implementation specific. Or did I 
miss something?

[2011-05-22 18:40 UTC] felipe@php.net

On Linux (Debian):
$1$dW0.is5.$I0iqTYHPzkP4YnRgnXxZW0
$1$dW0.is5.$KaspRpPQ9U7Xb5Vv5c.WE/
$1$dW0.is5.$X9G1x/Ep8zYQSrU4/lKUg.
$1$dW0.is5.$wE5Rz/HxPtDMfqil6kK980
$1$dW0.is5.$2E4/ZDY1vr73HqLl1bLs9.
$1$dW0.is5.$lvGhphTQwqgKxWhWwYERr1
$1$dW0.is5.$XzsWcLSBj2BvhOKH0xdpZ0

[2011-05-22 19:22 UTC] pajoye@php.net

oh my bad, used the wrong bins. Here are the results with the patch on windows, 
seems to match now:

$1$dW0.is5.$I0iqTYHPzkP4YnRgnXxZW0
$1$dW0.is5.$KaspRpPQ9U7Xb5Vv5c.WE/
$1$dW0.is5.$X9G1x/Ep8zYQSrU4/lKUg.
$1$dW0.is5.$wE5Rz/HxPtDMfqil6kK980
$1$dW0.is5.$2E4/ZDY1vr73HqLl1bLs9.
$1$dW0.is5.$lvGhphTQwqgKxWhWwYERr1
$1$dW0.is5.$XzsWcLSBj2BvhOKH0xdpZ0

[2011-05-24 15:48 UTC] pajoye@php.net

Automatic comment from SVN on behalf of pajoye
Revision: http://svn.php.net/viewvc/?view=revision&amp;revision=311390
Log: - Fix #54721, different Hashes on Windows, BSD and Linux on wrong Salt size

[2011-05-24 15:48 UTC] pajoye@php.net

-Status: Feedback +Status: Closed

[2011-05-24 15:48 UTC] pajoye@php.net

Fixed in all active branches and trunk.

[2012-04-18 09:50 UTC] laruence@php.net

Automatic comment on behalf of pajoye
Revision: http://git.php.net/?p=php-src.git;a=commit;h=c689dd9d59a98c1c5442002470524bc0955a7a6b
Log: - Fix #54721, different Hashes on Windows, BSD and Linux on wrong Salt size

[2012-07-24 23:41 UTC] rasmus@php.net

Automatic comment on behalf of pajoye
Revision: http://git.php.net/?p=php-src.git;a=commit;h=c689dd9d59a98c1c5442002470524bc0955a7a6b
Log: - Fix #54721, different Hashes on Windows, BSD and Linux on wrong Salt size

[2013-11-17 09:38 UTC] laruence@php.net

Automatic comment on behalf of pajoye
Revision: http://git.php.net/?p=php-src.git;a=commit;h=c689dd9d59a98c1c5442002470524bc0955a7a6b
Log: - Fix #54721, different Hashes on Windows, BSD and Linux on wrong Salt size

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Sat Oct 25 05:00:02 2025 UTC