If crypt() is executed with MD5 salts, the return value consists of the salt only.
DES and BLOWFISH salts work as expected.
I tested with php from openSUSE PHP5 repository
> php -v
PHP 5.3.7RC6-dev (cli)
> rpm -q php5
printf("MD5: %s\n", crypt('password', '$1$U7AjYB.O$'));
This is confirmed bug in stable release 5.3.7
We have also experienced this problem with the official release of PHP 5.3.7.
stas, could you look at this issue please? It could be related to our latest
Verified for PHP5.3.7
> php -v
PHP 5.3.7 (cli)
> php -r 'printf("%s\n", crypt("password"));'
Note that only the salt is returned.
AFAIK MD5 is the default encryption type.
The big problem is that if an application stores these hashes in a database and uses them for authentication, the problem with this bug is that
$valid = crypt($pw, $crypt);
will always be TRUE regardless of $pw
We do have a serious problem here. I suggest recalling 5.3.7 and going for a 5.3.7pl1
Uhm ok the PHP code wasn't correct but I think you get the point:
If crypt() only stores the salt then crypt($pw, $salt) will return the salt and comparing this to $pw is useless as the salt is a constant regardless of $pw.
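The failure mode described in the comments above is that a PHP build with this bug writes the bare salt into the password table, after which any password "verifies" against that record. The following wrapper is an added example and is not code from the bug report or from PHP itself: it validates crypt() output at hash-creation time (a healthy MD5-crypt result is the 12-byte salt followed by a 22-character digest) and, at verification time, refuses stored values that are nothing but a salt. Function names, the salt generation and the self-test inputs are this example's own assumptions.

```php
<?php
// Added example, not code from the bug report: a wrapper around crypt() that refuses
// to store or accept the bare-salt output described in this thread.

// Build a new MD5-crypt hash and validate the result before it is stored.
function make_md5_hash($password)
{
    // 8 salt characters from the crypt alphabet [./0-9A-Za-z]. mt_rand() keeps the
    // example dependency-free; a CSPRNG is the better source for production salts.
    $alphabet = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
    $salt = '$1$';
    for ($i = 0; $i < 8; $i++) {
        $salt .= $alphabet[mt_rand(0, 63)];
    }
    $salt .= '$';

    $hash = crypt($password, $salt);
    // A healthy MD5-crypt result is the 12-byte salt followed by a 22-character digest.
    // PHP 5.3.7 returned the salt alone, which is what the reports above describe.
    if ($hash === false
        || strlen($hash) !== strlen($salt) + 22
        || strncmp($hash, $salt, strlen($salt)) !== 0) {
        throw new RuntimeException('crypt() returned an incomplete hash; refusing to store it');
    }
    return $hash;
}

// True when a stored value is only a salt, i.e. a record written by the broken crypt().
function is_bare_md5_salt($stored)
{
    return preg_match('/^\$1\$[.\/0-9A-Za-z]{1,8}\$$/', $stored) === 1;
}

function verify_password($password, $stored)
{
    if (is_bare_md5_salt($stored)) {
        // Any password would "match" such a record; treat it as invalid so the
        // application can force a password reset instead of granting access.
        return false;
    }
    // crypt() reads the salt prefix from the stored hash and ignores the digest part.
    $candidate = crypt($password, $stored);
    if ($candidate === false || strlen($candidate) !== strlen($stored)) {
        return false;
    }
    // Constant-time comparison; hash_equals() exists from PHP 5.6 onward.
    if (function_exists('hash_equals')) {
        return hash_equals($stored, $candidate);
    }
    $diff = 0;
    for ($i = 0; $i < strlen($stored); $i++) {
        $diff |= ord($stored[$i]) ^ ord($candidate[$i]);
    }
    return $diff === 0;
}

// Self-test (constructed inputs): a fresh hash verifies for the right password only,
// and a bare salt like the one in the report is rejected for every password.
$stored = make_md5_hash('password');
var_dump(verify_password('password', $stored));
var_dump(verify_password('wrong', $stored));
var_dump(verify_password('anything', '$1$U7AjYB.O$'));
```

On an unbroken build the first var_dump() prints true and the other two print false; on a build with this bug make_md5_hash() throws instead of silently storing a salt, which is the point of the length check.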
Confirming, some very recent update broke it - right now unit tests fail on SVN. I
wonder if nobody ran it before release?
Automatic comment from SVN on behalf of stas
Log: Unbreak crypt() (fix bug #55439)
# If you want to remove static analyser messages, be my guest,
# but please run unit tests after
This bug has been fixed in SVN.
Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
Thank you for the report, and for helping us make PHP better.
Thanks stas, confirmed fixed in snapshot 201108200030
Thanks for fixing this (in my eyes) release critical bug. Are you going to release an official 5.3.7pl1 soon?
I'm not able to deploy a SVN/snapshot release on our webservers. It simply doesn't look good. Our customers rely on stable PHP releases. I would very much appreciate a pl1 release.
Yes, we will release 5.3.7pl1 or 5.3.8
Automatic comment from SVN on behalf of johannes
Log: Merge r315218 - Unbreak crypt() (fix bug #55439) (stas)
I looked at the code changes. strlcat(passwd, "$", 1); was replaced by
strcat(passwd, "$"); In my opinion that is the same behavior as before. Both
functions append the string "$" and add the terminating NUL-Character.
This is my first look into the PHP-repository and this bugtracker ;)
Ok, strlcat() includes the length for the terminating NUL-Byte. So, the bugfix
should be ok.
Automatic comment on behalf of stas
Log: Unbreak crypt() (fix bug #55439)
# If you want to remove static analyser messages, be my guest,
# but please run unit tests after