php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #62488 Invalid bcrypt hash
Submitted: 2012-07-06 03:06 UTC Modified: 2020-09-18 09:18 UTC
Votes:8
Avg. Score:4.6 ± 0.7
Reproduced:7 of 7 (100.0%)
Same Version:4 (57.1%)
Same OS:2 (28.6%)
From: smt837784 at yahoo dot com Assigned: cmb (profile)
Status: Closed Package: *Encryption and hash functions
PHP Version: 5.3.14 OS: Fedora 16 (3.3.4-1.fc16.x86_64)
Private report: No CVE-ID: None
Anyone can comment on a bug. Have a simpler test case? Does it work for you on a different platform? Let us know!
Just going to say 'Me too!'? Don't clutter the database with that please !
Your email address:
MUST BE VALID
Solve the problem:
4 + 39 = ?
Subscribe to this entry?

 
 [2012-07-06 03:06 UTC] smt837784 at yahoo dot com
Description:
------------
If the salt is less than 128 bits (22 characters in base 64) it is padded with "$" instead of ".". Which is an invalid bcrypt hash.

Test script:
---------------
echo crypt('', '$2y$04$......................') . '<br>';
echo crypt('', '$2y$04$....') . '<br>';
echo crypt('', '$2y$04$....$$$$$$$$$$$$$$$$$.'); // keep backwards compatibility

Expected result:
----------------
$2y$04$......................w74bL5gU7LSJClZClCa.Pkz14aTv/XO
$2y$04$......................w74bL5gU7LSJClZClCa.Pkz14aTv/XO
$2y$04$....$$$$$$$$$$$$$$$$$.w74bL5gU7LSJClZClCa.Pkz14aTv/XO

Actual result:
--------------
$2y$04$......................w74bL5gU7LSJClZClCa.Pkz14aTv/XO
$2y$04$....$$$$$$$$$$$$$$$$$.w74bL5gU7LSJClZClCa.Pkz14aTv/XO
$2y$04$....$$$$$$$$$$$$$$$$$.w74bL5gU7LSJClZClCa.Pkz14aTv/XO

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2013-01-21 02:28 UTC] daniel at heath dot cc
Allowing these '$' characters without reporting any errors is confusing; these 
hashes cannot be decoded by any standard-compliant implementation of bcrypt.
 [2020-09-18 09:18 UTC] cmb@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: cmb
 [2020-09-18 09:18 UTC] cmb@php.net
This issue is resolved as of PHP 5.5.0: <https://3v4l.org/u6MPZ>.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Wed Dec 11 01:01:27 2024 UTC