php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Request #67653 PASSWORD_BCRYPT truncates password longer than 72 bytes silently
Submitted: 2014-07-19 01:58 UTC Modified: 2020-12-23 17:05 UTC
Votes:4
Avg. Score:3.0 ± 2.0
Reproduced:3 of 3 (100.0%)
Same Version:0 (0.0%)
Same OS:2 (66.7%)
From: yohgaki at ohgaki dot net Assigned:
Status: Open Package: *Encryption and hash functions
PHP Version: 5.5 OS: Irrelevant
Private report: No CVE-ID: None
 [2014-07-19 01:58 UTC] yohgaki at ohgaki dot net
Description:
------------
PASSWORD_BCRYPT truncates password longer than 72 bytes silently 


Test script:
---------------
[yohgaki@dev tmp]$ php -r 'var_dump(password_verify("123456789012345678901234567890123456789012345678901234567890123456789012", password_hash("12345678901234567890123456789012345678901234567890123456789012345678901234567890", PASSWORD_DEFAULT)));'
bool(true)
[yohgaki@dev tmp]$ php -r 'var_dump(password_verify("12345678901234567890123456789012345678901234567890123456789012345678901", password_hash("12345678901234567890123456789012345678901234567890123456789012345678901234567890", PASSWORD_DEFAULT)));'
bool(false)

Expected result:
----------------
password_hash() should raise E_NOTICE when password is too long for it.

Actual result:
--------------
Silently ignores bytes larger than 72. 

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2014-07-19 02:00 UTC] yohgaki@php.net
-Assigned To: +Assigned To: yohgaki
 [2014-07-19 02:05 UTC] yohgaki@php.net
-PHP Version: Irrelevant +PHP Version: 5.5
 [2017-10-24 08:13 UTC] kalle@php.net
-Status: Assigned +Status: Open -Assigned To: yohgaki +Assigned To:
 [2020-12-23 17:05 UTC] cmb@php.net
-Type: Bug +Type: Feature/Change Request -Package: hash related +Package: *Encryption and hash functions
 [2020-12-23 17:05 UTC] cmb@php.net
Known issue; changing to feature request.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Nov 21 14:01:29 2024 UTC