Doc Bug #69230 password_verify should indicate whether it's vulnerable to timing attacks
Submitted: 2015-03-12 15:00 UTC Modified: 2015-06-25 11:30 UTC
From: brian at access9 dot net Assigned: peehaa (profile)
Status: Closed Package: Documentation problem
PHP Version: 5.5.22 OS:
Private report: No CVE-ID: None
 [2015-03-12 15:00 UTC] brian at access9 dot net
Description:
------------
---
From manual page: http://www.php.net/function.password-verify
---
The documentation for the hash_verify() function (http://php.net/manual/en/function.hash-equals.php) clearly states that it is a "Timing attack safe string comparison".

The documentation for password_verify() should indicate whether it is or is not vulnerable to timing based attacks.


 [2015-03-14 11:32 UTC] peehaa@php.net
-Assigned To: +Assigned To: peehaa
 [2015-06-25 11:30 UTC] peehaa@php.net
-Status: Assigned +Status: Closed
 [2015-06-25 11:30 UTC] peehaa@php.net
This bug has been fixed in the documentation's XML sources. Since the
online and downloadable versions of the documentation need some time
to get updated, we would like to ask you to be a bit patient.

Thank you for the report, and for helping us make our documentation better.


 