Bug #73058 crypt broken when salt is 'too' long
Submitted: 2016-09-09 13:35 UTC Modified: 2016-09-10 01:18 UTC
From: sjon at hortensius dot net Assigned: ab (profile)
Status: Closed Package: hash related
PHP Version: 7.1.0RC1 OS:
Private report: No CVE-ID: None
 [2016-09-09 13:35 UTC] sjon at hortensius dot net
$pass = 'secret';
$salt = '$2y$07$usesomesillystringforsalt$';

var_dump(crypt($pass, $salt));

* as demonstrated on

Test script:
* works with shorter salt:
* fails with longer salt: (includes CRYPT_SALT_LENGTH)

Expected result:
string(60) "$2y$07$usesomesillystringforex.u2VJUMLRWaJNuw0Hu2FvCEimdeYVO"

Actual result:
string(2) "*0"

 [2016-09-09 14:23 UTC]
-Status: Open +Status: Verified -Assigned To: +Assigned To: ab
 [2016-09-09 15:22 UTC]
Indeed, Damian.

Anatol, with regard to the fix[1]: it seems to me, that it would
suffice to check that the actual salt is not empty, i.e. to do the
following instead:

    /* salt[7] is the first byte after "$2y$NN$"; a '$' there means the salt is empty */
    if (salt[7] == '$') {
        return NULL;
    }
[1] <>
 [2016-09-10 01:18 UTC]
-Status: Verified +Status: Closed
 [2016-09-10 01:18 UTC]

yeah, that's a better approach. I also completely forgot about the hacks with '$' in crypt(). Re-fixed with 669fda00b75a0d361810429e0ef53f6c740b1727.
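The report and the suggested check both turn on how a bcrypt setting string is parsed: `$2y$NN$` is followed by exactly 22 salt characters, anything after those is ignored (which is why the reporter's "too long" salt was expected to work), an empty salt (`$2y$07$$`) must be rejected, and the 22nd character is rewritten to its canonical form because 22 × 6 = 132 bits carry only a 128-bit salt. The following is an added C example, not code from PHP's crypt.c or from this bug's fix, that implements those rules as a stand-alone parser; the failure token (`*0`, or `*1` when the setting itself starts with `*0`) follows the crypt_blowfish convention, of which the page only shows `*0`, and the function and constant names are this example's own.

```c
#include <stdio.h>
#include <string.h>

/* bcrypt's own base64 alphabet (not the RFC 4648 one). */
static const char BCRYPT_B64[] =
    "./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";

#define BCRYPT_SALT_CHARS  22   /* 22 chars encode the 128-bit salt */
#define BCRYPT_SETTING_LEN 29   /* "$2y$NN$" (7) + 22 salt chars */

/* Index of c in the bcrypt alphabet, or -1 if it is not a valid salt char. */
static int b64_index(char c) {
    const char *p = (c != '\0') ? strchr(BCRYPT_B64, c) : NULL;
    return p ? (int)(p - BCRYPT_B64) : -1;
}

/* crypt()-style failure token: "*0", or "*1" if the setting itself began with "*0". */
static void fail_token(const char *setting, char *out) {
    strcpy(out, (strncmp(setting, "*0", 2) == 0) ? "*1" : "*0");
}

/* Parse a bcrypt setting string and write its 29-char canonical form to out
 * (which must hold at least 30 bytes). Returns 0 on success; on any parse
 * error writes the failure token to out and returns -1. */
int bcrypt_canonical_setting(const char *setting, char *out) {
    /* Prefix must be one of "$2a$", "$2b$", "$2x$", "$2y$". */
    if (setting[0] != '$' || setting[1] != '2' ||
        setting[2] == '\0' || !strchr("abxy", setting[2]) || setting[3] != '$') {
        fail_token(setting, out);
        return -1;
    }
    /* Two-digit cost in the range 04..31, terminated by '$'. */
    if (setting[4] < '0' || setting[4] > '9' ||
        setting[5] < '0' || setting[5] > '9' || setting[6] != '$') {
        fail_token(setting, out);
        return -1;
    }
    int cost = (setting[4] - '0') * 10 + (setting[5] - '0');
    if (cost < 4 || cost > 31) {
        fail_token(setting, out);
        return -1;
    }

    const char *salt = setting + 7;
    /* The check proposed in the discussion: "$2y$NN$$..." has an empty salt. */
    if (salt[0] == '$') {
        fail_token(setting, out);
        return -1;
    }
    /* Exactly 22 alphabet chars are consumed; a shorter salt fails here
     * (the NUL terminator is not in the alphabet) and extra trailing chars,
     * such as the reporter's "alt$", are simply never looked at. */
    for (int i = 0; i < BCRYPT_SALT_CHARS; i++) {
        if (b64_index(salt[i]) < 0) {
            fail_token(setting, out);
            return -1;
        }
    }

    memcpy(out, setting, BCRYPT_SETTING_LEN);
    out[BCRYPT_SETTING_LEN] = '\0';
    /* The last salt char contributes only its top 2 bits (132 - 128 = 4 bits
     * are dropped), so it is rewritten to its canonical value: 's' becomes 'e',
     * matching the "usesomesillystringfore..." in the report's expected result. */
    int canon = b64_index(salt[BCRYPT_SALT_CHARS - 1]) & 0x30;
    out[BCRYPT_SETTING_LEN - 1] = BCRYPT_B64[canon];
    return 0;
}

int main(void) {
    /* Constructed inputs: the report's salt plus a few edge cases. */
    const char *cases[] = {
        "$2y$07$usesomesillystringforsalt$",  /* the report's "too long" salt */
        "$2y$07$usesomesillystringfors",      /* exactly 22 salt chars */
        "$2y$07$$",                           /* empty salt */
        "$2y$07$tooshort",                    /* fewer than 22 salt chars */
        "$2y$03$usesomesillystringfors",      /* cost below 4 */
    };
    char out[32];
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        int rc = bcrypt_canonical_setting(cases[i], out);
        printf("%-34s -> %s (%s)\n", cases[i], out, rc == 0 ? "ok" : "rejected");
    }
    return 0;
}
```

Running it shows the report's salt canonicalizing to `$2y$07$usesomesillystringfore`, which is the 29-char prefix of the expected 60-char hash, while the empty-salt and too-short inputs produce `*0`, the same token the reporter saw.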

PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Mon Jun 17 22:01:28 2024 UTC