Bug #73058 crypt broken when salt is 'too' long
Submitted: 2016-09-09 13:35 UTC Modified: 2016-09-10 01:18 UTC
From: sjon at hortensius dot net Assigned: ab (profile)
Status: Closed Package: hash related
PHP Version: 7.1.0RC1 OS:
Private report: No CVE-ID: None
 [2016-09-09 13:35 UTC] sjon at hortensius dot net
Description:
------------
<?php
$pass = 'secret';
// bcrypt salt layout: "$2y$" + two-digit cost + "$" + 22 salt characters.
// This salt carries extra characters ("alt$") after the 22nd.
$salt = '$2y$07$usesomesillystringforsalt$';

var_dump(crypt($pass, $salt));

* as demonstrated on https://3v4l.org/kuAJO

Test script:
---------------
* works with shorter salt: https://3v4l.org/O654F
* fails with longer salt: https://3v4l.org/dvgnq (includes CRYPT_SALT_LENGTH)

Expected result:
----------------
string(60) "$2y$07$usesomesillystringforex.u2VJUMLRWaJNuw0Hu2FvCEimdeYVO"

Actual result:
--------------
string(2) "*0"

 [2016-09-09 14:23 UTC] requinix@php.net
-Status: Open +Status: Verified -Assigned To: +Assigned To: ab
 [2016-09-09 15:22 UTC] cmb@php.net
Indeed, Damian.

Anatol, with regard to the fix[1]: it seems to me, that it would
suffice to check that the actual salt is not empty, i.e. to do the
following instead:

    if (salt[7] == '$') {
        return NULL;
    }

[1] <https://github.com/php/php-src/commit/295303b5>
 [2016-09-10 01:18 UTC] ab@php.net
-Status: Verified +Status: Closed
 [2016-09-10 01:18 UTC] ab@php.net
Christoph,

yeah, that's a better approach. I also completely forgot about the hacks with '$' in crypt(). Re-fixed with 669fda00b75a0d361810429e0ef53f6c740b1727.

Thanks.
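Added example (PHP, written for this page; not code from the report or from php-src): the defensive pattern this bug illustrates, namely validating what crypt() returns before storing or comparing it, rather than assuming the return value is a hash. The helper names bcrypt_salt(), bcrypt_or_fail() and bcrypt_verify() are my own; the report's salt is included so the failure sentinel ("*0" on 7.1.0RC1) is caught by the check.

```php
<?php
// Added example, not from the report or php-src: check crypt()'s return before use.
const BCRYPT_SALT_CHARS = 22;   // bcrypt reads exactly 22 salt characters

// Build a well-formed "$2y$NN$" + 22-char salt from CSPRNG output.
function bcrypt_salt(int $cost = 10): string
{
    if ($cost < 4 || $cost > 31) {
        throw new InvalidArgumentException('bcrypt cost must be 4..31');
    }
    // 16 random bytes -> base64 -> 22 chars drawn from [./A-Za-z0-9]
    $chars = substr(strtr(base64_encode(random_bytes(16)), '+', '.'), 0, BCRYPT_SALT_CHARS);
    return sprintf('$2y$%02d$%s', $cost, $chars);
}

// Wrap crypt() and reject its failure sentinel instead of passing it on.
function bcrypt_or_fail(string $password, string $salt): string
{
    $hash = crypt($password, $salt);
    // On failure crypt() returns a string shorter than 13 chars ("*0" in the report).
    if (strlen($hash) < 13 || $hash[0] === '*') {
        throw new RuntimeException("crypt() failed for salt $salt: " . var_export($hash, true));
    }
    // A bcrypt result is 60 chars. Only the "$2y$NN$" prefix is compared, because bcrypt
    // re-encodes the 22nd salt char (only 2 of its 6 bits are used), so it may differ.
    if (strlen($hash) !== 60 || strncmp($hash, $salt, 7) !== 0) {
        throw new RuntimeException("unexpected crypt() output: $hash");
    }
    return $hash;
}

// Verify a stored hash: crypt() with the hash itself as salt must reproduce it.
function bcrypt_verify(string $password, string $hash): bool
{
    return hash_equals($hash, crypt($password, $hash));
}

$salts = [
    '$2y$07$usesomesillystringfors',      // exactly 22 salt chars: works
    '$2y$07$usesomesillystringforsalt$',  // the report's salt: "*0" on 7.1.0RC1
    bcrypt_salt(10),
];
foreach ($salts as $salt) {
    try {
        $hash = bcrypt_or_fail('secret', $salt);
        printf("ok   %s verify=%s\n", $hash, var_export(bcrypt_verify('secret', $hash), true));
    } catch (RuntimeException $e) {
        printf("fail %s\n", $e->getMessage());
    }
}
```

password_hash() and password_verify() perform this salt generation and result validation internally and are the API to prefer over calling crypt() directly; the explicit checks above show what goes wrong when a caller trusts crypt()'s return value blindly.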