History log of /PHP-8.3/ext/standard/tests/crypt/bcrypt_salt_dollar.phpt (Results 1 – 1 of 1)
Revision Date Author Comments
# c840f715 23-Jan-2023 Tim Düsterhus

crypt: Fix validation of malformed BCrypt hashes

PHP’s implementation of crypt_blowfish differs from the upstream Openwall
version by adding a “PHP Hack”, which allows one to cut short t

crypt: Fix validation of malformed BCrypt hashes

PHP’s implementation of crypt_blowfish differs from the upstream Openwall
version by adding a “PHP Hack”, which allows one to cut short the BCrypt salt
by including a `$` character within the characters that represent the salt.

Hashes that are affected by the “PHP Hack” may erroneously validate any
password as valid when used with `password_verify` and when comparing the
return value of `crypt()` against the input.

The PHP Hack exists since the first version of PHP’s own crypt_blowfish
implementation that was added in 1e820eca02dcf322b41fd2fe4ed2a6b8309f8ab5.

No clear reason is given for the PHP Hack’s existence. This commit removes it,
because BCrypt hashes containing a `$` character in their salt are not valid
BCrypt hashes.

show more ...