History log of /PHP-8.2/ext/standard/password.c (Results 1 – 25 of 151)
Revision Date Author Comments
# bf9929a2 31-Aug-2024 Go Kudo

standard: suppress msan (#15665)


# 0ba5229a 29-Mar-2024 Jakub Zelenka

Fix bug GHSA-q6x7-frmf-grcw: password_verify can erroneously return true

Disallow null character in bcrypt password


# 20c49f85 12-Feb-2024 haszi

Move PASSWORD constants to stubs (#13349)


# 97b3b455 01-Feb-2024 Tim Düsterhus

random: Move CSPRNG API into php_random_csprng.h (#13290)

This allows consumers of just the CSPRNG to include a much smaller header. It
also allows to verify at a glance whether a source file might use non-secure
randomness.

This commit includes the new header wherever the CSPRNG is used, possibly
replacing the inclusion of php_random.h if nothing else is used, but also
includes it in the main php_random.h header for compatibility.

Somewhat related to 45f8cfaf104f504340b0073b9736bb50a88d70a1,
2b30f18708b4f73d2c1d29d3a92a606ebdc5ac4c, and
b14dd85dca3b67a5462f5ed9b6aa0dc22beb615c.


# a145b40f 20-Jul-2023 Ilija Tovilo

Fix uouv in password_needs_rehash() and password_hash()


# 9d5f2f13 20-Mar-2023 Ilija Tovilo

Use new ZSTR_INIT_LITERAL macro (#10879)


# c59e0750 23-Jan-2023 Tim Düsterhus

password: Use `php_random_bytes_throw` in `php_password_make_salt` (#10393)

The CSPRNG failing should be rare nowadays, but it *might* happen and without
this patch it's hard for the user to find out why the salt generation failed:
The error message is not actionable.

This patch will automatically set the CSPRNG exception to the `$previous`
exception of the ValueError that is thrown, allowing the developer to determine
the cause of the salt generation failure.

Before:

Fatal error: Uncaught ValueError: Unable to generate salt in php-src/test3.php:3
Stack trace:
#0 php-src/test3.php(3): password_hash(Object(SensitiveParameterValue), '2y')
#1 {main}
thrown in php-src/test3.php on line 3

After:

Fatal error: Uncaught Random\RandomException: Cannot open /dev/urandom: No such file or directory in php-src/test3.php:3
Stack trace:
#0 php-src/test3.php(3): password_hash(Object(SensitiveParameterValue), '2y')
#1 {main}

Next ValueError: Unable to generate salt in php-src/test3.php:3
Stack trace:
#0 php-src/test3.php(3): password_hash(Object(SensitiveParameterValue), '2y')
#1 {main}
thrown in php-src/test3.php on line 3


# 77ee92a5 28-Nov-2022 Jorg Adam Sowa

Remove unnecessary usage of CONST_CS

Closes GH-9685.


# 4d8dd8d2 19-Jul-2022 Go Kudo

Implement Random Extension

https://wiki.php.net/rfc/rng_extension
https://wiki.php.net/rfc/random_extension_improvement


Revision tags: php-7.3.13RC1, php-7.2.26RC1, php-7.4.0, php-7.2.25, php-7.3.12, php-7.4.0RC6, php-7.3.12RC1, php-7.2.25RC1, php-7.4.0RC5, php-7.1.33, php-7.2.24, php-7.3.11, php-7.4.0RC4, php-7.3.11RC1, php-7.2.24RC1, php-7.4.0RC3, php-7.2.23, php-7.3.10
# bfe6f9e6 20-Sep-2019 David Carlier

Introduction of timing attack safe bcmp implementation.

Nothing new but to refactor usage b/w hash and password
extensions but using volatile pointers to be a bit safer,
allowing to expand its usage eventually.


# 5171cb43 20-May-2020 George Peter Banyard

Fix [-Wundef] warnings in standard extension


# 90b7bde6 03-Nov-2021 Dmitry Stogov

Use more compact representation for packed arrays.

- for packed arrays we store just an array of zvals without keys.
- the elements of packed array are accessible through ht->arPacked[i]
  instead of ht->arData[i]
- in addition to general ZEND_HASH_FOREACH_* macros, we introduced similar
  families for packed (ZEND_HASH_PACKED_FORECH_*) and real hashes
  (ZEND_HASH_MAP_FOREACH_*)
- introduced an additional family of macros to access elements of array
(packed or real hashes) ZEND_ARRAY_ELEMET_SIZE, ZEND_ARRAY_ELEMET_EX,
ZEND_ARRAY_ELEMET, ZEND_ARRAY_NEXT_ELEMENT, ZEND_ARRAY_PREV_ELEMENT
- zend_hash_minmax() prototype was changed to compare only values

Because of smaller data set, this patch may show performance improvement
on some apps and benchmarks that use packed arrays. (~1% on PHP-Parser)

TODO:
- sapi/phpdbg needs special support for packed arrays (WATCH_ON_BUCKET).
- zend_hash_sort_ex() may require converting packed arrays to hash.


# b0d4d6eb 20-Jul-2021 Nikita Popov

Create persistent interned string for password algos

These strings are returned to userland by password_algos(),
which violates thread-safety invariants. Create persistent
interned strings for them instead.


# 01b3fc03 06-May-2021 KsaR

Update http->https in license (#6945)

1. Update: http://www.php.net/license/3_01.txt to https, as there is anyway server header "Location:" to https.
2. Update few license 3.0 to 3.01 as 3.0 states "php 5.1.1, 4.1.1, and earlier".
3. In some license comments is "at through the world-wide-web" while most is without "at", so deleted.
4. fixed indentation in some files before |


# cec5e308 11-Feb-2021 Nikita Popov

Don't return null from password_get_info()

The get_info() handler should never fail, but even if it does,
we should still return a proper info array -- it doesn't make
sense that a completely incorrect hash returns an info array,
but a hash that is recognized but for which the options can't
be extracted would return null.


# 3e01f5af 15-Jan-2021 Nikita Popov

Replace zend_bool uses with bool

We're starting to see a mix between uses of zend_bool and bool.
Replace all usages with the standard bool type everywhere.

Of course, zend_bool is retained as an alias.


# c37a1cd6 10-Sep-2020 Máté Kocsis

Promote a few remaining errors in ext/standard

Closes GH-6110


# 8107a1da 04-Sep-2020 Máté Kocsis

Use ZPP instead of custom type checks

We can add these types as a native type declaration to stubs as a side-effect. Closes GH-6068


# 1b2ec73c 26-Aug-2020 George Peter Banyard

Drop various unused macros/APIs

Also convert_libmagic_pattern() to return a zend_string*

Closes GH-6029


# 2b5de6f8 01-Jul-2020 Max Semenik

Remove proto comments from C files

Closes GH-5758


# 1b85e749 06-Jun-2020 twosee

Fix warning of strict-prototypes

Closes GH-5673.


# bb6f3740 24-Feb-2020 Máté Kocsis

Improve argument error messages in ext/standard

Closes GH-5198


# ea1b8788 22-Jan-2020 Máté Kocsis

Fix #78969 Make PASSWORD_DEFAULT match PASSWORD_BCRYPT instead of being null

It was an unintentional BC break.


# 31cf9a7e 29-Dec-2019 Máté Kocsis

Use RETURN_THROWS() when an exception is thrown

Closes GH-5036


# 37c11714 20-Nov-2019 Máté Kocsis

Promote warnings to exceptions in password_*() functions

