
Commit 459b4ac

bukka authored and remicollet committed
Fix bug GHSA-q6x7-frmf-grcw: password_verify can erroneously return true
Disallow null character in bcrypt password

(cherry picked from commit 0ba5229a3f7572846e91c8f5382e87785f543826)
(cherry picked from commit 81794c7)
(cherry picked from commit 4a7ceb9)
(cherry picked from commit 7471009)
(cherry picked from commit d22d9eb)
(cherry picked from commit cd9a376)
1 parent d8e42d4 commit 459b4ac


2 files changed

+9
-0
lines changed


ext/standard/password.c

Lines changed: 5 additions & 0 deletions
@@ -283,6 +283,11 @@ PHP_FUNCTION(password_hash)
283283
cost = zval_get_long(option_buffer);
284284
}
285285

286+
if (memchr(password, '\0', password_len)) {
287+
php_error_docref(NULL, E_WARNING, "Bcrypt password must not contain null character");
288+
RETURN_NULL();
289+
}
290+
286291
if (cost < 4 || cost > 31) {
287292
php_error_docref(NULL, E_WARNING, "Invalid bcrypt cost parameter specified: " ZEND_LONG_FMT, cost);
288293
RETURN_NULL();
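Review bot: the commit title says password_verify can erroneously return true, but this hunk only guards password_hash; hashes minted before this check still exist in stores, so the commit message (or a follow-up) should state whether password_verify also needs to reject NUL-containing input or whether refusing it at hash time is the complete fix. The check itself is right to use memchr over password_len rather than a strlen-style scan, and placing it before the cost validation means a NUL-containing password is refused even when the cost option is also invalid; the warning plus RETURN_NULL() follows the same failure convention as the cost error just below, so callers see the same NULL result for both.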

ext/standard/tests/password/password_bcrypt_errors.phpt

Lines changed: 4 additions & 0 deletions
@@ -16,6 +16,8 @@ var_dump(password_hash("foo", PASSWORD_BCRYPT, array("salt" => 123)));
1616

1717
var_dump(password_hash("foo", PASSWORD_BCRYPT, array("cost" => "foo")));
1818

19+
var_dump(password_hash("null\0password", PASSWORD_BCRYPT));
20+
1921
?>
2022
--EXPECTF--
2123
Warning: password_hash(): Invalid bcrypt cost parameter specified: 3 in %s on line %d
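Review bot: the new case only covers a NUL in the middle of the string; a leading NUL ("\0foo") and a trailing one ("foo\0") would pin down that the check is position-independent, and a case that also passes an invalid cost option would confirm that the NUL warning takes precedence, as the ordering of the checks in password.c implies. Note that "null\0password" relies on PHP double-quote escape handling to produce a literal NUL byte, so this line must stay double-quoted.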
@@ -42,4 +44,6 @@ NULL
4244
Warning: password_hash(): Invalid bcrypt cost parameter specified: 0 in %s on line %d
4345
NULL
4446

47+
Warning: password_hash(): Bcrypt password must not contain null character in %s on line %d
48+
NULL
4549
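Review bot: the expectation only records the warning and NULL; nothing here confirms that a password sharing the same prefix but without a NUL (e.g. "null") still hashes successfully now that the check runs before cost validation, so a positive case matched with %s would guard against the check being too broad. The expected warning must match the C message byte-for-byte ("Bcrypt password must not contain null character"), which it currently does.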
