Fix bug GHSA-q6x7-frmf-grcw: password_verify can erroneously return true

bukka · remicollet · commit cd9a376c28c6 · 2024-04-10T14:14:17.000+02:00
Disallow null character in bcrypt password (cherry picked from commit 0ba5229a3f7572846e91c8f5382e87785f543826) (cherry picked from commit 81794c7) (cherry picked from commit 4a7ceb9) (cherry picked from commit 7471009) (cherry picked from commit d22d9eb)
diff --git a/ext/standard/password.c b/ext/standard/password.c
@@ -282,6 +282,11 @@ PHP_FUNCTION(password_hash)
 				cost = zval_get_long(option_buffer);
 			}
 
+			if (memchr(password, '\0', password_len)) {
+				php_error_docref(NULL, E_WARNING, "Bcrypt password must not contain null character");
+				RETURN_NULL();
+			}
+
 			if (cost < 4 || cost > 31) {
 				php_error_docref(NULL, E_WARNING, "Invalid bcrypt cost parameter specified: " ZEND_LONG_FMT, cost);
 				RETURN_NULL();
diff --git a/ext/standard/tests/password/password_bcrypt_errors.phpt b/ext/standard/tests/password/password_bcrypt_errors.phpt
@@ -16,6 +16,8 @@ var_dump(password_hash("foo", PASSWORD_BCRYPT, array("salt" => 123)));
 
 var_dump(password_hash("foo", PASSWORD_BCRYPT, array("cost" => "foo")));
 
+var_dump(password_hash("null\0password", PASSWORD_BCRYPT));
+
 ?>
 --EXPECTF--
 Warning: password_hash(): Invalid bcrypt cost parameter specified: 3 in %s on line %d
@@ -41,3 +43,7 @@ NULL
 
 Warning: password_hash(): Invalid bcrypt cost parameter specified: 0 in %s on line %d
 NULL
+
+Warning: password_hash(): Bcrypt password must not contain null character in %s on line %d
+NULL
+
