Fix bug GHSA-q6x7-frmf-grcw: password_verify can erroneously return true

bukka · remicollet · commit d22d9ebb29dc · 2024-04-10T13:42:57.000+02:00
Disallow null character in bcrypt password (cherry picked from commit 0ba5229a3f7572846e91c8f5382e87785f543826) (cherry picked from commit 81794c7) (cherry picked from commit 4a7ceb9) (cherry picked from commit 7471009)
diff --git a/ext/standard/password.c b/ext/standard/password.c
@@ -438,6 +438,11 @@ PHP_FUNCTION(password_hash)
 					cost = zval_get_long(option_buffer);
 				}
 
+				if (memchr(ZSTR_VAL(password), '\0', ZSTR_LEN(password))) {
+					php_error_docref(NULL, E_WARNING, "Bcrypt password must not contain null character");
+					RETURN_NULL();
+				}
+
 				if (cost < 4 || cost > 31) {
 					php_error_docref(NULL, E_WARNING, "Invalid bcrypt cost parameter specified: " ZEND_LONG_FMT, cost);
 					RETURN_NULL();
diff --git a/ext/standard/tests/password/password_bcrypt_errors.phpt b/ext/standard/tests/password/password_bcrypt_errors.phpt
@@ -16,6 +16,8 @@ var_dump(password_hash("foo", PASSWORD_BCRYPT, array("salt" => 123)));
 
 var_dump(password_hash("foo", PASSWORD_BCRYPT, array("cost" => "foo")));
 
+var_dump(password_hash("null\0password", PASSWORD_BCRYPT));
+
 ?>
 --EXPECTF--
 Warning: password_hash(): Invalid bcrypt cost parameter specified: 3 in %s on line %d
@@ -41,3 +43,7 @@ NULL
 
 Warning: password_hash(): Invalid bcrypt cost parameter specified: 0 in %s on line %d
 NULL
+
+Warning: password_hash(): Bcrypt password must not contain null character in %s on line %d
+NULL
+
