archive/php-src
1
0
Fork 0
mirror of https://github.com/php/php-src.git synced 2025-08-16 05:58:45 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

Remove deprecated DES fallback in crypt()

Browse source
This commit is contained in:
Nikita Popov 2020-06-24 12:55:37 +02:00
parent 8a8c8d4d6a
commit d579b10c84
3 changed files with 11 additions and 29 deletions
Download patch file Download diff file Expand all files Collapse all files

3
UPGRADING
View file

@ -437,6 +437,9 @@ PHP 8.0 UPGRADE NOTES
respect the inherited locale without an explicit setlocale() call. An respect the inherited locale without an explicit setlocale() call. An
explicit setlocale() call is now always required if you wish to change any explicit setlocale() call is now always required if you wish to change any
locale component from the default. locale component from the default.
. Remove deprecated DES fallback in crypt(). If an unknown salt format is
passed to crypt(), the function will fail with *0 instead of falling back
to a weak DES hash now.
- Sysvmsg: - Sysvmsg:
. msg_get_queue() will now return an SysvMessageQueue object rather than a . msg_get_queue() will now return an SysvMessageQueue object rather than a

28
ext/standard/crypt.c
View file

@ -51,9 +51,6 @@
/* Used to check DES salts to ensure that they contain only valid characters */ /* Used to check DES salts to ensure that they contain only valid characters */
#define IS_VALID_SALT_CHARACTER(c) (((c) >= '.' && (c) <= '9') || ((c) >= 'A' && (c) <= 'Z') || ((c) >= 'a' && (c) <= 'z')) #define IS_VALID_SALT_CHARACTER(c) (((c) >= '.' && (c) <= '9') || ((c) >= 'A' && (c) <= 'Z') || ((c) >= 'a' && (c) <= 'z'))
#define DES_INVALID_SALT_ERROR "Supplied salt is not valid for DES. Possible bug in provided salt format."
PHP_MINIT_FUNCTION(crypt) /* {{{ */ PHP_MINIT_FUNCTION(crypt) /* {{{ */
{ {
REGISTER_LONG_CONSTANT("CRYPT_SALT_LENGTH", PHP_MAX_SALT_LEN, CONST_CS | CONST_PERSISTENT); REGISTER_LONG_CONSTANT("CRYPT_SALT_LENGTH", PHP_MAX_SALT_LEN, CONST_CS | CONST_PERSISTENT);
@ -163,20 +160,9 @@ PHPAPI zend_string *php_crypt(const char *password, const int pass_len, const ch
ZEND_SECURE_ZERO(output, PHP_MAX_SALT_LEN + 1); ZEND_SECURE_ZERO(output, PHP_MAX_SALT_LEN + 1);
return result; return result;
} }
} else { } else if (salt[0] == '_'
|| (IS_VALID_SALT_CHARACTER(salt[0]) && IS_VALID_SALT_CHARACTER(salt[1]))) {
/* DES Fallback */ /* DES Fallback */
/* Only check the salt if it's not EXT_DES */
if (salt[0] != '_') {
/* DES style hashes */
if (!IS_VALID_SALT_CHARACTER(salt[0]) || !IS_VALID_SALT_CHARACTER(salt[1])) {
if (!quiet) {
/* error consistently about invalid DES fallbacks */
php_error_docref(NULL, E_DEPRECATED, DES_INVALID_SALT_ERROR);
}
}
}
memset(&buffer, 0, sizeof(buffer)); memset(&buffer, 0, sizeof(buffer));
_crypt_extended_init_r(); _crypt_extended_init_r();
@ -187,17 +173,13 @@ PHPAPI zend_string *php_crypt(const char *password, const int pass_len, const ch
result = zend_string_init(crypt_res, strlen(crypt_res), 0); result = zend_string_init(crypt_res, strlen(crypt_res), 0);
return result; return result;
} }
} else {
/* Unknown hash type */
return NULL;
} }
} }
#else #else
if (salt[0] != '$' && salt[0] != '_' && (!IS_VALID_SALT_CHARACTER(salt[0]) || !IS_VALID_SALT_CHARACTER(salt[1]))) {
if (!quiet) {
/* error consistently about invalid DES fallbacks */
php_error_docref(NULL, E_DEPRECATED, DES_INVALID_SALT_ERROR);
}
}
# if defined(HAVE_CRYPT_R) && (defined(_REENTRANT) || defined(_THREAD_SAFE)) # if defined(HAVE_CRYPT_R) && (defined(_REENTRANT) || defined(_THREAD_SAFE))
{ {
# if defined(CRYPT_R_STRUCT_CRYPT_DATA) # if defined(CRYPT_R_STRUCT_CRYPT_DATA)

9
ext/standard/tests/crypt/des_fallback_invalid_salt.phpt
View file

@ -7,9 +7,6 @@ var_dump(crypt("test", "$#"));
var_dump(crypt("test", "$5zd$01")); var_dump(crypt("test", "$5zd$01"));
?> ?>
--EXPECTF-- --EXPECT--
Deprecated: crypt(): Supplied salt is not valid for DES. Possible bug in provided salt format. in %s on line %d string(2) "*0"
string(13) "$#8MWASl5pGIk" string(2) "*0"
Deprecated: crypt(): Supplied salt is not valid for DES. Possible bug in provided salt format. in %s on line %d
string(13) "$54mkQyGCLvHs"