-rw-r--r-- | UPGRADING | 3 | ||||
-rw-r--r-- | ext/standard/crypt.c | 28 | ||||
-rw-r--r-- | ext/standard/tests/crypt/des_fallback_invalid_salt.phpt | 9 |
3 files changed, 11 insertions, 29 deletions
@@ -437,6 +437,9 @@ PHP 8.0 UPGRADE NOTES respect the inherited locale without an explicit setlocale() call. An explicit setlocale() call is now always required if you wish to change any locale component from the default.
+ . Remove deprecated DES fallback in crypt(). If an unknown salt format is
+ passed to crypt(), the function will fail with *0 instead of falling back
+ to a weak DES hash now.
- Sysvmsg: . msg_get_queue() will now return an SysvMessageQueue object rather than a
diff --git a/ext/standard/crypt.c b/ext/standard/crypt.c
index 7adfbe5862..6188dc2920 100644
--- a/ext/standard/crypt.c
+++ b/ext/standard/crypt.c
@@ -51,9 +51,6 @@
/* Used to check DES salts to ensure that they contain only valid characters */
#define IS_VALID_SALT_CHARACTER(c) (((c) >= '.' && (c) <= '9') || ((c) >= 'A' && (c) <= 'Z') || ((c) >= 'a' && (c) <= 'z'))
-#define DES_INVALID_SALT_ERROR "Supplied salt is not valid for DES. Possible bug in provided salt format."
-
-
PHP_MINIT_FUNCTION(crypt) /* {{{ */
{
REGISTER_LONG_CONSTANT("CRYPT_SALT_LENGTH", PHP_MAX_SALT_LEN, CONST_CS | CONST_PERSISTENT);
@@ -163,20 +160,9 @@ PHPAPI zend_string *php_crypt(const char *password, const int pass_len, const ch
ZEND_SECURE_ZERO(output, PHP_MAX_SALT_LEN + 1);
return result;
}
- } else {
+ } else if (salt[0] == '_'
+ || (IS_VALID_SALT_CHARACTER(salt[0]) && IS_VALID_SALT_CHARACTER(salt[1]))) {
/* DES Fallback */
-
- /* Only check the salt if it's not EXT_DES */
- if (salt[0] != '_') {
- /* DES style hashes */
- if (!IS_VALID_SALT_CHARACTER(salt[0]) || !IS_VALID_SALT_CHARACTER(salt[1])) {
- if (!quiet) {
- /* error consistently about invalid DES fallbacks */
- php_error_docref(NULL, E_DEPRECATED, DES_INVALID_SALT_ERROR);
- }
- }
- }
-
memset(&buffer, 0, sizeof(buffer));
_crypt_extended_init_r();
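Review bot: The `/* DES Fallback */` comment kept under the new `else if` in the `@@ -163,20 +160,9 @@` hunk no longer describes the branch: the fallback for unrecognised salts is exactly what this commit removes, and the branch is now entered only for a `_`-prefixed extended-DES salt or a salt whose first two characters both pass `IS_VALID_SALT_CHARACTER`. I would replace it with `/* Traditional DES (two valid salt chars) or extended DES ('_' prefix); any other format falls through to the rejecting else */`. The condition reads `salt[1]` whenever `salt[0]` is a valid salt character, which is only safe because a NUL terminator fails the character test; the deleted code relied on the same thing, but it is worth saying so in the comment if the caller does not guarantee a terminated salt. php_crypt begins before this hunk and continues past it.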
@@ -187,17 +173,13 @@ PHPAPI zend_string *php_crypt(const char *password, const int pass_len, const ch
result = zend_string_init(crypt_res, strlen(crypt_res), 0);
return result;
}
+ } else {
+ /* Unknown hash type */
+ return NULL;
}
}
#else
- if (salt[0] != '$' && salt[0] != '_' && (!IS_VALID_SALT_CHARACTER(salt[0]) || !IS_VALID_SALT_CHARACTER(salt[1]))) {
- if (!quiet) {
- /* error consistently about invalid DES fallbacks */
- php_error_docref(NULL, E_DEPRECATED, DES_INVALID_SALT_ERROR);
- }
- }
-
# if defined(HAVE_CRYPT_R) && (defined(_REENTRANT) || defined(_THREAD_SAFE))
{
# if defined(CRYPT_R_STRUCT_CRYPT_DATA)
diff --git a/ext/standard/tests/crypt/des_fallback_invalid_salt.phpt b/ext/standard/tests/crypt/des_fallback_invalid_salt.phpt
index a6a7368081..b0797657d8 100644
--- a/ext/standard/tests/crypt/des_fallback_invalid_salt.phpt
+++ b/ext/standard/tests/crypt/des_fallback_invalid_salt.phpt
@@ -7,9 +7,6 @@
var_dump(crypt("test", "$#"));
var_dump(crypt("test", "$5zd$01"));
?>
---EXPECTF--
-Deprecated: crypt(): Supplied salt is not valid for DES. Possible bug in provided salt format. in %s on line %d
-string(13) "$#8MWASl5pGIk"
-
-Deprecated: crypt(): Supplied salt is not valid for DES. Possible bug in provided salt format. in %s on line %d
-string(13) "$54mkQyGCLvHs"
+--EXPECT--
+string(2) "*0"
+string(2) "*0" |
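Review bot: On the `#else` (system crypt_r) path of the `@@ -187,17 +173,13 @@` hunk the commit only deletes the deprecation warning and adds nothing in its place, so an unrecognised salt is now passed straight to the platform's crypt_r() instead of being rejected the way the PHP-internal path now is with `return NULL`. What comes back then depends on the libc — DES implementations that do not validate salt characters still produce a hash — so the UPGRADING promise that unknown salts fail with `*0` appears to hold only for builds that use PHP's own crypt. Re-using the deleted condition as a guard in front of the `# if defined(HAVE_CRYPT_R)` block would make both paths agree; note that `$`-prefixed salts such as the test's `$#` would still be forwarded to libc, exactly as the deleted check allowed. php_crypt's `#if` arm closes in this hunk, but the `#else` arm continues beyond it.
```c
#else
	/* Unknown hash type: refuse it here rather than let the platform's
	 * crypt_r() decide what an unrecognised salt means (some libc DES
	 * code still hashes with it). Mirrors the internal-crypt branch. */
	if (salt[0] != '$' && salt[0] != '_'
			&& (!IS_VALID_SALT_CHARACTER(salt[0]) || !IS_VALID_SALT_CHARACTER(salt[1]))) {
		return NULL;
	}
	/* … unchanged: crypt_r / crypt call … */
```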
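Review bot: The updated `des_fallback_invalid_salt.phpt` only pins the rejection of two `$`-prefixed salts; nothing checks that a valid two-character DES salt or a `_`-prefixed extended-DES salt still hashes, so an over-broad condition in the new `else if` would pass this suite unnoticed. Unless another test already covers it, add `var_dump(strlen(crypt("test", "ab")) === 13);` with expected `bool(true)` — the removed expectations show traditional DES output is 13 characters, so no literal hash needs to be pinned. The `*0` expectations also presumably depend on a SKIPIF (not visible here) that excludes builds using the system crypt_r(), where the result for these salts is platform-defined; worth confirming.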