From 032f862133dbd2acc04cb75004428d6209f6046b Mon Sep 17 00:00:00 2001
From: Nikita Popov <nikita.ppv@gmail.com>
Date: Mon, 7 Sep 2020 15:43:26 +0200
Subject: Drop support for crypt() without explicit salt

crypt() without salt generates a weak $1$ MD5 hash. It has been
throwing a notice since 2013 and we provide a much better alternative
in password_hash() (which can auto-generate salts for strong
password hashes), so keeping this is just a liability.
---
 UPGRADING | 3 +++
 1 file changed, 3 insertions(+)

(limited to 'UPGRADING')

diff --git a/UPGRADING b/UPGRADING
index d18bc98eeb..0621d8eade 100644
--- a/UPGRADING
+++ b/UPGRADING
@@ -576,6 +576,9 @@ PHP 8.0 UPGRADE NOTES
 
         $ctx = stream_context_create(['http' => ['protocol_version' => '1.0']]);
         echo file_get_contents('http://example.org', false, $ctx);
+  . Calling crypt() without an explicit salt is no longer supported. If you
+    would like to produce a strong hash with an auto-generated salt, use
+    password_hash() instead.
 
 - Sysvmsg:
   . msg_get_queue() will now return an SysvMessageQueue object rather than a
-- 
cgit v1.2.1