Edit report at https://bugs.php.net/bug.php?id=62488&edit=1
ID: 62488
Comment by: daniel at heath dot cc
Reported by: smt837784 at yahoo dot com
Summary: Invalid bcrypt hash
Status: Open
Type: Bug
Package: *Encryption and hash functions
Operating System: Fedora 16 (3.3.4-1.fc16.x86_64)
PHP Version: 5.3.14
Block user comment: N
Private report: N
New Comment:
Allowing these '$' characters without reporting any errors is confusing; these
hashes cannot be decoded by any standard-compliant implementation of bcrypt.
Previous Comments:
------------------------------------------------------------------------
[2012-07-06 03:06:17] smt837784 at yahoo dot com
Description:
------------
If the salt is less than 128 bits (22 characters in base 64) it is padded with
"$" instead of ".". Which is an invalid bcrypt hash.
Test script:
---------------
echo crypt('', '$2y$04$......................') . '<br>';
echo crypt('', '$2y$04$....') . '<br>';
echo crypt('', '$2y$04$....$$$$$$$$$$$$$$$$$.'); // keep backwards compatibility
Expected result:
----------------
$2y$04$......................w74bL5gU7LSJClZClCa.Pkz14aTv/XO
$2y$04$......................w74bL5gU7LSJClZClCa.Pkz14aTv/XO
$2y$04$....$$$$$$$$$$$$$$$$$.w74bL5gU7LSJClZClCa.Pkz14aTv/XO
Actual result:
--------------
$2y$04$......................w74bL5gU7LSJClZClCa.Pkz14aTv/XO
$2y$04$....$$$$$$$$$$$$$$$$$.w74bL5gU7LSJClZClCa.Pkz14aTv/XO
$2y$04$....$$$$$$$$$$$$$$$$$.w74bL5gU7LSJClZClCa.Pkz14aTv/XO
------------------------------------------------------------------------
--
Edit this bug report at https://bugs.php.net/bug.php?id=62488&edit=1
