author | Anatol Belski <ab@php.net> | 2016-09-10 02:39:28 +0200 |
---|---|---|
committer | Anatol Belski <ab@php.net> | 2016-09-10 02:39:28 +0200 |
commit | 669fda00b75a0d361810429e0ef53f6c740b1727 (patch) | |
tree | e83ecf98218dcac650940c3328a890f125f2658b /ext/standard | |
parent | c42a7f2f3fdac5c71300e52b0f639d771791f20c (diff) | |
download | php-git-669fda00b75a0d361810429e0ef53f6c740b1727.tar.gz |
Bug #73058 crypt broken when salt is 'too' long
Diffstat (limited to 'ext/standard')
-rw-r--r-- | ext/standard/crypt.c | 8 | ||||
-rw-r--r-- | ext/standard/crypt_blowfish.c | 4 | ||||
-rw-r--r-- | ext/standard/tests/strings/bug73058.phpt | 29 |
3 files changed, 33 insertions, 8 deletions
diff --git a/ext/standard/crypt.c b/ext/standard/crypt.c
index 10f19ff113..1b83d6e127 100644
--- a/ext/standard/crypt.c
+++ b/ext/standard/crypt.c
@@ -201,14 +201,6 @@ PHPAPI int php_crypt(const char *password, const int pass_len, const char *salt,
 salt[5] >= '0' && salt[5] <= '9' &&
 salt[6] == '$') {
 char output[PHP_MAX_SALT_LEN + 1];
- int k = 7;
-
- while (isalnum(salt[k]) || '.' == salt[k] || '/' == salt[k]) {
- k++;
- }
- if (k != salt_len) {
- return FAILURE;
- }
 memset(output, 0, PHP_MAX_SALT_LEN + 1);
diff --git a/ext/standard/crypt_blowfish.c b/ext/standard/crypt_blowfish.c
index 3348d0cd27..5cf306715f 100644
--- a/ext/standard/crypt_blowfish.c
+++ b/ext/standard/crypt_blowfish.c
@@ -405,6 +405,10 @@ static int BF_decode(BF_word *dst, const char *src, int size)
 *dptr++ = ((c3 & 0x03) << 6) | c4;
 } while (dptr < end);
+ if (end - dptr == size) {
+ return -1;
+ }
+
 while (dptr < end) /* PHP hack */
 *dptr++ = 0;
diff --git a/ext/standard/tests/strings/bug73058.phpt b/ext/standard/tests/strings/bug73058.phpt
new file mode 100644
index 0000000000..f099850213
--- /dev/null
+++ b/ext/standard/tests/strings/bug73058.phpt
@@ -0,0 +1,29 @@
+--TEST--
+Bug #73058 crypt broken when salt is 'too' long
+--SKIPIF--
+<?php
+if (!function_exists('crypt'))) {
+ die("SKIP crypt() is not available");
+}
+?>
+--FILE--
+<?php
+$pass = 'secret';
+
+$salt = '$2y$07$usesomesillystringforsalt$';
+var_dump(crypt($pass, $salt));
+
+$salt = '$2y$07$usesomesillystringforsaltzzzzzzzzzzzzz$';
+var_dump(crypt($pass, $salt));
+
+$salt = '$2y$07$usesomesillystringforx';
+var_dump(crypt($pass, $salt));
+
+?>
+==OK==
+--EXPECT--
+string(60) "$2y$07$usesomesillystringforex.u2VJUMLRWaJNuw0Hu2FvCEimdeYVO"
+string(60) "$2y$07$usesomesillystringforex.u2VJUMLRWaJNuw0Hu2FvCEimdeYVO"
+string(60) "$2y$07$usesomesillystringforuw2Gm1ef7lMsvtzSK2p/14F0q1e8uOCO"
+==OK==
+ |
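Review bot: With the character-class loop removed, nothing left in this branch of php_crypt checks that the bytes after `$2y$NN$` belong to the bcrypt alphabet or that `salt_len` agrees with the string handed down, so the blowfish decoder in crypt_blowfish.c is now the only thing standing between caller-supplied salt text and the hash; the commit's own test shows that arbitrary bytes after a closing `$` are now accepted. That is a defensible fix for the bug, but the decision is invisible at this spot, and as far as the hunk shows `salt_len` is no longer consulted in this branch at all. I would record it above the `memset` line: `/* Salt text is not validated here; BF_decode() (crypt_blowfish.c) stops at the first '$' and is relied on to reject what it cannot decode. Trailing bytes after that '$' are ignored, and salt_len is not used. */` and confirm that a -1 from the blowfish code still surfaces as FAILURE in the caller. php_crypt begins and ends outside this hunk.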
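Review bot: The added check in BF_decode only rejects the case where nothing at all was decoded (`dptr` still at the start of `dst`); a salt that terminates after a handful of characters falls through to the `/* PHP hack */` loop below and is silently zero-filled, so the caller receives a well-formed bcrypt string whose salt is mostly zero bytes, which is a weaker salt than the format promises. If that leniency is kept for compatibility it should be stated rather than left as a bare `-1`: `/* Nothing decoded (salt ended immediately): fail rather than return an all-zero salt. */` above the `if`, and `/* Short salt: the remaining bytes are zero-filled, not rejected. */` on the zero-fill loop; if tightening is acceptable, `if (dptr < end) return -1;` in place of the PHP-hack loop would reject partial salts outright. Whether the -1 is acted upon depends on the caller, which is outside this hunk, as are BF_decode's loop head and final `return`.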
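Review bot: As printed in this hunk the SKIPIF line `if (!function_exists('crypt'))) {` has one closing parenthesis too many, which is a PHP parse error and means the skip check never decides anything; it should read `if (!function_exists('crypt')) {`. The test also only pins salts the loosened php_crypt now accepts; since this commit drops the `[./A-Za-z0-9]` check in crypt.c, a negative case with a salt containing characters outside that alphabet and no `$` terminator, with its expected result in `--EXPECT--`, would document whether such input is still rejected or is now decoded.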