Bug #65093 [Com]: password_hash ignores salts with spaces

Sat, 22 Jun 2013 05:36:35 -0700 

Edit report at https://bugs.php.net/bug.php?id=65093&edit=1

 ID:                 65093
 Comment by:         michael at squiloople dot com
 Reported by:        michael at squiloople dot com
 Summary:            password_hash ignores salts with spaces
 Status:             Open
 Type:               Bug
 Package:            hash related
 Operating System:   Windows Vista SP2
 PHP Version:        5.5.0
 Block user comment: N
 Private report:     N

 New Comment:

Would it be worth then having an error or a boolean/null return value rather 
than 
have it "fail" silently? If at any point the allowed characters for the salt 
were 
to extend then past hashes (where a salt was generated by the developer with 
previously invalid characters) would be broken.

If you give the developer the option to provide a value then surely it should 
be 
either accepted or denied rather than just ignored.


Previous Comments:
------------------------------------------------------------------------
[2013-06-22 05:48:33] r...@php.net

I think it's only a documentation problem which should explains which are the 
allowed characters in the salt (from code: a-z A-Z 0-9 . /)

(notice: It is strongly recommended that you do not generate your own salt for 
this function)

------------------------------------------------------------------------
[2013-06-21 22:37:03] michael at squiloople dot com

Description:
------------
When manually setting a salt which contains spaces the function ignores it and 
automatically generates its own.

Test script:
---------------
  echo password_hash('this is a test', PASSWORD_DEFAULT, array('salt' => 
'thisisatestthisisatest'));

  echo '<br>';

  echo password_hash('this is a test', PASSWORD_DEFAULT, array('salt' => 
'thisisatestthisis test'));

Expected result:
----------------
$2y$10$thisisatestthisisateseLNFJ7M2ONUSijVBKli7sVFN6rQm7o36
$2y$10$thisisatestthisis tesOZPioeRNSLNeG3cuJW56OSusfQ5SjKdO

(with the part after the salt being whatever it would be)

Actual result:
--------------
$2y$10$thisisatestthisisateseLNFJ7M2ONUSijVBKli7sVFN6rQm7o36
$2y$10$dGhpc2lzYXRlc3R0aGlzaOZPioeRNSLNeG3cuJW56OSusfQ5SjKdO


------------------------------------------------------------------------



-- 
Edit this bug report at https://bugs.php.net/bug.php?id=65093&edit=1

Reply via email to