Newsgroups: php.internals
Xref: news.php.net php.internals:113011
To: internals@lists.php.net
Date: Wed, 27 Jan 2021 18:52:54 +0000
Subject: Re: [PHP-DEV] password_verify() and unknown algos
From: rowan.collins@gmail.com (Rowan Tommins)

On 27/01/2021 16:26, Benjamin Morel wrote:
> Shouldn't it throw an exception, or at least trigger a warning, when the
> algorithm is unknown, or the hash is malformed? Returning false IMO, should
> mean "I recognize this hash, but it doesn't match your password". "I don't
> recognize this hash" is an application issue and should be reported.

Relevantly, password_hash() throws a ValueError for an unknown $algo
parameter as of 8.0:
https://heap.space/xref/php-src/ext/standard/password.c?r=3e01f5af#663

It would probably make sense to throw the same error if
php_password_algo_identify doesn't recognise the ident in the hash.

Regards,

-- 
Rowan Tommins
[IMSoP]
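
The distinction discussed in this thread can be enforced in userland today. The following is an added example, not code from the thread or from php-src: the wrapper name verify_password_strict() and the sample hashes are hypothetical, and it assumes PHP 7.4 or later, where password_get_info() reports an unrecognised hash as 'algo' => null.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical wrapper (not part of PHP): fail loudly when the stored hash
 * is not in a format the password API recognises, instead of returning false.
 */
function verify_password_strict(string $password, string $hash): bool
{
    // password_get_info() reports 'algo' => null and 'algoName' => 'unknown'
    // (PHP 7.4+) when the ident is unrecognised or the hash is malformed.
    $info = password_get_info($hash);
    if ($info['algo'] === null) {
        // Note: legacy crypt() formats that password_verify() can still check
        // are also reported as unknown here and would be rejected.
        throw new UnexpectedValueException('Unrecognised or malformed password hash');
    }
    // From here on, false means "recognised hash, wrong password".
    return password_verify($password, $hash);
}

// Constructed sample inputs (not real credentials).
$samples = [
    'valid bcrypt'   => password_hash('correct horse', PASSWORD_BCRYPT),
    'unknown ident'  => '$zz$v=1$c29tZXNhbHQ$c29tZWhhc2g',
    'truncated hash' => '$2y$10$tooshort',
    'empty column'   => '',
];

foreach ($samples as $label => $hash) {
    try {
        $ok = verify_password_strict('correct horse', $hash);
        printf("%-15s => %s\n", $label, $ok ? 'match' : 'mismatch');
    } catch (UnexpectedValueException $e) {
        // Surface this to logs/monitoring: a data or config fault, not a bad login.
        printf("%-15s => ERROR: %s\n", $label, $e->getMessage());
    }
}
```

Logging the exception separately from failed logins makes a truncated column or a hash written by an extension that is no longer loaded visible as an application fault.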