Newsgroups: php.internals
Xref: news.php.net php.internals:114115
Date: Fri, 23 Apr 2021 16:54:21 -0500
Subject: Re: [PHP-DEV] Binary (un)safety of password_hash() used with PASSWORD_BCRYPT
From: pollita@php.net (Sara Golemon)
To: Niklas Keller
Cc: PHP internals

On Fri, Apr 23, 2021 at 2:41 PM Niklas Keller wrote:

> People might remember the approach incorrectly or have a similar idea
> themselves and make mistakes in their own version of such code.

While I agree in principle that this is possibly true and a good justification for adding guard rails, I have to admit that assumptions are only assumptions, they're not data. If this pattern is to be used as evidence of a problem, then citations are required.

-Sara