Newsgroups: php.internals
Date: Wed, 7 Aug 2013 09:50:11 -0400
To: Yasuo Ohgaki
Cc: "internals@lists.php.net"
Subject: Re: [PHP-DEV] crypt() should raise error without 2nd parameter
From: ircmaxell@gmail.com (Anthony Ferrara)

Yasuo,

Hi all,
>
> A user requested that crypt() should raise error without 2nd (salt)
> parameter.
>
> https://bugs.php.net/bug.php?id=55036
>
> crypt() without salt generates extremely weak password hash. In addition to this,
> PHP 5.5 has password_hash()
>
> This change should be applied from 5.5, IMHO.
>
> Any comments?
>
> --
> Yasuo Ohgaki
> yohgaki@ohgaki.net
>

Well, first off, a BC break like this should never go into a current
release. So I'd support it for master / NEXT only anyway.

I did some digging, and it appears that the Python module also does similar
behavior (allowing a null salt). But their behavior is to generate a strong
salt for the strongest algorithm available. So their behavior is actually
useful. The other implementations that I've looked at would all error or
simply ignore the fact that the salt was empty (as a valid DES salt).

So, keeping with standard practices, I think we should E_DEPRECATE the
usage with only 1 parameter (no salt), and then in NEXT.NEXT change the
zend_parse_parameters definition to require 2 parameters...

My $0.02...
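
The thread contrasts legacy crypt() hashes with password_hash() from PHP 5.5. The following is an added example, not code from this thread or from php-src, showing how an application can find such hashes and replace them at login time. The function names, the `$store` callback and the sample password are assumptions made for illustration.

```php
<?php
// Added example, not from the thread. hashScheme(), verifyAndUpgrade() and
// the $store callback are hypothetical names. Requires PHP 5.5 or later.

// Classify a stored hash by its crypt(3) format so legacy entries can be audited.
function hashScheme($hash)
{
    if (preg_match('#^\$2[axy]\$\d{2}\$#', $hash)) return 'bcrypt';
    if (strncmp($hash, '$1$', 3) === 0)             return 'md5-crypt';
    if (preg_match('#^[./0-9A-Za-z]{13}$#', $hash)) return 'std-des';
    return 'other';
}

// Verify against whatever format is stored, then replace weak or outdated
// hashes while the plaintext password is still available.
function verifyAndUpgrade($password, $storedHash, $store)
{
    // password_verify() accepts any crypt()-format hash, including DES,
    // and compares in constant time.
    if (!password_verify($password, $storedHash)) {
        return false;
    }
    // True for every hash that is not the current default algorithm and cost.
    if (password_needs_rehash($storedHash, PASSWORD_DEFAULT)) {
        $store(password_hash($password, PASSWORD_DEFAULT));
    }
    return true;
}

// Constructed sample data: an explicit two-character salt selects standard DES.
$db = array('alice' => crypt('correct horse battery', 'ab'));
echo 'before: ', hashScheme($db['alice']), "\n";

// Standard DES hashes only the first 8 characters of the password, so a
// password that differs after "correct " still verifies against this hash.
var_dump(password_verify('correct XXXXXXXXXXXXX', $db['alice']));

// A successful login rewrites the stored hash with the current default.
$ok = verifyAndUpgrade('correct horse battery', $db['alice'],
    function ($new) use (&$db) { $db['alice'] = $new; });
var_dump($ok);
echo 'after: ', hashScheme($db['alice']), "\n";
```

Accounts that never log in again keep their old hash, so the classifier is also useful for counting how many legacy entries remain.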