Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:69738
Return-Path: <yohgaki@gmail.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 40400 invoked from network); 22 Oct 2013 06:11:19 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 22 Oct 2013 06:11:19 -0000
Authentication-Results: pb1.pair.com smtp.mail=yohgaki@gmail.com; spf=pass; sender-id=pass
Authentication-Results: pb1.pair.com header.from=yohgaki@gmail.com; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.215.42 as permitted sender)
X-PHP-List-Original-Sender: yohgaki@gmail.com
X-Host-Fingerprint: 209.85.215.42 mail-la0-f42.google.com  
Received: from [209.85.215.42] ([209.85.215.42:52401] helo=mail-la0-f42.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id E2/C4-10840-60716625 for <internals@lists.php.net>; Tue, 22 Oct 2013 02:11:18 -0400
Received: by mail-la0-f42.google.com with SMTP id ea20so2419754lab.29
        for <internals@lists.php.net>; Mon, 21 Oct 2013 23:11:15 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=mime-version:sender:in-reply-to:references:from:date:message-id
         :subject:to:cc:content-type;
        bh=PDDYn1NqmnhbxpweeKbJw4JFxCUF7qmAHkopF6sGmjg=;
        b=lCmnaAyi2wLLjROAolDSrmuMBwel++MwoyNvzLO10m4ZAi/iYaUatycRj/3LAwDstN
         Xu8Nmbj7AeKYJm9cPULYuk04/tAT91i3pwTZ/1XinIKae/bgsXr+5fXJSWkszmJ0t8zH
         NCXtShi/bgOvkEkT6DzSjWt4MnSRP+jtxlp6kKtDgs1fTsowoxF/uEs7m1neOsbQ/7Hm
         h/dfdg9QBvpHGACNEMfAdSMB9XFBOqIkfr3TGjQjFOemnmkxwIJkUCfg6CSknhni9wEo
         jVXAfCCDolKD9pMVqz9ntjUSgsKm98wx9EIruVBnJJ6y9p14BdyfgnLw0u0dvurpDcpS
         SOvw==
X-Received: by 10.152.22.35 with SMTP id a3mr13408laf.45.1382422275440; Mon,
 21 Oct 2013 23:11:15 -0700 (PDT)
MIME-Version: 1.0
Sender: yohgaki@gmail.com
Received: by 10.112.154.201 with HTTP; Mon, 21 Oct 2013 23:10:35 -0700 (PDT)
In-Reply-To: <CAGa2bXYONaoxFBbmDx_vXQCpWSxPfLUsQJDKoQ3OCo1gDTcBwQ@mail.gmail.com>
References: <CAGa2bXaRkv2asU1bAwXTe=9s7o2njsqxG8W8gE9OtcG=8G4qqg@mail.gmail.com>
 <8C33E1D9-8689-4E81-A79B-644CB690DB64@gmail.com> <CAGa2bXbkcn+hN5k=MeeOR3MaOn2kW_M_sKkcwfnOxhng8=gc8Q@mail.gmail.com>
 <CAGa2bXYONaoxFBbmDx_vXQCpWSxPfLUsQJDKoQ3OCo1gDTcBwQ@mail.gmail.com>
Date: Tue, 22 Oct 2013 15:10:35 +0900
X-Google-Sender-Auth: h4GJfe8R_AmOyhHUqz3aCi7XQqs
Message-ID: <CAGa2bXYjLhaPUkDYWH+iRGeQuNvtCEwSYDn74uDNtyKzBWMs3w@mail.gmail.com>
To: Alexey Zakhlestin <indeyets@gmail.com>
Cc: "internals@lists.php.net" <internals@lists.php.net>
Content-Type: multipart/alternative; boundary=089e0158b878a845e804e94e44a0
Subject: Re: [PHP-DEV] [VOTE] Change crypt() behavior w/o salt
From: yohgaki@ohgaki.net (Yasuo Ohgaki)

--089e0158b878a845e804e94e44a0
Content-Type: text/plain; charset=UTF-8

Hi all,

Any comments patch for this RFC?
Better E_NOTICE message is welcome.

diff --git a/UPGRADING b/UPGRADING
index b19c3dd..8f5033a 100755
--- a/UPGRADING
+++ b/UPGRADING
@@ -64,6 +64,10 @@ PHP X.Y UPGRADE NOTES
 4. Changed Functions
 ========================================

+- Standard:
+  crypt() without salt parameter raises E_NOTICE.
+  See https://wiki.php.net/rfc/crypt_function_salt
+
 - cURL:
   CURLOPT_SAFE_UPLOAD is now turned on by default and uploads with @file
   do not work unless it is explicitly set to false.
diff --git a/ext/standard/crypt.c b/ext/standard/crypt.c
index 113a5bd..eea6f78 100644
--- a/ext/standard/crypt.c
+++ b/ext/standard/crypt.c
@@ -272,6 +272,8 @@ PHP_FUNCTION(crypt)

  if (salt_in) {
  memcpy(salt, salt_in, MIN(PHP_MAX_SALT_LEN, salt_in_len));
+ } else {
+ php_error_docref(NULL TSRMLS_CC, E_NOTICE, "Weak hashed password is
generated without salt parameter");
  }

  /* The automatic salt generation covers standard DES, md5-crypt and
Blowfish (simple) */


Output:
[yohgaki@dev PHP-master]$ ./php-bin -d error_reporting=-1 -r
"crypt('asdfa');"
Notice: crypt(): Weak hashed password is generated without salt parameter
in Command line code on line 1


--
Yasuo Ohgaki
yohgaki@ohgaki.net


On Mon, Oct 7, 2013 at 5:51 PM, Yasuo Ohgaki <yohgaki@ohgaki.net> wrote:

> Hi all,
>
> Vote period is ended and the result was
>
> 0   Generate strong salt by default
> 12 Generate E_NOTICE error
> 2   Keep current behavior (Use weak hash)
>
> I'll prepare patch for it later.
>
> Thank you.
>
>
> --
> Yasuo Ohgaki
> yohgaki@ohgaki.net
>
>
> On Wed, Sep 25, 2013 at 1:17 PM, Yasuo Ohgaki <yohgaki@ohgaki.net> wrote:
>
>> Hi Alexey,
>>
>> On Tue, Sep 24, 2013 at 11:22 PM, Alexey Zakhlestin <indeyets@gmail.com>wrote:
>>
>>> strangely, this RFC is not shown in "In voting phase" section here:
>>> https://wiki.php.net/rfc
>>> is that done manually?
>>>
>>
>> I should have done this.
>> Thank you for point it out.
>>
>> Regards,
>>
>> --
>> Yasuo Ohgaki
>> yohgaki@ohgaki.net
>>
>
>

--089e0158b878a845e804e94e44a0--