Newsgroups: php.internals
Subject: Re: [PHP-DEV] [VOTE] Change crypt() behavior w/o salt
From: krakjoe@php.net (Joe Watkins)
To: internals@lists.php.net, Yasuo Ohgaki
Date: Tue, 22 Oct 2013 08:23:54 +0100
Message-ID: <5266280A.7070303@php.net>

On 10/22/2013 07:10 AM, Yasuo Ohgaki wrote:
> Hi all,
>
> Any comments on the patch for this RFC?
> A better E_NOTICE message is welcome.
>
> diff --git a/UPGRADING b/UPGRADING
> index b19c3dd..8f5033a 100755
> --- a/UPGRADING
> +++ b/UPGRADING
> @@ -64,6 +64,10 @@ PHP X.Y UPGRADE NOTES
> 4. Changed Functions
> ========================================
>
> +- Standard:
> + crypt() without salt parameter raises E_NOTICE.
> + See https://wiki.php.net/rfc/crypt_function_salt
> +
> - cURL:
> CURLOPT_SAFE_UPLOAD is now turned on by default and uploads with @file
> do not work unless it is explicitly set to false.
> diff --git a/ext/standard/crypt.c b/ext/standard/crypt.c
> index 113a5bd..eea6f78 100644
> --- a/ext/standard/crypt.c
> +++ b/ext/standard/crypt.c
> @@ -272,6 +272,8 @@ PHP_FUNCTION(crypt)
>
> if (salt_in) {
> memcpy(salt, salt_in, MIN(PHP_MAX_SALT_LEN, salt_in_len));
> + } else {
> + php_error_docref(NULL TSRMLS_CC, E_NOTICE, "Weak hashed password is
> generated without salt parameter");
> }
>
> /* The automatic salt generation covers standard DES, md5-crypt and
> Blowfish (simple) */
>
>
> Output:
> [yohgaki@dev PHP-master]$ ./php-bin -d error_reporting=-1 -r
> "crypt('asdfa');"
> Notice: crypt(): Weak hashed password is generated without salt parameter
> in Command line code on line 1
>
>
> --
> Yasuo Ohgaki
> yohgaki@ohgaki.net
>
>
> On Mon, Oct 7, 2013 at 5:51 PM, Yasuo Ohgaki wrote:
>
>> Hi all,
>>
>> The vote period has ended and the result was
>>
>> 0 Generate strong salt by default
>> 12 Generate E_NOTICE error
>> 2 Keep current behavior (Use weak hash)
>>
>> I'll prepare a patch for it later.
>>
>> Thank you.
>>
>>
>> --
>> Yasuo Ohgaki
>> yohgaki@ohgaki.net
>>
>>
>> On Wed, Sep 25, 2013 at 1:17 PM, Yasuo Ohgaki wrote:
>>
>>> Hi Alexey,
>>>
>>> On Tue, Sep 24, 2013 at 11:22 PM, Alexey Zakhlestin wrote:
>>>
>>>> strangely, this RFC is not shown in "In voting phase" section here:
>>>> https://wiki.php.net/rfc
>>>> is that done manually?
>>>>
>>>
>>> I should have done this.
>>> Thank you for pointing it out.
>>>
>>> Regards,
>>>
>>> --
>>> Yasuo Ohgaki
>>> yohgaki@ohgaki.net
>>>
>>
>>
>

The wording is not very good/does not make sense:

Notice: crypt(): weak hash generated without salt in Command line code on line 1

Cheers
Joe
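Review bot: the E_NOTICE text added in the crypt.c hunk ("Weak hashed password is generated without salt parameter") is grammatically awkward and tells the caller nothing about how to get rid of it; since the new `else` branch is reached only when salt_in is NULL, the message should name both the cause and the remedy, along the lines of "No salt provided, generating a weak DES hash; pass an explicit salt". The string literal appears split across two lines in the mail, which the one-line message in the quoted output suggests is only mail wrapping, but the committed source must keep it on a single line or the notice will carry a newline. The comment that follows ("The automatic salt generation covers standard DES, md5-crypt and Blowfish (simple)") should also be updated to say that this path is now discouraged, and the UPGRADING entry should state that the notice is avoided by supplying a salt, so users reading the upgrade notes know what to change.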