Newsgroups: php.internals
From: robin@kingsquare.nl ("Kingsquare.nl - Robin Speekenbrink")
To: Joe Watkins
Cc: PHP internals, Yasuo Ohgaki
Date: Tue, 22 Oct 2013 09:35:16 +0200
Subject: Re: [PHP-DEV] [VOTE] Change crypt() behavior w/o salt
In-Reply-To: <5266280A.7070303@php.net>
References: <8C33E1D9-8689-4E81-A79B-644CB690DB64@gmail.com> <5266280A.7070303@php.net>

As a non-English speaker I'd like to throw my 2 cents into the bag:

Notice: crypt(): weak hash generated due to lack of given salt in Command line code on line 1

Regards,

Robin Speekenbrink

2013/10/22 Joe Watkins

> On 10/22/2013 07:10 AM, Yasuo Ohgaki wrote:
>
>> Hi all,
>>
>> Any comments patch for this RFC?
>> Better E_NOTICE message is welcome.
>>
>> diff --git a/UPGRADING b/UPGRADING
>> index b19c3dd..8f5033a 100755
>> --- a/UPGRADING
>> +++ b/UPGRADING
>> @@ -64,6 +64,10 @@ PHP X.Y UPGRADE NOTES
>> 4. Changed Functions
>> ==============================**==========
>>
>> +- Standard:
>> + crypt() without salt parameter raises E_NOTICE.
>> + See https://wiki.php.net/rfc/**crypt_function_salt
>> +
>> - cURL:
>> CURLOPT_SAFE_UPLOAD is now turned on by default and uploads with @file
>> do not work unless it is explicitly set to false.
>> diff --git a/ext/standard/crypt.c b/ext/standard/crypt.c
>> index 113a5bd..eea6f78 100644
>> --- a/ext/standard/crypt.c
>> +++ b/ext/standard/crypt.c
>> @@ -272,6 +272,8 @@ PHP_FUNCTION(crypt)
>>
>> if (salt_in) {
>> memcpy(salt, salt_in, MIN(PHP_MAX_SALT_LEN, salt_in_len));
>> + } else {
>> + php_error_docref(NULL TSRMLS_CC, E_NOTICE, "Weak hashed password is
>> generated without salt parameter");
>> }
>>
>> /* The automatic salt generation covers standard DES, md5-crypt and
>> Blowfish (simple) */
>>
>>
>> Output:
>> [yohgaki@dev PHP-master]$ ./php-bin -d error_reporting=-1 -r
>> "crypt('asdfa');"
>> Notice: crypt(): Weak hashed password is generated without salt parameter
>> in Command line code on line 1
>>
>>
>> --
>> Yasuo Ohgaki
>> yohgaki@ohgaki.net
>>
>>
>> On Mon, Oct 7, 2013 at 5:51 PM, Yasuo Ohgaki wrote:
>>
>> Hi all,
>>>
>>> Vote period is ended and the result was
>>>
>>> 0 Generate strong salt by default
>>> 12 Generate E_NOTICE error
>>> 2 Keep current behavior (Use weak hash)
>>>
>>> I'll prepare patch for it later.
>>>
>>> Thank you.
>>>
>>>
>>> --
>>> Yasuo Ohgaki
>>> yohgaki@ohgaki.net
>>>
>>>
>>> On Wed, Sep 25, 2013 at 1:17 PM, Yasuo Ohgaki wrote:
>>>
>>> Hi Alexey,
>>>>
>>>> On Tue, Sep 24, 2013 at 11:22 PM, Alexey Zakhlestin wrote:
>>>>
>>>> strangely, this RFC is not shown in "In voting phase" section here:
>>>>> https://wiki.php.net/rfc
>>>>> is that done manually?
>>>>>
>>>>>
>>>> I should have done this.
>>>> Thank you for point it out.
>>>>
>>>> Regards,
>>>>
>>>> --
>>>> Yasuo Ohgaki
>>>> yohgaki@ohgaki.net
>>>>
>>>>
>>>
>>>
>> The wording is not very good/does not make sense:
>
> Notice: crypt(): weak hash generated without salt in Command line code on
> line 1
>
> Cheers
> Joe
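Review bot: in the ext/standard/crypt.c hunk, the new `else` branch is reached only when the `salt_in` pointer is NULL, while the `if` branch copies `MIN(PHP_MAX_SALT_LEN, salt_in_len)` bytes, so a caller passing an empty string as the salt copies zero bytes and, as far as this hunk shows, gets no notice. Decide whether that case should warn too (for example by also testing `salt_in_len`), and add a test that covers both the omitted and the empty salt. The message itself names the result before the cause; leading with the missing salt argument and saying that the caller should supply one would make the notice actionable.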
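Review bot: the UPGRADING entry added under "4. Changed Functions" says that `crypt()` without a salt raises E_NOTICE but not why, or what existing code should change. Add a line stating that the hash generated without a salt argument is weak and that callers should pass an explicit salt, so the note is useful without following the RFC link.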