Newsgroups: php.internals
From: tyra3l@gmail.com (Ferenc Kovacs)
To: Solar Designer
Cc: PHP internals, Sherif Ramadan
Subject: Re: [PHP-DEV] PHP 5.4+ UPGRADING wrongly lists $2z$
Date: Fri, 27 Jun 2014 17:02:17 +0200
In-Reply-To: <20140627050910.GA27102@openwall.com>
References: <20140627050910.GA27102@openwall.com>

On Fri, Jun 27, 2014 at 7:09 AM, Solar Designer wrote:

> Hi,
>
> I just noticed that when we patched the crypt_blowfish signedness bug in
> 2011, a commit to the UPGRADING file for PHP 5.4+ wrongly listed $2z$ as
> a supported prefix. It is not supported.
>
> This:
>
> - Fixed crypt_blowfish handling of 8-bit characters. crypt() in Blowfish mode
>   now supports hashes marked $2a$, $2x$, $2y$ and $2z$.
>
> should be corrected to:
>
> - Fixed crypt_blowfish handling of 8-bit characters. crypt() in Blowfish mode
>   now supports hashes marked $2a$, $2x$, and $2y$.
>

fixed, thanks for spotting.

>
> While at it, can someone please correct the recently added warning at
> http://www.php.net/manual/en/function.crypt.php which now reads:
>
> "Using the CRYPT_BLOWFISH algorithm, will result in the str parameter
> being truncated to a maximum length of 72 characters. This is only a
> concern if are using the same salt to hash strings with this algorithm
> that are over 72 bytes in length, as this will result in those hashes
> being identical."
>
> to be just:
>
> "Using the CRYPT_BLOWFISH algorithm will result in the str parameter
> being truncated to a maximum length of 72 characters."
>
> The statement starting "This is only ..." is wrong.
>

Removed the misleading explanation for
http://www.php.net/manual/en/function.crypt.php and
http://www.php.net/manual/en/function.password-hash.php for now,
Sherif: feel free to put it back if you think you can come up with
something which is both easy to understand but also precise.

-- 
Ferenc Kovács
@Tyr43l - http://tyrael.hu
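
Added example, not part of the original message and not PHP's own code: a PHP script that exercises the two behaviours discussed in the thread, the 72-byte input limit of CRYPT_BLOWFISH and the unsupported $2z$ prefix. The salts, the input strings and the helper exceedsBcryptLimit() are constructed for illustration.

```php
<?php
// Constructed salts: "$2y$" prefix, cost 04 (kept low only so the demo runs fast),
// followed by 22 characters from the bcrypt salt alphabet.
const SALT_A = '$2y$04$ConstructedSaltForDemo';
const SALT_B = '$2y$04$AnotherConstructedSalt';

// Hypothetical helper: the limit is counted in bytes, so strlen() is the
// right measure here, not mb_strlen().
function exceedsBcryptLimit(string $password): bool
{
    return strlen($password) > 72;
}

// Constructed inputs: two different strings that share their first 72 bytes.
$shared = str_repeat('a', 72);
$first  = $shared . 'first-tail';
$second = $shared . 'second-tail';

// Under any single salt the two inputs produce the same hash, because the
// bytes past position 72 never reach the algorithm.
foreach ([SALT_A, SALT_B] as $salt) {
    $same = hash_equals(crypt($first, $salt), crypt($second, $salt));
    printf("salt %s: hashes identical = %s\n", $salt, var_export($same, true));
}

// Verification always reuses the salt embedded in the stored hash, so the
// truncation matters for every stored hash, not only when salts are reused.
$stored = crypt($first, SALT_A);
echo 'second string verifies against hash of first: ';
var_dump(password_verify($second, $stored));

// A change inside the first 72 bytes still changes the hash.
echo 'change in byte 1 gives the same hash: ';
var_dump(hash_equals($stored, crypt('b' . substr($first, 1), SALT_A)));

// An unsupported prefix yields crypt()'s failure marker instead of a hash.
echo 'crypt() with $2z$ prefix returns: ';
var_dump(crypt('password', '$2z$04$ConstructedSaltForDemo'));

// A length check like this lets an application reject or flag over-long
// input before hashing instead of silently ignoring the tail.
echo 'input exceeds the bcrypt limit: ';
var_dump(exceedsBcryptLimit($first));
```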