PHP 5.4+ UPGRADING wrongly lists $2z$

11 years ago by Solar Designer — view source — reply

unread

Hi,

I just noticed that when we patched the crypt_blowfish signedness bug in
2011, a commit to the UPGRADING file for PHP 5.4+ wrongly listed $2z$ as
a supported prefix. It is not supported.

This:

Fixed crypt_blowfish handling of 8-bit characters. crypt() in Blowfish mode
now supports hashes marked $2a$, $2x$, $2y$ and $2z$.

should be corrected to:

Fixed crypt_blowfish handling of 8-bit characters. crypt() in Blowfish mode
now supports hashes marked $2a$, $2x$, and $2y$.

While at it, can someone please correct the recently added warning at
http://www.php.net/manual/en/function.crypt.php which now reads:

"Using the CRYPT_BLOWFISH algorithm, will result in the str parameter
being truncated to a maximum length of 72 characters. This is only a
concern if are using the same salt to hash strings with this algorithm
that are over 72 bytes in length, as this will result in those hashes
being identical."

to be just:

"Using the CRYPT_BLOWFISH algorithm will result in the str parameter
being truncated to a maximum length of 72 characters."

The statement starting "This is only ..." is wrong.

Thanks,

Alexander

P.S. I am not subscribed to internals, so please CC me on any replies.

11 years ago by Ferenc Kovacs — view source — reply

unread

Hi,

I just noticed that when we patched the crypt_blowfish signedness bug in
2011, a commit to the UPGRADING file for PHP 5.4+ wrongly listed $2z$ as
a supported prefix. It is not supported.

This:

Fixed crypt_blowfish handling of 8-bit characters. crypt() in Blowfish
mode
now supports hashes marked $2a$, $2x$, $2y$ and $2z$.

should be corrected to:

Fixed crypt_blowfish handling of 8-bit characters. crypt() in Blowfish
mode
now supports hashes marked $2a$, $2x$, and $2y$.

fixed, thanks for spotting.

While at it, can someone please correct the recently added warning at
http://www.php.net/manual/en/function.crypt.php which now reads:

"Using the CRYPT_BLOWFISH algorithm, will result in the str parameter
being truncated to a maximum length of 72 characters. This is only a
concern if are using the same salt to hash strings with this algorithm
that are over 72 bytes in length, as this will result in those hashes
being identical."

to be just:

"Using the CRYPT_BLOWFISH algorithm will result in the str parameter
being truncated to a maximum length of 72 characters."

The statement starting "This is only ..." is wrong.

Removed the misleading explanation for
http://www.php.net/manual/en/function.crypt.php and
http://www.php.net/manual/en/function.password-hash.php for now, Sherif:
feel free to put it back if you think you can come up with something which
is both easy to understand but also precise.

--
Ferenc Kovács
@Tyr43l - http://tyrael.hu