Diffstat (limited to 'source/n/php/CVE-2023-0567.patch')
-rw-r--r--source/n/php/CVE-2023-0567.patch142
1 files changed, 0 insertions, 142 deletions
diff --git a/source/n/php/CVE-2023-0567.patch b/source/n/php/CVE-2023-0567.patch
deleted file mode 100644
index 78defd92b..000000000
--- a/source/n/php/CVE-2023-0567.patch
+++ /dev/null
@@ -1,142 +0,0 @@
-From 7882d12ff2d8d8c5a4af821464e0a5ac2cde2002 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Tim=20D=C3=BCsterhus?= <tim@bastelstu.be>
-Date: Mon, 23 Jan 2023 21:15:24 +0100
-Subject: [PATCH] crypt: Fix validation of malformed BCrypt hashes
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-PHP’s implementation of crypt_blowfish differs from the upstream Openwall
-version by adding a “PHP Hack”, which allows one to cut short the BCrypt salt
-by including a `$` character within the characters that represent the salt.
-
-Hashes that are affected by the “PHP Hack” may erroneously validate any
-password as valid when used with `password_verify` and when comparing the
-return value of `crypt()` against the input.
-
-The PHP Hack exists since the first version of PHP’s own crypt_blowfish
-implementation that was added in 1e820eca02dcf322b41fd2fe4ed2a6b8309f8ab5.
-
-No clear reason is given for the PHP Hack’s existence. This commit removes it,
-because BCrypt hashes containing a `$` character in their salt are not valid
-BCrypt hashes.
----
- ext/standard/crypt_blowfish.c | 8 --
- .../tests/crypt/bcrypt_salt_dollar.phpt | 82 +++++++++++++++++++
- 2 files changed, 82 insertions(+), 8 deletions(-)
- create mode 100644 ext/standard/tests/crypt/bcrypt_salt_dollar.phpt
-
-diff --git a/ext/standard/crypt_blowfish.c b/ext/standard/crypt_blowfish.c
-index 3806a290aee4..351d40308089 100644
---- a/ext/standard/crypt_blowfish.c
-+++ b/ext/standard/crypt_blowfish.c
-@@ -371,7 +371,6 @@ static const unsigned char BF_atoi64[0x60] = {
- #define BF_safe_atoi64(dst, src) \
- { \
- tmp = (unsigned char)(src); \
-- if (tmp == '$') break; /* PHP hack */ \
- if ((unsigned int)(tmp -= 0x20) >= 0x60) return -1; \
- tmp = BF_atoi64[tmp]; \
- if (tmp > 63) return -1; \
-@@ -399,13 +398,6 @@ static int BF_decode(BF_word *dst, const char *src, int size)
- *dptr++ = ((c3 & 0x03) << 6) | c4;
- } while (dptr < end);
-
-- if (end - dptr == size) {
-- return -1;
-- }
--
-- while (dptr < end) /* PHP hack */
-- *dptr++ = 0;
--
- return 0;
- }
-
-diff --git a/ext/standard/tests/crypt/bcrypt_salt_dollar.phpt b/ext/standard/tests/crypt/bcrypt_salt_dollar.phpt
-new file mode 100644
-index 000000000000..32e335f4b087
---- /dev/null
-+++ b/ext/standard/tests/crypt/bcrypt_salt_dollar.phpt
-@@ -0,0 +1,82 @@
-+--TEST--
-+bcrypt correctly rejects salts containing $
-+--FILE--
-+<?php
-+for ($i = 0; $i < 23; $i++) {
-+ $salt = '$2y$04$' . str_repeat('0', $i) . '$';
-+ $result = crypt("foo", $salt);
-+ var_dump($salt);
-+ var_dump($result);
-+ var_dump($result === $salt);
-+}
-+?>
-+--EXPECT--
-+string(8) "$2y$04$$"
-+string(2) "*0"
-+bool(false)
-+string(9) "$2y$04$0$"
-+string(2) "*0"
-+bool(false)
-+string(10) "$2y$04$00$"
-+string(2) "*0"
-+bool(false)
-+string(11) "$2y$04$000$"
-+string(2) "*0"
-+bool(false)
-+string(12) "$2y$04$0000$"
-+string(2) "*0"
-+bool(false)
-+string(13) "$2y$04$00000$"
-+string(2) "*0"
-+bool(false)
-+string(14) "$2y$04$000000$"
-+string(2) "*0"
-+bool(false)
-+string(15) "$2y$04$0000000$"
-+string(2) "*0"
-+bool(false)
-+string(16) "$2y$04$00000000$"
-+string(2) "*0"
-+bool(false)
-+string(17) "$2y$04$000000000$"
-+string(2) "*0"
-+bool(false)
-+string(18) "$2y$04$0000000000$"
-+string(2) "*0"
-+bool(false)
-+string(19) "$2y$04$00000000000$"
-+string(2) "*0"
-+bool(false)
-+string(20) "$2y$04$000000000000$"
-+string(2) "*0"
-+bool(false)
-+string(21) "$2y$04$0000000000000$"
-+string(2) "*0"
-+bool(false)
-+string(22) "$2y$04$00000000000000$"
-+string(2) "*0"
-+bool(false)
-+string(23) "$2y$04$000000000000000$"
-+string(2) "*0"
-+bool(false)
-+string(24) "$2y$04$0000000000000000$"
-+string(2) "*0"
-+bool(false)
-+string(25) "$2y$04$00000000000000000$"
-+string(2) "*0"
-+bool(false)
-+string(26) "$2y$04$000000000000000000$"
-+string(2) "*0"
-+bool(false)
-+string(27) "$2y$04$0000000000000000000$"
-+string(2) "*0"
-+bool(false)
-+string(28) "$2y$04$00000000000000000000$"
-+string(2) "*0"
-+bool(false)
-+string(29) "$2y$04$000000000000000000000$"
-+string(2) "*0"
-+bool(false)
-+string(30) "$2y$04$0000000000000000000000$"
-+string(60) "$2y$04$000000000000000000000u2a2UpVexIt9k3FMJeAVr3c04F5tcI8K"
-+bool(false)