Bcrypt password must not contain null character #1311
Comments
Ditto.
[2024-04-19T14:29:30.596724+00:00] movim.ERROR: Bcrypt password must not contain null character
Ubuntu 22.04.4 LTS
My instance was running fine until I upgraded my php and did a machine reboot. There are other users within the Movim MUC that are having the issue as well.
I have the same Bcrypt error message at login. Running Debian 12 Stable with nginx, postgres and PHP current versions.
Seems to be the change: https://fossies.org/diffs/php/8.2.17_vs_8.2.18/ext/standard/password.c-diff.html I am still on 8.2.17 on Fedora 38 and the issue is not happening (yet).
I have the same Bcrypt error message at login. Manually downgrading the php version does not fix the errors. Movim: v0.22.5
Note: this does *not* fix the `bcrypt` issue with Nixpkgs’s PHP being ahead of what Movim’s maintainers are using currently movim/movim#1311
In
```php
public static function hashSession(string $username, string $password, string $host): string
{
    return $username . "\0" . $password . "\0" . $host;
}
```
Frankly, this should have been a 0.24 blocker 👀
👍
I am not that familiar with php. Is there an issue with reverting 69c2280 ?
Please do not try this in a production environment. Movim upgraded to 0.24 and the same Bcrypt error message is still seen at login.
Finally, the bcrypt error message was not seen again. Login behavior returns to normal. I don't know if it increases the security risk. It works for me. When we upgrade PHP to 8.2.18, PHP no longer allows us to use "\0" for the session hash. I don't know why the '|' was replaced. Isn't that '|' confusing? The user can set the $password, and $password might contain a "|", so we don't use '|'? What is the function of the "|" symbol? Is it just a separator? If the character is just to make the code easier to read, we can use other characters. Why did edhelas choose "\0" instead of other characters in 69c2280 ? Can someone teach me? I am not that familiar with php. I actually don't know how to fix [#1147 ]. According to the description on the PHP manual, a random salt will be generated by password_hash() for each string hashed. We only need to upgrade the php version to above 8.0. The threat mentioned in #1147 no longer exists, even if we have not changed the movim code at all.
I've been asked to report my setup here, for I also reproduce this bug. P.S. Tried @pic2debug solution - worked like a charm
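The following is an added example, not Movim's code and not a patch proposed in this thread. It illustrates the two points raised above: why a printable separator such as "|" is a poor replacement for "\0" (a field that may itself contain "|" makes the join ambiguous), and how the input to password_hash() can be made NUL-free so that the PHP change linked above (8.2.17 to 8.2.18) no longer rejects it. Each field is length-prefixed, the result is pre-hashed with SHA-256 and hex-encoded, and only that 64-character digest goes to bcrypt. As a side effect the bcrypt input also stays below bcrypt's 72-byte limit, so long username/password/host combinations are not silently truncated. The names sessionHashInput, hashSession, verifySession and joinWithPipe, and the credential values used, are assumptions made for this illustration.

```php
<?php
declare(strict_types=1);

// Added example (not Movim's code). Movim's hashSession() joined
// username, password and host with "\0"; PHP >= 8.2.18 rejects a bcrypt
// input containing a NUL byte with the ValueError seen in this thread.

/** Unsafe join: a printable separator can occur inside a field. */
function joinWithPipe(string $username, string $password, string $host): string
{
    return $username . '|' . $password . '|' . $host;
}

/**
 * Unambiguous, NUL-free bcrypt input. Every field is prefixed with its
 * byte length (so boundaries cannot be shifted by a crafted field), and
 * the whole encoding is hashed with SHA-256. The hex digest contains no
 * NUL bytes and is 64 bytes long, under bcrypt's 72-byte input limit.
 */
function sessionHashInput(string $username, string $password, string $host): string
{
    $encoded = '';
    foreach ([$username, $password, $host] as $field) {
        $encoded .= pack('N', strlen($field)) . $field; // 4-byte big-endian length + bytes
    }
    return hash('sha256', $encoded); // hex by default
}

/** bcrypt hash over the pre-hashed, NUL-free input (random salt per call). */
function hashSession(string $username, string $password, string $host): string
{
    return password_hash(sessionHashInput($username, $password, $host), PASSWORD_BCRYPT);
}

/** Verification uses the salt and cost stored inside the bcrypt hash. */
function verifySession(string $username, string $password, string $host, string $hash): bool
{
    return password_verify(sessionHashInput($username, $password, $host), $hash);
}

// Constructed demonstration values.

// 1) Separator ambiguity: two different credential triples, one joined string.
$a = joinWithPipe('alice', 'p|ss', 'example.org');
$b = joinWithPipe('alice|p', 'ss', 'example.org');
var_dump($a === $b); // bool(true): "|" cannot delimit fields that may contain "|"

// 2) Length-prefixed encoding keeps the same two triples apart.
var_dump(sessionHashInput('alice', 'p|ss', 'example.org')
    === sessionHashInput('alice|p', 'ss', 'example.org')); // bool(false)

// 3) A NUL byte inside a field never reaches bcrypt, so password_hash() accepts it.
$h = hashSession("ali\0ce", 'secret', 'example.org');
var_dump(verifySession("ali\0ce", 'secret', 'example.org', $h)); // bool(true)
var_dump(verifySession('alice', 'secret', 'example.org', $h));   // bool(false)
```

Changing the pre-image in this way changes every stored session hash, so sessions created under the old scheme will no longer verify and must be re-established after such a change; nothing about salting needs to be handled separately, since password_hash() generates a fresh salt and password_verify() reads it back from the stored hash.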
See the issues on Movim’s proprietary issue tracker: movim/movim#1311
I tried my hand at setting up a new Movim pod following INSTALL.md. Here's the software I'm using
OS: Debian 12
Web Server: Apache2 2.4.59-1
PHP: 8.2+93
PostgreSQL: 15+248
When setting up the SQL database with these commands
I get this error after following the instructions and setting up the database
No passwords I created used any special or null characters. Please may I get help on this?