Fix bug GHSA-q6x7-frmf-grcw: password_verify can erroneously return true

Disallow null character in bcrypt password
php · Apr 9, 2024 · 6a5c04d · 6a5c04d
1 parent f77e579
commit 6a5c04d
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 0 deletions.
diff --git a/ext/standard/password.c b/ext/standard/password.c
@@ -180,6 +180,11 @@ static zend_string* php_password_bcrypt_hash(const zend_string *password, zend_a
 	zval *zcost;
 	zend_long cost = PHP_PASSWORD_BCRYPT_COST;
 
+	if (memchr(ZSTR_VAL(password), '\0', ZSTR_LEN(password))) {
+		zend_value_error("Bcrypt password must not contain null character");
+		return NULL;
+	}
+
 	if (options && (zcost = zend_hash_str_find(options, "cost", sizeof("cost")-1)) != NULL) {
 		cost = zval_get_long(zcost);
 	}

diff --git a/ext/standard/tests/password/password_bcrypt_errors.phpt b/ext/standard/tests/password/password_bcrypt_errors.phpt
@@ -14,7 +14,14 @@ try {
 } catch (ValueError $exception) {
     echo $exception->getMessage() . "\n";
 }
+
+try {
+    var_dump(password_hash("null\0password", PASSWORD_BCRYPT));
+} catch (ValueError $e) {
+    echo $e->getMessage(), "\n";
+}
 ?>
 --EXPECT--
 Invalid bcrypt cost parameter specified: 3
 Invalid bcrypt cost parameter specified: 32
+Bcrypt password must not contain null character