Home Original page

PHP :: Bug #50052 :: Crypt

Bug #50052 Crypt - Different Hashes on Windows and Linux on wrong Salt size
Submitted: 2009-11-02 02:39 UTC Modified: 2009-11-02 20:47 UTC
From: otaviodiniz at gmail dot com Assigned: pajoye (profile)
Status: Closed Package: Scripting Engine problem
PHP Version: 5.3.0 OS: Windows 7
Private report: No CVE-ID: None

 [2009-11-02 02:39 UTC] otaviodiniz at gmail dot com

Description:
------------
The behave of Crypt function on Windows and Linux boxes are different.
In the sample function we create a Salt with length of 12 characters.

First, the Salt size is incorrect, if i remove one character the Salt, the result will be correct.

But with the wrong Salt size the behavior are different:

On Windows - The output is incorrect, as it shows the whole Salt without the terminator $...

On Linux - PHP strips one character of Salt into it's correct expected size, outputing correctly with the terminator $...

Reproduce code:
---------------
md5crypt("test");

function md5crypt($password)
{
  $base64_alphabet='ABCDEFGHIJKLMNOPQRSTUVWXYZ'
  .'abcdefghijklmnopqrstuvwxyz0123456789+/';
  $salt='$1$';
  for($i=0; $i<9; $i++)
  {
    $salt.=$base64_alphabet[rand(0,63)];
  }
  $salt.='$';
  echo "<pre>";
  echo "Salt:   ".$salt."<br />\r\n";
  echo "Output: ".crypt($password,$salt);
  echo "</pre>";
}

Expected result:
----------------
Salt:   $1$f+uslYF01$
Output: $1$f+uslYF0$orVloNmKSLvOeswusE0bY.
//Linux




Actual result:
--------------
Salt:   $1$XcPmtBmRG$
Output: $1$XcPmtBmRGuM82Sm1HMy0I0lX0P3nAd0
//Windows

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

 [2009-11-02 09:46 UTC] pajoye@php.net

Cannot reproduce:

g:\php-sdk\php53\vc9\x8\php53>\test\php52ntssnap\php.exe ..\50052.php

Salt:   $1$f+uslYF01$
Output: $1$f+uslYF0$orVloNmKSLvOeswusE0bY.

Please try using VC9-x86 binaries, http://windows.php.net/snapshots/

 [2009-11-02 09:59 UTC] pajoye@php.net

Forgot to copy 5.3 output as well:

g:\php-sdk\php53\vc9\x86\php53>..\obj\Debug\php.exe ..\50052.php
Salt:   $1$f+uslYF01$
Output: $1$f+uslYF01orVloNmKSLvOeswusE0bY.

 [2009-11-02 13:57 UTC] otaviodiniz at gmail dot com

As you can see the output are different in 5.2 and 5.3 near 0$or 01or.

 [2009-11-02 20:47 UTC] pajoye@php.net

This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.

 [2011-04-07 12:15 UTC] catalin at aceora dot com

I what version of PHP was this implemented ?
I call the crypt function from two pc, with two different PHP versions, and i get two separate results.

Catalin