82 lines
2.8 KiB
Diff
82 lines
2.8 KiB
Diff
From 4a7ceb9d6427f8d368f1a8739267b1f8310ec201 Mon Sep 17 00:00:00 2001
|
|
From: Jakub Zelenka <bukka@php.net>
|
|
Date: Fri, 29 Mar 2024 15:27:59 +0000
|
|
Subject: [PATCH 3/4] Fix bug GHSA-q6x7-frmf-grcw: password_verify can
|
|
erroneously return true
|
|
|
|
Disallow null character in bcrypt password
|
|
|
|
(cherry picked from commit 0ba5229a3f7572846e91c8f5382e87785f543826)
|
|
(cherry picked from commit 81794c73068d9a44bf109bbcc9793e7b56a1c051)
|
|
---
|
|
ext/standard/password.c | 5 +++++
|
|
ext/standard/tests/password/password_bcrypt_errors.phpt | 6 ++++++
|
|
2 files changed, 11 insertions(+)
|
|
|
|
diff --git a/ext/standard/password.c b/ext/standard/password.c
|
|
index 9fe7fb1a422..af80670246a 100644
|
|
--- a/ext/standard/password.c
|
|
+++ b/ext/standard/password.c
|
|
@@ -260,6 +260,11 @@ static zend_string* php_password_bcrypt_hash(const zend_string *password, zend_a
|
|
zval *zcost;
|
|
zend_long cost = PHP_PASSWORD_BCRYPT_COST;
|
|
|
|
+ if (memchr(ZSTR_VAL(password), '\0', ZSTR_LEN(password))) {
|
|
+ php_error_docref(NULL, E_WARNING, "Bcrypt password must not contain null character");
|
|
+ return NULL;
|
|
+ }
|
|
+
|
|
if (options && (zcost = zend_hash_str_find(options, "cost", sizeof("cost")-1)) != NULL) {
|
|
cost = zval_get_long(zcost);
|
|
}
|
|
diff --git a/ext/standard/tests/password/password_bcrypt_errors.phpt b/ext/standard/tests/password/password_bcrypt_errors.phpt
|
|
index a0826080e62..f95b72670ae 100644
|
|
--- a/ext/standard/tests/password/password_bcrypt_errors.phpt
|
|
+++ b/ext/standard/tests/password/password_bcrypt_errors.phpt
|
|
@@ -16,6 +16,8 @@ var_dump(password_hash("foo", PASSWORD_BCRYPT, array("salt" => 123)));
|
|
|
|
var_dump(password_hash("foo", PASSWORD_BCRYPT, array("cost" => "foo")));
|
|
|
|
+var_dump(password_hash("null\0password", PASSWORD_BCRYPT));
|
|
+
|
|
?>
|
|
--EXPECTF--
|
|
Warning: password_hash(): Invalid bcrypt cost parameter specified: 3 in %s on line %d
|
|
@@ -41,3 +43,7 @@ NULL
|
|
|
|
Warning: password_hash(): Invalid bcrypt cost parameter specified: 0 in %s on line %d
|
|
NULL
|
|
+
|
|
+Warning: password_hash(): Bcrypt password must not contain null character in %s on line %d
|
|
+NULL
|
|
+
|
|
--
|
|
2.44.0
|
|
|
|
From 027bdbc636632be49ecfad8d4191509faacb34ac Mon Sep 17 00:00:00 2001
|
|
From: Remi Collet <remi@remirepo.net>
|
|
Date: Wed, 10 Apr 2024 09:01:09 +0200
|
|
Subject: [PATCH 4/4] NEWS
|
|
|
|
(cherry picked from commit 24f77904ee2259d722559f129f96a1f145a2367b)
|
|
---
|
|
NEWS | 2 ++
|
|
1 file changed, 2 insertions(+)
|
|
|
|
diff --git a/NEWS b/NEWS
|
|
index d63aadc6851..96a33c21637 100644
|
|
--- a/NEWS
|
|
+++ b/NEWS
|
|
@@ -6,6 +6,8 @@ Backported from 8.1.28
|
|
- Standard:
|
|
. Fixed bug GHSA-wpj3-hf5j-x4v4 (__Host-/__Secure- cookie bypass due to
|
|
partial CVE-2022-31629 fix). (CVE-2024-2756) (nielsdos)
|
|
+ . Fixed bug GHSA-h746-cjrr-wfmr (password_verify can erroneously return true,
|
|
+ opening ATO risk). (CVE-2024-3096) (Jakub Zelenka)
|
|
|
|
Backported from 8.0.30
|
|
|
|
--
|
|
2.44.0
|
|
|