[php-maint] Bug#623220: Bug#623220: php5: crypt() function with empty salt, returns empty string

Michael Neubert debian at michael-neubert.de
Mon Apr 18 18:32:48 UTC 2011

>  The documentation says: "An optional salt string to base the hashing on. If not provided, the behaviour is defined by the algorithm implementation and can lead to unexpected results."

Ok I only read the German manual. Here the documentation differs and no hint is given for "unexpected results".
But even with this hidden hint in the English documentation I cannot agree to your argumentation. I set the salt as an empty string,
so I provided the second Argument, even if it was empty. And what I got was no hashed string. It was an empty string.

So I expected as result always an hash string, weather or not there is an empty salt-string. And under Debian lenny there was always a non-empty hash-string, even if the salt-string or both arguments were empty.

Example in Lenny:
$ php -r 'var_dump(crypt("",""));'
string(34) "$1$S5KCztpy$mu6mdwHz0weoCkGKGqX2s0"

Example in Squeeze:
$ php -r 'var_dump(crypt("",""));'
string(0) ""

Maybe you say, this is no critical behaviour. But I just migrated some servers from Lenny to Squeeze and one website
on these servers got involved by this phenomenon (login script, that did no check for empty strings, because it thought, it
gets always hash strings as results ->  worst case occured ->  login without valid password).

So in my opinion it could be advisably to bring the patch also for the current stable Squeeze release, because other
web2.0 websites with login could probably be affected / vulnerable in the same way leading to a significant
risk concerning privacy for the users of those websites.

More information about the pkg-php-maint mailing list