On Thu, Apr 22, 2021 at 3:27 PM Niklas Keller wrote:
>> Do you have a link to places where frameworks are doing this? I built a
>> contrived example which I think summarizes the behavior you described
>> here:
>> https://3v4l.org/6tunp
>
> I have links to a library / blog post:
>
> https://github.co
Sara Golemon wrote on Thu, Apr 22, 2021, 17:27:
> On Thu, Apr 22, 2021 at 12:58 AM Niklas Keller wrote:
> > Thank you for your work. I think this is a really good safety check to
> > have. I'd however go a step further and also throw on NUL in
> > password_verify.
> >
> > You seem to assume that
On Thu, Apr 22, 2021 at 11:04 AM Kamil Tekiela wrote:
>
> I don't like throwing exceptions for pretty much the same reasons as
> Nikita described.
> This is a rather limited attack vector. It depends either on the user
> going out of their way
> to make their password vulnerable or on the developer in
I don't like throwing exceptions for pretty much the same reasons as Nikita
described. This is a rather limited attack vector. It depends either on the
user going out of their way to make their password vulnerable or on the
developer introducing the vulnerability with the use of another function
ma
On Thu, Apr 22, 2021 at 12:58 AM Niklas Keller wrote:
> Thank you for your work. I think this is a really good safety check to
> have. I'd however go a step further and also throw on NUL in
> password_verify.
>
> You seem to assume that NUL bytes as input come from the end user, but I
> think it's more
On Thu, Apr 22, 2021 at 3:06 AM Nikita Popov wrote:
> I don't think this is a good idea.
>
Fair, and that objection alone is enough to merit going RFC if I decide to
proceed with this.
> This adds an error condition that is based on the input string, which is
> generally user-provided.
> As there i
On Thu, Apr 22, 2021 at 3:20 AM Claude Pache wrote:
> Also, the warning message you introduced contains “... this hash should
> be regenerated using ...”.
> There is already a dedicated function for conveying that information in a
> coder-friendly way,
> namely `password_needs_rehash()`: let’s use tha
Hey Máté, NikiC,
On Thu, Apr 22, 2021 at 12:15 PM Máté Kocsis wrote:
>> Overall, I see the change of reported `ReflectionMethod#getReturnType()`
>> as non-problematic, and tooling around reflection would continue working as
>> expected, while adding new API requires:
>>
>
> I do think it would be
>
> Overall, I see the change of reported `ReflectionMethod#getReturnType()`
> as non-problematic, and tooling around reflection would continue working as
> expected, while adding new API requires:
>
I do think it would be problematic, and a new API is a must (either the one
Nikita asked about or
On Thu, Apr 22, 2021 at 11:51 AM Marco Pivetta wrote:
> On Thu, Apr 22, 2021 at 10:37 AM Nikita Popov
> wrote:
>
>>
>> To clarify what you're actually suggesting here: Do you want to always
>> have the type returned from getReturnType()
>>
>
> Correct
>
>
>> and only add an additional bool metho
On Thu, Apr 22, 2021 at 10:37 AM Nikita Popov wrote:
>
> To clarify what you're actually suggesting here: Do you want to always
> have the type returned from getReturnType()
>
Correct
> and only add an additional bool method that tells you whether that is a
> tentative or real type, so that mo
On Thu, Apr 22, 2021 at 9:56 AM Marco Pivetta wrote:
> Hey Máté,
>
> On Thu, Apr 22, 2021, 09:42 Máté Kocsis wrote:
>
> > Hi Internals,
> >
> > I've just opened the vote about
> > https://wiki.php.net/rfc/internal_method_return_types
> > and I will close it on 2021-05-06.
> >
> > For prior discu
> On Apr 22, 2021, at 03:47, Sara Golemon wrote:
>
> I have this notion that we've discussed this before, I'm certain I knew
> that bcrypt wasn't binary safe, but someone reminded me that
> password_hash() could be called with null bytes in the password itself and
> that is just SCREAMING to
On Thu, Apr 22, 2021 at 3:48 AM Sara Golemon wrote:
> I have this notion that we've discussed this before, I'm certain I knew
> that bcrypt wasn't binary safe, but someone reminded me that
> password_hash() could be called with null bytes in the password itself and
> that is just SCREAMING to hav
Hey Máté,
On Thu, Apr 22, 2021, 09:42 Máté Kocsis wrote:
> Hi Internals,
>
> I've just opened the vote about
> https://wiki.php.net/rfc/internal_method_return_types
> and I will close it on 2021-05-06.
>
> For prior discussion, please see https://externals.io/message/113413
Overall OK with the
Hi Internals,
I've just opened the vote about
https://wiki.php.net/rfc/internal_method_return_types
and I will close it on 2021-05-06.
For prior discussion, please see https://externals.io/message/113413
Regards:
Máté
16 matches