
List:       php-doc-cvs
Subject:    [DOC-CVS] svn: /phpdoc/en/trunk/reference/ password/functions/password-hash.xml strings/fu
From:       Sherif_Ramadan <googleguy () php ! net>
Date:       2014-01-28 13:10:21
Message-ID: svn-googleguy-1390914621-332747-1346672115 () svn ! php ! net

googleguy                                Tue, 28 Jan 2014 13:10:21 +0000

Revision: http://svn.php.net/viewvc?view=revision&revision=332747

Log:
Add cautionary statement about truncation for crypt and password_hash using BCRYPT. Fixes Bug #66564.

This includes a cautionary statement that the CRYPT_BLOWFISH algorithm in crypt/password_hash functions
will truncate the input string at a maximum length of 72 characters. Typically not a problem for the
average use case since this is only likely used for passwords and assuming each hash has a unique salt.
However, it's still a good idea to document this behavior so that users are aware of the side effect.

Bug: https://bugs.php.net/66564 (Assigned) crypt() seems to silently discard input after a certain length
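The truncation described in the log message, shown as an added example (this is not code from the phpdoc commit or from the PHP project). It assumes PHP 8 with the `$2y$` bcrypt variant; the fixed salt string and the `checkBcryptLength()` helper are constructed for illustration only.

```php
<?php
// Added example: CRYPT_BLOWFISH / PASSWORD_BCRYPT ignore everything past
// byte 72 of the input, and a byte-length check that refuses such input.

declare(strict_types=1);

const BCRYPT_MAX_BYTES = 72;

// Constructed inputs: identical for the first 72 bytes, different afterwards.
$base  = str_repeat('a', BCRYPT_MAX_BYTES);   // exactly 72 bytes
$long1 = $base . 'X';                          // 73 bytes
$long2 = $base . 'Y';                          // 73 bytes, differs only at byte 73

// 1. Same salt via crypt(): the two over-length inputs produce one hash.
//    Salt layout: "$2y$" . cost . "$" . 22 chars from ./A-Za-z0-9.
//    The salt below is a constructed placeholder; real code never reuses one.
$salt = '$2y$10$abcdefghijklmnopqrstuv';
$h1 = crypt($long1, $salt);
$h2 = crypt($long2, $salt);
var_dump($h1 === $h2);                    // bool(true): bytes past 72 ignored

// 2. password_hash() picks a fresh random salt, yet any input that agrees
//    on the first 72 bytes still verifies against the stored hash.
$hash = password_hash($long1, PASSWORD_BCRYPT);
var_dump(password_verify($long2, $hash)); // bool(true)
var_dump(password_verify($base, $hash));  // bool(true)

// 3. Mitigation: enforce the limit in bytes. strlen() counts bytes, which is
//    what bcrypt sees; mb_strlen() would under-count multibyte UTF-8 input.
function checkBcryptLength(string $password): void
{
    if (strlen($password) > BCRYPT_MAX_BYTES) {
        throw new InvalidArgumentException(sprintf(
            'Password is %d bytes; bcrypt silently truncates input to %d bytes',
            strlen($password),
            BCRYPT_MAX_BYTES
        ));
    }
}

checkBcryptLength($base);                 // 72 bytes: accepted
try {
    checkBcryptLength($long1);            // 73 bytes: rejected
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

Running the file prints `bool(true)` three times followed by the rejection message. The length check belongs at registration and password-change time, so a user never ends up with a credential whose tail the hash never covered.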
      
Changed paths:
    U   phpdoc/en/trunk/reference/password/functions/password-hash.xml
    U   phpdoc/en/trunk/reference/strings/functions/crypt.xml

Modified: phpdoc/en/trunk/reference/password/functions/password-hash.xml
===================================================================
--- phpdoc/en/trunk/reference/password/functions/password-hash.xml	2014-01-28 11:34:43 UTC (rev 332746)
+++ phpdoc/en/trunk/reference/password/functions/password-hash.xml	2014-01-28 13:10:21 UTC (rev 332747)
@@ -80,6 +80,16 @@
      <para>
       &password.parameter.password;
      </para>
+      <caution>
+       <para>
+        Using the <constant>PASSWORD_BCRYPT</constant> for the
+        <parameter>algo</parameter> parameter, will result
+        in the <parameter>password</parameter> parameter being truncated to a
+        maximum length of 72 characters. This is only a concern if are using
+        the same salt to hash strings with this algorithm that are over 72
+        bytes in length, as this will result in those hashes being identical.
+       </para>
+      </caution>
     </listitem>
    </varlistentry>
    <varlistentry>
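Review bot: The caution mixes units: the first sentence says the password is "truncated to a maximum length of 72 characters" while the second speaks of strings "over 72 bytes in length". The limit is in bytes, and a multibyte UTF-8 password reaches it with fewer than 72 characters, so say "72 bytes" in both places. Two grammar points in the same paragraph: "This is only a concern if are using" is missing "you", and the comma in "<parameter>algo</parameter> parameter, will result" separates the subject from its verb; drop it.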

Modified: phpdoc/en/trunk/reference/strings/functions/crypt.xml
===================================================================
--- phpdoc/en/trunk/reference/strings/functions/crypt.xml	2014-01-28 11:34:43 UTC (rev 332746)
+++ phpdoc/en/trunk/reference/strings/functions/crypt.xml	2014-01-28 13:10:21 UTC (rev 332747)
@@ -126,6 +126,15 @@
       <para>
        The string to be hashed.
       </para>
+      <caution>
+       <para>
+        Using the <constant>CRYPT_BLOWFISH</constant> algorithm, will result
+        in the <parameter>str</parameter> parameter being truncated to a
+        maximum length of 72 characters. This is only a concern if are using
+        the same salt to hash strings with this algorithm that are over 72
+        bytes in length, as this will result in those hashes being identical.
+       </para>
+      </caution>
      </listitem>
     </varlistentry>
     <varlistentry>
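Review bot: Same unit mismatch as in password-hash.xml: "maximum length of 72 characters" versus "over 72 bytes in length"; use bytes consistently. Also "if are using" still lacks "you", and the comma in "algorithm, will result" should go. Since the two cautions differ only in the constant and parameter names, consider moving the shared wording into an entity, as the file already does with &password.parameter.password;, so that a later fix does not have to be applied in both places.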



-- 
PHP Documentation Commits Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

