List: php-doc-cvs
Subject: [DOC-CVS] svn: /phpdoc/en/trunk/reference/ password/functions/password-hash.xml strings/fu
From: Sherif_Ramadan <googleguy () php ! net>
Date: 2014-01-28 13:10:21
Message-ID: svn-googleguy-1390914621-332747-1346672115 () svn ! php ! net
googleguy Tue, 28 Jan 2014 13:10:21 +0000
Revision: http://svn.php.net/viewvc?view=revision&revision=332747
Log:
Add cautionary statement about truncation for crypt and password_hash using BCRYPT. Fixes Bug #66564.
This includes a cautionary statement that the CRYPT_BLOWFISH algorithm in crypt/password_hash functions
will truncate the input string at a maximum length of 72 characters. Typically not a problem for the
average use case since this is only likely used for passwords and assuming each hash has a unique salt.
However, it's still a good idea to document this behavior so that users are aware of the side effect.
Bug: https://bugs.php.net/66564 (Assigned) crypt() seems to silently discard input after a certain length
Changed paths:
U phpdoc/en/trunk/reference/password/functions/password-hash.xml
U phpdoc/en/trunk/reference/strings/functions/crypt.xml
Modified: phpdoc/en/trunk/reference/password/functions/password-hash.xml
===================================================================
--- phpdoc/en/trunk/reference/password/functions/password-hash.xml 2014-01-28 11:34:43 UTC (rev 332746)
+++ phpdoc/en/trunk/reference/password/functions/password-hash.xml 2014-01-28 13:10:21 UTC (rev 332747)
@@ -80,6 +80,16 @@
<para>
&password.parameter.password;
</para>
+ <caution>
+ <para>
+ Using the <constant>PASSWORD_BCRYPT</constant> for the
+ <parameter>algo</parameter> parameter, will result
+ in the <parameter>password</parameter> parameter being truncated to a
+ maximum length of 72 characters. This is only a concern if are using
+ the same salt to hash strings with this algorithm that are over 72
+ bytes in length, as this will result in those hashes being identical.
+ </para>
+ </caution>
</listitem>
</varlistentry>
<varlistentry>
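Review bot: The caution in this hunk mixes units: it says the password is truncated to "72 characters" and then speaks of strings "over 72 bytes in length". The bcrypt limit is a byte count, so a password with multibyte characters reaches it in fewer than 72 characters; please use "72 bytes" in both places. The same sentence is missing a word ("if are using" should read "if you are using"), and the comma in "<parameter>algo</parameter> parameter, will result" separates the subject from its verb and should go.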
Modified: phpdoc/en/trunk/reference/strings/functions/crypt.xml
===================================================================
--- phpdoc/en/trunk/reference/strings/functions/crypt.xml 2014-01-28 11:34:43 UTC (rev 332746)
+++ phpdoc/en/trunk/reference/strings/functions/crypt.xml 2014-01-28 13:10:21 UTC (rev 332747)
@@ -126,6 +126,15 @@
<para>
The string to be hashed.
</para>
+ <caution>
+ <para>
+ Using the <constant>CRYPT_BLOWFISH</constant> algorithm, will result
+ in the <parameter>str</parameter> parameter being truncated to a
+ maximum length of 72 characters. This is only a concern if are using
+ the same salt to hash strings with this algorithm that are over 72
+ bytes in length, as this will result in those hashes being identical.
+ </para>
+ </caution>
</listitem>
</varlistentry>
<varlistentry>
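Review bot: The sentence "This is only a concern if are using the same salt" in this hunk understates the effect. When a stored hash is checked, the candidate string is hashed again with the salt taken from that stored hash, so the salt is always the same at verification time and any two inputs that share their first 72 bytes will match. Suggest saying that directly instead of framing it as a salt-reuse issue. The "characters" versus "bytes" mismatch and the missing "you" are repeated here as well; since the paragraph is a near copy of the one added to password-hash.xml, a shared entity (like the &password.parameter.password; one visible in that file) would keep the two cautions in sync.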
--
PHP Documentation Commits Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php