Incorrect crypt() function behavior
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
php5 (Debian) | Fix Released | Unknown | | |
php5 (Ubuntu) | Fix Released | High | Unassigned | |
Bug Description
The CRYPT_EXT_DES algorithm seems to be enabled but not used for encryption.
The test is:
php -r "echo 'CRYPT_EXT_DES: ', CRYPT_EXT_DES, PHP_EOL, crypt(md5('my passw0rd'), '_.012saltIO.
Expected output (depending on whether CRYPT_EXT_DES is enabled):
> CRYPT_EXT_DES: 1
> _.012saltIO.
OR
> CRYPT_EXT_DES: 0
> _.msUWmoj85W6
Actual output:
> CRYPT_EXT_DES: 1
> _.msUWmoj85W6
…which corresponds to standard DES encryption:
php -r "echo 'CRYPT_STD_DES: ', CRYPT_STD_DES, PHP_EOL, crypt(md5('my passw0rd'), '_.012saltIO.
> CRYPT_STD_DES: 1
> _.msUWmoj85W6
lsb_release -rd
Description: Ubuntu 12.04.1 LTS
Release: 12.04
$ apt-cache policy php5
php5:
Installed: 5.3.10-1ubuntu3.2
Candidate: 5.3.10-1ubuntu3.2
Version table:
*** 5.3.10-1ubuntu3.2 0
500 http://
500 http://
100 /var/lib/
5.
500 http://
Changed in php5 (Debian): status: Unknown → New
Changed in php5 (Debian): status: New → Fix Released
Can confirm that Ubuntu/Debian's behavior is different from CentOS 6:
$ php --version
PHP 5.3.3 (cli) (built: Jul 3 2012 16:53:21)
Copyright (c) 1997-2010 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2010 Zend Technologies
$ php -r "echo 'CRYPT_EXT_DES: ', CRYPT_EXT_DES, PHP_EOL, crypt(md5('my passw0rd'), '_.012saltIO.319ikKPU' ), PHP_EOL;"
CRYPT_EXT_DES: 1
_.012saltIO.319ikKPU
**
precise
# php --version
PHP 5.3.10-1ubuntu3.2 with Suhosin-Patch (cli) (built: Jun 13 2012 17:20:55)
Copyright (c) 1997-2012 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2012 Zend Technologies
# php -r "echo 'CRYPT_EXT_DES: ', CRYPT_EXT_DES, PHP_EOL, crypt(md5('my passw0rd'), '_.012saltIO.319ikKPU' ), PHP_EOL;"
CRYPT_EXT_DES: 1
_.msUWmoj85W6
**
However, this is not a regression for Ubuntu.
I tested this all the way back to hardy, which seemed to not have CRYPT_EXT_DES:
**
# php --version
PHP 5.2.4-2ubuntu5.25 with Suhosin-Patch 0.9.6.2 (cli) (built: Jun 13 2012 18:36:37)
Copyright (c) 1997-2007 The PHP Group
Zend Engine v2.2.0, Copyright (c) 1998-2007 Zend Technologies
php -r "echo 'CRYPT_EXT_DES: ', CRYPT_EXT_DES, PHP_EOL, crypt(md5('my passw0rd'), '_.012saltIO.319ikKPU' ), PHP_EOL;"
CRYPT_EXT_DES: 0
_.msUWmoj85W6
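A check for the fallback reported above, as an added example that is not part of the bug report or its comments: it compares the scheme the salt asks for with the shape of the hash crypt() returns. The function names are hypothetical; the salt and the two recorded hashes are the ones quoted in the comments, and the layouts assumed are PHP's documented crypt() formats (extended DES: `_` plus 8 setting characters and 11 hash characters; standard DES: 2 salt characters plus 11).

```php
<?php
// Added example, not code from the bug report; helper names are hypothetical.
// Written in PHP 5.3-compatible syntax so it also runs on the affected builds.

// Scheme that a DES-family salt asks crypt() for, judged by its shape.
function requested_scheme($salt) {
    // Extended DES setting: '_' + 4 iteration-count chars + 4 salt chars.
    if (preg_match('#^_[./0-9A-Za-z]{8}#', $salt)) {
        return 'CRYPT_EXT_DES';
    }
    return strlen($salt) >= 2 ? 'CRYPT_STD_DES' : 'invalid';
}

// Scheme that a returned hash actually has, judged by its shape.
function produced_scheme($hash) {
    // Extended DES output: the 9-char setting followed by 11 hash chars.
    if (preg_match('#^_[./0-9A-Za-z]{19}$#', $hash)) {
        return 'CRYPT_EXT_DES';
    }
    // Standard DES output: 2 echoed salt chars + 11 hash chars. The salt
    // chars are left unchecked because the affected build echoed '_.'.
    if (preg_match('#^.{2}[./0-9A-Za-z]{11}$#', $hash)) {
        return 'CRYPT_STD_DES';
    }
    return 'unknown';
}

// True when an extended-DES salt came back as anything else.
function is_silent_fallback($salt, $hash) {
    return requested_scheme($salt) === 'CRYPT_EXT_DES'
        && produced_scheme($hash) !== 'CRYPT_EXT_DES';
}

$salt = '_.012saltIO.319ikKPU';  // salt used in the report's test command
$observed = array(
    'CentOS 6, PHP 5.3.3 (recorded)'  => '_.012saltIO.319ikKPU',
    'precise, PHP 5.3.10 (recorded)'  => '_.msUWmoj85W6',
    'this host, PHP ' . PHP_VERSION   => crypt(md5('my passw0rd'), $salt),
);
foreach ($observed as $where => $hash) {
    $verdict = is_silent_fallback($salt, $hash)
        ? 'FALLBACK, got ' . produced_scheme($hash)
        : 'ok';
    printf("%-32s %-22s %s\n", $where, $hash, $verdict);
}
```

The same shape check can be run over stored hashes: a record created with an extended-DES salt but holding a 13-character value was hashed with standard DES.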