Package home | Report new bug | New search | Development Roadmap Status: Open | Feedback | All | Closed Since Version 1.6.4

Bug #9286 Should use strcmp not == to compare passwords
Submitted: 2006-11-09 08:03 UTC Modified: 2006-12-16 08:36 UTC
From: addw at phcomp dot co dot uk Assigned: aashley
Status: Closed Package: Auth (version 1.4.1)
PHP Version: Irrelevant OS:
Roadmaps: (Not assigned)    
Subscription  


 [2006-11-09 08:03 UTC] addw at phcomp dot co dot uk (alain williams)
Description: ------------ In Auth/Container.php the function verifyPassword() uses == to compare passwords (or the md5/crypted equivalents). This could result in a false equality due to php deciding that they are numeric strings, eg if one is "05" and the other "5". OK: this is most likely to happen in the 'none' encrypted case, but could theoretically in md5/crypt. strcmp() should be used to compare these strings. Test script: --------------- None, I read the code.

Comments

 [2006-11-09 20:30 UTC] aashley at php dot net (Adam Ashley)
This bug has been fixed in CVS. If this was a documentation problem, the fix will appear on pear.php.net by the end of next Sunday (CET). If this was a problem with the pear.php.net website, the change should be live shortly. Otherwise, the fix will appear in the package's next release. Thank you for the report and for helping us make PEAR better. I used (string)$password1 === (string)$password2 as it is 4 to 5 times as fast as strcmp yet still gives the same results.
 [2006-11-12 06:11 UTC] addw at phcomp dot co dot uk
Sorry Adam that doesn't fix it. Execute the following code to see what I mean: $a = "0001"; $b = "01"; var_dump((string)$a == (string)$b); var_dump(!strcmp($a, $b));
 [2006-11-12 19:54 UTC] aashley at php dot net (Adam Ashley)
which is why I'm not using that code. try running this: $a = "0001"; $b = "01"; var_dump((string)$a === (string)$b); var_dump(!strcmp($a, $b));