]> granicus.if.org Git - php/commitdiff
projects / php / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: c43179f)
Don't accept objects for options in password_hash()
authorNikita Popov <nikita.ppv@gmail.com>
Tue, 29 Oct 2019 12:20:22 +0000 (13:20 +0100)
committerNikita Popov <nikita.ppv@gmail.com>
Tue, 29 Oct 2019 12:20:22 +0000 (13:20 +0100)
This was likely a mixup of zpp modifiers in the original implementation.
Per the RFC only arrays should be accepted here.

ext/standard/password.c patch | blob | history
ext/standard/tests/password/password_hash_error.phpt patch | blob | history

diff --git a/ext/standard/password.c b/ext/standard/password.c
index ff3458275e17eedddec9552c4e31a759ad6687ea..17896e77ee6fa03eb438ff9ff97ec0f616bf229a 100644 (file)
--- a/ext/standard/password.c
+++ b/ext/standard/password.c
@@ -614,7 +614,7 @@ PHP_FUNCTION(password_needs_rehash)
                Z_PARAM_STR(hash)
                Z_PARAM_ZVAL(znew_algo)
                Z_PARAM_OPTIONAL
-               Z_PARAM_ARRAY_OR_OBJECT_HT(options)
+               Z_PARAM_ARRAY_HT(options)
        ZEND_PARSE_PARAMETERS_END();
 
        new_algo = php_password_algo_find_zval(znew_algo);
@@ -663,7 +663,7 @@ PHP_FUNCTION(password_hash)
                Z_PARAM_STR(password)
                Z_PARAM_ZVAL(zalgo)
                Z_PARAM_OPTIONAL
-               Z_PARAM_ARRAY_OR_OBJECT_HT(options)
+               Z_PARAM_ARRAY_HT(options)
        ZEND_PARSE_PARAMETERS_END();
 
        algo = php_password_algo_find_zval(zalgo);
diff --git a/ext/standard/tests/password/password_hash_error.phpt b/ext/standard/tests/password/password_hash_error.phpt
index 0eec2383c18ea8b023dd0fb08c487bd0aa72f717..cb5065490590716aa7b566a736b8eecb472b18ff 100644 (file)
--- a/ext/standard/tests/password/password_hash_error.phpt
+++ b/ext/standard/tests/password/password_hash_error.phpt
@@ -12,7 +12,11 @@ try {
 
 var_dump(password_hash("foo", array()));
 
-var_dump(password_hash("foo", 19, new StdClass));
+try {
+    var_dump(password_hash("foo", 19, new StdClass));
+} catch (TypeError $e) {
+    echo $e->getMessage(), "\n";
+}
 
 try {
     var_dump(password_hash("foo", PASSWORD_BCRYPT, "baz"));
@@ -34,8 +38,6 @@ Warning: Array to string conversion in %s on line %d
 
 Warning: password_hash(): Unknown password hashing algorithm: Array in %s on line %d
 NULL
-
-Warning: password_hash(): Unknown password hashing algorithm: 19 in %s on line %d
-NULL
+password_hash() expects parameter 3 to be array, object given
 password_hash() expects parameter 3 to be array, string given
 password_hash() expects parameter 1 to be string, array given
Unnamed repository; edit this file 'description' to name the repository.