From: Nikita Popov Date: Tue, 29 Oct 2019 12:20:22 +0000 (+0100) Subject: Don't accept objects for options in password_hash() X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=63a20cb400d064bc56254896dd8e1e921df27af8;p=php Don't accept objects for options in password_hash() This was likely a mixup of zpp modifiers in the original implementation. Per the RFC only arrays should be accepted here.
---
diff --git a/ext/standard/password.c b/ext/standard/password.c
index ff3458275e..17896e77ee 100644
--- a/ext/standard/password.c
+++ b/ext/standard/password.c
@@ -614,7 +614,7 @@ PHP_FUNCTION(password_needs_rehash)
 Z_PARAM_STR(hash)
 Z_PARAM_ZVAL(znew_algo)
 Z_PARAM_OPTIONAL
- Z_PARAM_ARRAY_OR_OBJECT_HT(options)
+ Z_PARAM_ARRAY_HT(options)
 ZEND_PARSE_PARAMETERS_END();
 new_algo = php_password_algo_find_zval(znew_algo);
@@ -663,7 +663,7 @@ PHP_FUNCTION(password_hash)
 Z_PARAM_STR(password)
 Z_PARAM_ZVAL(zalgo)
 Z_PARAM_OPTIONAL
- Z_PARAM_ARRAY_OR_OBJECT_HT(options)
+ Z_PARAM_ARRAY_HT(options)
 ZEND_PARSE_PARAMETERS_END();
 algo = php_password_algo_find_zval(zalgo);
diff --git a/ext/standard/tests/password/password_hash_error.phpt b/ext/standard/tests/password/password_hash_error.phpt
index 0eec2383c1..cb50654905 100644
--- a/ext/standard/tests/password/password_hash_error.phpt
+++ b/ext/standard/tests/password/password_hash_error.phpt
@@ -12,7 +12,11 @@ try {
 var_dump(password_hash("foo", array()));
-var_dump(password_hash("foo", 19, new StdClass));
+try {
+ var_dump(password_hash("foo", 19, new StdClass));
+} catch (TypeError $e) {
+ echo $e->getMessage(), "\n";
+}
 try {
 var_dump(password_hash("foo", PASSWORD_BCRYPT, "baz"));
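Review bot: The switch to `Z_PARAM_ARRAY_HT(options)` in password_needs_rehash, and the identical one in the password_hash hunk that follows, is a caller-visible break that nothing in the visible patch documents. With the old modifier an object's property table was taken as the options table, so an object carrying a `cost` property would presumably have been honoured; such a call now fails with a TypeError. Failing closed is the safer outcome for a hashing API, but it deserves a short comment at both sites, e.g. `/* options must be an array (per the password_hash RFC); objects are rejected by zpp */`, and an upgrade-notes entry if that is not handled elsewhere. Both function bodies start and end outside their hunks.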
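Review bot: The new try/catch covers only password_hash(), so the matching parser change to password_needs_rehash() in ext/standard/password.c has no test in the visible patch. The one object case also pairs the object with the invalid algorithm id 19, so the expected output shows only that argument parsing now fails before algorithm lookup. I would add `password_hash("foo", PASSWORD_BCRYPT, new StdClass)` in the same try/catch shape, and an equivalent `password_needs_rehash($hash, PASSWORD_BCRYPT, new StdClass)` case (with `$hash` any valid hash string) in that function's error test, each with its expected TypeError message.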
@@ -34,8 +38,6 @@ Warning: Array to string conversion in %s on line %d
 Warning: password_hash(): Unknown password hashing algorithm: Array in %s on line %d
 NULL
-
-Warning: password_hash(): Unknown password hashing algorithm: 19 in %s on line %d
-NULL
+password_hash() expects parameter 3 to be array, object given
 password_hash() expects parameter 3 to be array, string given
 password_hash() expects parameter 1 to be string, array given