
Comments (6)

Jacques1 commented on August 15, 2024

So you won't fix the wrong readme and documentation? Like I said, this has already led to bugs in other applications.

from password_compat.

ircmaxell commented on August 15, 2024

This is by design. The standard approach used in PHP core is to return null on error. However, password_verify was deemed sensitive enough to return false on error: see the RFC.

I'm not saying I agree 100% with it, but the standards that PHP uses on error are there for a reason. And they are only violated where security could be a concern (on verification)...


einacio commented on August 15, 2024

I see the point about password_verify, but what about password_hash? The RFC states that it returns false on any error, but this implementation returns null on any error except the one about output length:

If any error is raised, false is returned by the function.


Jacques1 commented on August 15, 2024

This is an issue, and it's a pretty serious one. The Laravel devs have already stumbled upon it, and I'm sure others as well.

The problem is that we're getting three mutually exclusive statements about the return value for errors:

  • In your comment above, you say it should always be null.
  • The RFC and the documentation say it should always be false.
  • In the implementation, it's sometimes null, sometimes false.

What makes this even worse is that the password_verify() function doesn't do anything about invalid hashes. It simply returns false unless the verification was successful. So if an application ends up storing empty hashes due to the return value confusion, the affected users will be locked out silently. Nobody will realize that there's a bug until the users complain about not being able to log in despite numerous attempts.

This applies to some of the other functions as well. The documentation is different from the RFC which in turn is different from the implementation.

I think it would be helpful if you made a definite decision and then applied this to all three places (documentation, RFC, code). I'm pretty sure the usual way of how PHP indicates errors is by returning false, not null.

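The silent lock-out described in the comment above, as an added example that is not code from password_compat or from PHP core. It assumes the behaviour the thread describes: password_hash() may return null (argument error) or false (other error) depending on the cause, while password_verify() returns false for any hash it cannot verify. The PasswordStore class, its method names and the in-memory user table are constructed for illustration; the hardened path rejects anything that is not a non-empty string that round-trips through password_verify(), and the login path distinguishes "stored hash is unusable" from "wrong password" instead of letting both collapse into false.

```php
<?php
// Added example, not code from password_compat or PHP core.
// PasswordStore and its in-memory user table are constructed for this
// illustration. Requires PHP 7.4+ (typed properties).

declare(strict_types=1);

final class PasswordStore
{
    /** @var array<string,string> constructed in-memory user table: user => hash */
    private array $hashes = [];

    // Hardened registration: `!is_string($hash)` catches both the null and the
    // false return, the empty-string check catches a cast-away failure, and
    // the round-trip verify catches a truncated or garbage string. Nothing
    // that fails these checks ever reaches storage.
    public function register(string $user, string $password): void
    {
        $hash = password_hash($password, PASSWORD_DEFAULT);
        if (!is_string($hash) || $hash === '' || !password_verify($password, $hash)) {
            throw new RuntimeException("password_hash() failed for user $user");
        }
        $this->hashes[$user] = $hash;
    }

    // Login that fails loudly on a malformed stored hash. password_get_info()
    // reports an unknown algorithm as 0 (PHP <= 7.3, password_compat) or null
    // (PHP >= 7.4); either one means the row is a data bug, not a bad password.
    public function login(string $user, string $password): bool
    {
        if (!isset($this->hashes[$user])) {
            return false;
        }
        $hash = $this->hashes[$user];
        $info = password_get_info($hash);
        if ($hash === '' || $info['algo'] === 0 || $info['algo'] === null) {
            throw new UnexpectedValueException("stored hash for $user is malformed");
        }
        return password_verify($password, $hash);
    }

    // The buggy path from the thread: store whatever password_hash() returned
    // without checking its type. Both null and false cast to ''.
    public function registerUnchecked(string $user, $returned): void
    {
        $this->hashes[$user] = (string) $returned;
    }
}

$store = new PasswordStore();
$store->register('alice', 'correct horse battery staple');
var_dump($store->login('alice', 'correct horse battery staple'));
var_dump($store->login('alice', 'wrong'));

// Simulate a null return from password_hash() being stored unchecked.
// password_verify('', ...) alone would just return false on every attempt;
// the hardened login() surfaces the broken row instead.
$store->registerUnchecked('bob', null);
try {
    $store->login('bob', 'anything');
} catch (UnexpectedValueException $e) {
    echo $e->getMessage(), "\n";
}
```

A caller that checks only `=== false` or only `=== null` is wrong under one of the two return conventions; checking `is_string()` is the only test that is correct under both, and the round-trip verify costs one extra hash computation at registration time only.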

ircmaxell commented on August 15, 2024

I'm sorry, I should have said null on argument errors. This means that a mix of return values can happen depending on the cause of the error.

This was discussed on-list during the proposal stage: the first mention.

The only function which should always be false is password_verify(), as that was the only one deemed "sensitive" enough to not return null on argument failure. And indeed, it does.


nikic commented on August 15, 2024

@Jacques1 PHP does not document "returns NULL on parameter parsing failure" for every function - because it always applies (unless otherwise specified).

