diff --git a/ext/openssl/openssl_pwhash.c b/ext/openssl/openssl_pwhash.c
index 0b439a731d1c..01f7f0124135 100644
--- a/ext/openssl/openssl_pwhash.c
+++ b/ext/openssl/openssl_pwhash.c
@@ -329,7 +329,7 @@ PHP_FUNCTION(openssl_password_hash)
 Z_PARAM_ARRAY_HT(options)
 ZEND_PARSE_PARAMETERS_END();
 
- if (strcmp(ZSTR_VAL(algo), "argon2i") && strcmp(ZSTR_VAL(algo), "argon2id")) {
+ if (!zend_string_equals_literal(algo, "argon2i") && !zend_string_equals_literal(algo, "argon2id")) {
 zend_argument_value_error(1, "must be a valid password openssl hashing algorithm");
 RETURN_THROWS();
 }
@@ -355,7 +355,7 @@ PHP_FUNCTION(openssl_password_verify)
 Z_PARAM_STR(digest)
 ZEND_PARSE_PARAMETERS_END();
 
- if (strcmp(ZSTR_VAL(algo), "argon2i") && strcmp(ZSTR_VAL(algo), "argon2id")) {
+ if (!zend_string_equals_literal(algo, "argon2i") && !zend_string_equals_literal(algo, "argon2id")) {
 zend_argument_value_error(1, "must be a valid password openssl hashing algorithm");
 RETURN_THROWS();
 }
diff --git a/ext/openssl/tests/password_algo_null_bytes.phpt b/ext/openssl/tests/password_algo_null_bytes.phpt
new file mode 100644
index 000000000000..df5d96c4114f
--- /dev/null
+++ b/ext/openssl/tests/password_algo_null_bytes.phpt
@@ -0,0 +1,33 @@
+--TEST--
+OpenSSL password functions reject algorithm names containing NUL bytes
+--EXTENSIONS--
+openssl
+--SKIPIF--
+
+--FILE--
+getMessage(), PHP_EOL;
+ }
+
+ try {
+ openssl_password_verify($algo, "secret", "digest");
+ } catch (ValueError $e) {
+ echo $e->getMessage(), PHP_EOL;
+ }
+}
+
+?>
+--EXPECT--
+openssl_password_hash(): Argument #1 ($algo) must be a valid password openssl hashing algorithm
+openssl_password_verify(): Argument #1 ($algo) must be a valid password openssl hashing algorithm
+openssl_password_hash(): Argument #1 ($algo) must be a valid password openssl hashing algorithm
+openssl_password_verify(): Argument #1 ($algo) must be a valid password openssl hashing algorithm
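Review bot: The new `if` in the @@ -329 hunk carries no comment saying why zend_string_equals_literal() replaced strcmp(), and the identical check is duplicated in the @@ -355 hunk for openssl_password_verify(), so a later cleanup could put strcmp() back in one of the two and silently reopen the embedded-NUL bypass (strcmp() stops at the first NUL, so only the length-aware compare rejects an algo name with trailing bytes after a NUL). I would move the test into one static helper that records the reason and call it from both functions. Both enclosing PHP_FUNCTION bodies start and end outside the hunks, so what ZSTR_VAL(algo) is subsequently handed to is not visible here; the length check is the right guard in any case, and the phpt added in this commit pins the behaviour for both entry points.
```c
/* Length-aware compare on purpose: strcmp() stops at the first NUL, which let an
 * algorithm name carrying an embedded NUL pass validation. Both password
 * functions must use this helper so the accepted set cannot drift apart. */
static bool php_openssl_is_pwhash_algo(const zend_string *algo)
{
	return zend_string_equals_literal(algo, "argon2i")
		|| zend_string_equals_literal(algo, "argon2id");
}

/* … unchanged: PHP_FUNCTION(openssl_password_hash) parameter parsing … */
	if (!php_openssl_is_pwhash_algo(algo)) {
		zend_argument_value_error(1, "must be a valid password openssl hashing algorithm");
		RETURN_THROWS();
	}
```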