Ask HN: PHP password_hash exits on null byte character

2 points by iio7 1 year ago | 3 comments

For some reason the documentation does not mention this, but if you succeed in sending the null byte character to password_hash with the default Bcrypt algortihm, PHP with exit the application with a ValueError.

Normally the browser will encode the input, but you can force the issue using e.g. cURL:

printf "password=foo\0bar" | curl -X POST --data-binary @- https://example.com -H "Content-Type: application/x-www-form-urlencoded"

How do you deal with this issue?

Do you replace null byte characters or use e.g. the Argon2id algorithm to get around this problem?

gregjor 1 year ago |

Presumably you don't allow curl requests to your application to set passwords. In practice the password probably comes from an HTML form input, which doesn't allow entering a null byte. And you could sanitize the input before passing it to the password_hash function, or reject it as invalid. A couple of PHP applications I work on have a function to check for a valid password -- printable ASCII characters only, minimum length, etc. A null byte would not pass.

If someone deliberately tries to insert a null and get it to your backend code somehow they deserve to get an error.

stop50 1 year ago | |

you can't ensure that something isn't manipulating the request send by the browser, so its an valid concern. NEVER trust the client.

And its documented in the changelog of the function. I would catch it, send an response that is explaining that the password is invalid and implement a check that limits valid characters to be outside the non printable range.

gregjor 1 year ago | | |

That's what I wrote -- sanitize before passing to the PHP password_hash function, which obviously happens on the server.