From 4a7ceb9d6427f8d368f1a8739267b1f8310ec201 Mon Sep 17 00:00:00 2001
From: Jakub Zelenka <bukka@php.net>
Date: Fri, 29 Mar 2024 15:27:59 +0000
Subject: [PATCH 3/4] Fix bug GHSA-q6x7-frmf-grcw: password_verify can
 erroneously return true

Disallow null character in bcrypt password

(cherry picked from commit 0ba5229a3f7572846e91c8f5382e87785f543826)
(cherry picked from commit 81794c73068d9a44bf109bbcc9793e7b56a1c051)
Upstream-Status: Backport [0ba5229a3f7572846e91c8f5382e87785f543826, 81794c73068d9a44bf109bbcc9793e7b56a1c051]
---
 ext/standard/password.c                                 | 5 +++++
 ext/standard/tests/password/password_bcrypt_errors.phpt | 6 ++++++
 2 files changed, 11 insertions(+)

diff --git a/ext/standard/password.c b/ext/standard/password.c
index 9fe7fb1a422..af80670246a 100644
--- a/ext/standard/password.c
+++ b/ext/standard/password.c
@@ -260,6 +260,11 @@ static zend_string* php_password_bcrypt_hash(const zend_string *password, zend_a
 	zval *zcost;
 	zend_long cost = PHP_PASSWORD_BCRYPT_COST;
 
+	if (memchr(ZSTR_VAL(password), '\0', ZSTR_LEN(password))) {
+		php_error_docref(NULL, E_WARNING, "Bcrypt password must not contain null character");
+		return NULL;
+	}
+
 	if (options && (zcost = zend_hash_str_find(options, "cost", sizeof("cost")-1)) != NULL) {
 		cost = zval_get_long(zcost);
 	}
diff --git a/ext/standard/tests/password/password_bcrypt_errors.phpt b/ext/standard/tests/password/password_bcrypt_errors.phpt
index a0826080e62..f95b72670ae 100644
--- a/ext/standard/tests/password/password_bcrypt_errors.phpt
+++ b/ext/standard/tests/password/password_bcrypt_errors.phpt
@@ -16,6 +16,8 @@ var_dump(password_hash("foo", PASSWORD_BCRYPT, array("salt" => 123)));
 
 var_dump(password_hash("foo", PASSWORD_BCRYPT, array("cost" => "foo")));
 
+var_dump(password_hash("null\0password", PASSWORD_BCRYPT));
+
 ?>
 --EXPECTF--
 Warning: password_hash(): Invalid bcrypt cost parameter specified: 3 in %s on line %d
@@ -41,3 +43,7 @@ NULL
 
 Warning: password_hash(): Invalid bcrypt cost parameter specified: 0 in %s on line %d
 NULL
+
+Warning: password_hash(): Bcrypt password must not contain null character in %s on line %d
+NULL
+
--