
Comments (9)

pic2debug avatar pic2debug commented on June 10, 2024 2

Please do not try this in a production environment.

Movim upgraded to 0.24 and the same Bcrypt error message is still seen at login.
I edited line 157 of app/Session.php to make the following change:

    public static function hashSession(string $username, string $password, string $host): string
    {
        // return $username . "\0" . $password . "\0" . $host;
        return $username . "\e" . $password . "\e" . $host;
    }

Finally, the bcrypt error message was not seen again. Login behavior returns to normal. I don't know if it increases the security risk. It works for me.

When we upgrade PHP to 8.2.18, PHP no longer allows us to use "\0" for the session hash.

I don't know why the '|' was replaced. Isn't that '|' confusing? The user can set the $password; $password might have a "|", so we don't use '|'? What is the function of the "|" symbol? Is it just a separator? If the character is just to make the code easier to read, we can use other characters. Why did edhelas choose "\0" instead of other characters in 69c2280? Can someone teach me? I am not that familiar with PHP.

I actually don't know how to fix [#1147]. According to the description in the PHP manual, a random salt will be generated by password_hash() for each string hashed. We only need to upgrade the PHP version to above 8.0. The threat mentioned in #1147 no longer exists, even if we have not changed the Movim code at all.

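As an added example (not Movim's code; function names hashSessionEsc, encodeFields and sessionSecret are hypothetical), this shows why the separator question raised above matters: with "\e" two different logins can produce the same string for password_hash(), while a length-prefixed, pre-hashed encoding avoids both that ambiguity and the NUL byte that newer PHP rejects.

```php
<?php
// Added example (not Movim's code): why the separator in hashSession() matters.
// The concatenated string is the "password" handed to password_hash(), so an
// ambiguous separator lets two different (username, password, host) triples
// produce the same input. The thread's workaround uses "\e" (ESC, 0x1B).
function hashSessionEsc(string $username, string $password, string $host): string
{
    return $username . "\e" . $password . "\e" . $host;
}

// Length-prefixed encoding: each field is preceded by its 4-byte big-endian
// length, so no byte value has to be reserved as a separator and the encoding
// is injective (distinct inputs always give distinct outputs).
function encodeFields(string ...$fields): string
{
    $out = '';
    foreach ($fields as $f) {
        $out .= pack('N', strlen($f)) . $f;
    }
    return $out;
}

// bcrypt implementations treat the key as a NUL-terminated C string and use at
// most 72 bytes of it, which is why PHP >= 8.2.18 rejects NUL bytes outright.
// Pre-hashing the encoding with SHA-256 and base64-encoding the digest yields a
// fixed-length, NUL-free string that bcrypt covers entirely.
function sessionSecret(string $username, string $password, string $host): string
{
    return base64_encode(hash('sha256', encodeFields($username, $password, $host), true));
}

// 1) Delimiter collision with the ESC workaround (constructed inputs): a
//    password ending in ESC versus a host starting with ESC.
$a = hashSessionEsc('alice', "pw\e", 'example.org');
$b = hashSessionEsc('alice', 'pw', "\eexample.org");
var_dump($a === $b); // collision: different credentials, identical hash input

// 2) The length-prefixed form keeps the same two logins apart.
$c = sessionSecret('alice', "pw\e", 'example.org');
$d = sessionSecret('alice', 'pw', "\eexample.org");
var_dump($c === $d); // no collision

// 3) A NUL inside a field never reaches bcrypt, so password_hash() accepts it
//    on PHP 8.2.18+ and the whole secret is covered by the hash.
$secret = sessionSecret('alice', "pw\0tail", 'example.org');
$hash = password_hash($secret, PASSWORD_BCRYPT);
var_dump(password_verify($secret, $hash)); // round-trips
```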

dos1 avatar dos1 commented on June 10, 2024 1

In app/Session.php:

    public static function hashSession(string $username, string $password, string $host): string
    {
        return $username . "\0" . $password . "\0" . $host;
    }

Frankly, this should have been a 0.24 blocker 👀


Masked-Witch avatar Masked-Witch commented on June 10, 2024 1

I am not that familiar with PHP. Is there an issue with reverting 69c2280?


tyler-hh avatar tyler-hh commented on June 10, 2024

Ditto.
I did a git pull on movim last weekend.

[2024-04-19T14:29:30.596724+00:00] movim.ERROR: Bcrypt password must not contain null character

Ubuntu 22.04.4 LTS
nginx version: nginx/1.18.0 (Ubuntu)
PHP 8.3.6 (cli) (built: Apr 11 2024 20:23:38) (NTS)

My instance was running fine until I upgraded my php and did a machine reboot.

There are other users within the Movim MUC that are having the issue as well.


roughnecks avatar roughnecks commented on June 10, 2024

I have the same Bcrypt error message at login.

Running Debian 12 Stable with nginx, postgres and PHP current versions.


poVoq avatar poVoq commented on June 10, 2024

Seems to be the change: https://fossies.org/diffs/php/8.2.17_vs_8.2.18/ext/standard/password.c-diff.html

I am still on 8.2.17 on Fedora 38 and the issue is not happening (yet).


pic2debug avatar pic2debug commented on June 10, 2024

I have the same Bcrypt error message at login. Manually downgrading the PHP version does not fix the error.

Movim: v0.22.5
OS: Linux version 6.1.0-20-amd64 ([email protected]) (gcc-12 (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40) SMP PREEMPT_DYNAMIC Debian 6.1.85-1 (2024-04-11)
Nginx: 1.22.1-9
PHP: 8.2.18-1~deb12u1
PostgreSQL: 15+248


roughnecks avatar roughnecks commented on June 10, 2024

Frankly, this should have been a 0.24 blocker

👍


TheBluestBird avatar TheBluestBird commented on June 10, 2024

I've been asked to report my setup here, for I also reproduce this bug.
OS: Archlinux
Web Server: Apache httpd 2.4.59
PHP: 8.3.6
MariaDB: 11.3.2

P.S. Tried @pic2debug's solution - worked like a charm.

