initial fix

LamentXU123 · LamentXU123 · commit 6f14bee9803e · 2026-04-08T21:37:01.000+08:00
diff --git a/ext/standard/password.c b/ext/standard/password.c
@@ -153,6 +153,12 @@ static bool php_password_bcrypt_needs_rehash(const zend_string *hash, zend_array
 
 static bool php_password_bcrypt_verify(const zend_string *password, const zend_string *hash) {
 	int status = 0;
+
+	/* password_hash() already rejects NUL bytes for bcrypt inputs. */
+	if (memchr(ZSTR_VAL(password), '\0', ZSTR_LEN(password))) {
+		return false;
+	}
+
 	zend_string *ret = php_crypt(ZSTR_VAL(password), (int)ZSTR_LEN(password), ZSTR_VAL(hash), (int)ZSTR_LEN(hash), 1);
 
 	if (!ret) {
diff --git a/ext/standard/tests/password/password_bcrypt_null_verify.phpt b/ext/standard/tests/password/password_bcrypt_null_verify.phpt
@@ -0,0 +1,14 @@
+--TEST--
+password_verify() rejects bcrypt passwords containing null bytes
+--FILE--
+<?php
+$hash = password_hash("foo", PASSWORD_BCRYPT);
+
+var_dump(password_verify("foo", $hash));
+var_dump(password_verify("foo\0bar", $hash));
+var_dump(password_verify("\0foo", $hash));
+?>
+--EXPECT--
+bool(true)
+bool(false)
+bool(false)
