from Hacker News

Ask HN: PHP password_hash exits on null byte character

by iio7 on 6/15/24, 12:18 PM with 3 comments

For some reason the documentation does not mention this, but if you succeed in sending the null byte character to password_hash with the default Bcrypt algorithm, PHP will exit the application with a ValueError.

Normally the browser will encode the input, but you can force the issue using e.g. cURL:

printf "password=foo\0bar" | curl -X POST --data-binary @- https://example.com -H "Content-Type: application/x-www-form-urlencoded"

How do you deal with this issue?

Do you replace null byte characters or use e.g. the Argon2id algorithm to get around this problem?

  • by gregjor on 6/15/24, 12:52 PM

    Presumably you don't allow curl requests to your application to set passwords. In practice the password probably comes from an HTML form input, which doesn't allow entering a null byte. And you could sanitize the input before passing it to the password_hash function, or reject it as invalid. A couple of PHP applications I work on have a function to check for a valid password -- printable ASCII characters only, minimum length, etc. A null byte would not pass.

    If someone deliberately tries to insert a null and get it to your backend code somehow they deserve to get an error.
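
Added example, not part of the thread and not any poster's code: a PHP sketch of the reject-before-hashing approach discussed above, which also catches the ValueError as a fallback so a null byte yields a validation error instead of ending the request. The function names and the 12-character minimum are assumptions made for this example.

```php
<?php
declare(strict_types=1);

// Hypothetical policy value chosen for this example.
const MIN_PASSWORD_LENGTH = 12;

/** Returns null when the password is acceptable, otherwise a reason string. */
function password_policy_error(string $password): ?string
{
    // Reject NUL explicitly so the caller gets a clean validation error
    // instead of a ValueError from password_hash() with bcrypt.
    if (strpos($password, "\0") !== false) {
        return 'Password must not contain a null byte.';
    }
    // Printable ASCII only (space through tilde), as in the check described above.
    if (preg_match('/^[\x20-\x7E]+$/D', $password) !== 1) {
        return 'Password may contain printable ASCII characters only.';
    }
    if (strlen($password) < MIN_PASSWORD_LENGTH) {
        return 'Password is too short.';
    }
    return null;
}

/** Validates, then hashes. Returns [hash, null] on success or [null, error]. */
function hash_user_password(string $password): array
{
    $error = password_policy_error($password);
    if ($error !== null) {
        return [null, $error];
    }
    try {
        return [password_hash($password, PASSWORD_BCRYPT), null];
    } catch (ValueError $e) {
        // Defense in depth: a hashing error must not terminate the request.
        return [null, 'Password could not be processed.'];
    }
}

// Constructed sample inputs, including the body sent by the cURL command above.
$samples = ["foo\0bar", "short", "caf\xC3\xA9-au-lait-please", "correct horse battery"];
foreach ($samples as $candidate) {
    [$hash, $error] = hash_user_password($candidate);
    $shown = addcslashes($candidate, "\0..\37\177..\377"); // escape non-printables for display
    printf("%-28s => %s\n", $shown, $error ?? 'hashed OK');
}
```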