Conversation

@imhayatunnabi imhayatunnabi commented Oct 13, 2025

The password_hash() function can return false on failure (invalid
parameters, memory exhaustion, etc.), but the make() methods in both
BcryptHasher and ArgonHasher only caught Error exceptions and didn't
validate the return value. This creates:

1. Type safety violation: Method signature indicates @return string but could return false
2. Security risk: If false is stored as a hash, it could lead to authentication issues
3. Silent failures: Failures would go unnoticed until unexpected behavior occurs

Changes

BcryptHasher.php:65-67

if ($hash === false) {
    throw new RuntimeException('Bcrypt hashing failed.');
}

ArgonHasher.php:70-72

if ($hash === false) {
    throw new RuntimeException('Argon2 hashing failed.');
}

The password_hash() function can return false when hashing fails due to invalid parameters, memory exhaustion, or other issues. Previously, the make() methods in BcryptHasher and ArgonHasher did not check for this failure case, which could lead to type safety violations and potential security issues if false was stored as a password hash.
@browner12
Contributor

https://www.php.net/manual/en/function.password-hash.php

as of PHP 8.0.0, the password_hash() function always returns a string, and throws an exception for any of these errors.

This smells of AI generated code...
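The two posts above describe two different failure contracts for password_hash(): a false return on PHP 7.x and a thrown ValueError or Error on PHP 8.0 and later. The following is an added example, not code from the laravel/framework PR or from the project's own BcryptHasher, showing a small wrapper whose make() keeps its @return string promise on either runtime. The class name SafeBcryptHasher and the constructed demonstration at the bottom are assumptions for illustration; bcrypt's valid cost range (4 to 31) is what makes a cost of 3 an invalid parameter.

```php
<?php
declare(strict_types=1);

// Added example (not the project's own hasher): a bcrypt wrapper that is
// correct on PHP 7.x, where password_hash() signals failure by returning
// false, and on PHP 8.x, where it throws ValueError (an Error subclass)
// for bad parameters or Error when hashing itself fails.
final class SafeBcryptHasher
{
    /** @var int bcrypt work factor; valid range is 4..31 */
    private $rounds;

    public function __construct(int $rounds = 12)
    {
        $this->rounds = $rounds;
    }

    /**
     * Hash $value with bcrypt.
     *
     * @return string always a hash string, never false
     * @throws RuntimeException when hashing cannot be performed
     */
    public function make(string $value): string
    {
        try {
            $hash = password_hash($value, PASSWORD_BCRYPT, ['cost' => $this->rounds]);
        } catch (\Error $e) {
            // PHP >= 8.0 path: ValueError for invalid options, Error for an
            // internal failure. Re-throw with the original as $previous so the
            // root cause is not lost in logs.
            throw new \RuntimeException('Bcrypt hashing failed: ' . $e->getMessage(), 0, $e);
        }

        // PHP < 8.0 path: failure is reported as a false return plus a warning.
        // On PHP 8 password_hash() is typed to return string, so this branch is
        // simply never taken there.
        if ($hash === false) {
            throw new \RuntimeException('Bcrypt hashing failed.');
        }

        return $hash;
    }
}

// Constructed demonstration: a cost of 3 is outside bcrypt's 4..31 range, so
// the wrapper surfaces a RuntimeException instead of storing a bad value.
$broken = new SafeBcryptHasher(3);
try {
    $broken->make('correct horse battery staple');
} catch (\RuntimeException $e) {
    echo get_class($e), ': ', $e->getMessage(), PHP_EOL;
}

// With a valid cost the result verifies with password_verify().
$hash = (new SafeBcryptHasher(10))->make('correct horse battery staple');
var_dump(password_verify('correct horse battery staple', $hash));
```

On PHP 8 the try/catch branch is the one that matters and the false check is dead code; on PHP 7 the opposite holds. Keeping both is harmless, but a project that only supports PHP 8 (as the comment above notes) gets the guarantee it wants from the language itself, and the only thing left to decide is whether to translate the engine's Error into the project's own exception type.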

@imhayatunnabi imhayatunnabi deleted the fix/12.x-hashing branch October 13, 2025 16:40