Closed jamieburchell closed 3 years ago
I think this one could be solved by checking for NULL or FALSE from this return call as apparently it could be either.
Thanks for investigating this.
I just committed a fix for this here: 98cbf388efe8898bc0ec25c4c99b5711e9d283e7
This should be backwards compatible as well.
Let me know if this resolves the issue for you.
Which branch are you using? 3
What commit hash are you on? 14a9bb1
What CodeIgniter version are you using? v3
What PHP version are you using? 7.4
Describe the bug
The password is erased from the database if password_hash is unable to hash the password, say for example, because of an error. It seems in certain circumstances the password_hash function may return NULL instead of FALSE, this being one such case. https://bugs.php.net/bug.php?id=77218

To Reproduce
In my case, PHP 7.4 with sodium libs caused the password_hash to fail with a thread count of 2 when using argon2 and logging in with an existing bcrypt password, but I'm guessing any time password_hash fails with NULL this will happen.

Expected behaviour
This should probably be a fatal error. At the very least, it shouldn't wipe out an existing password.
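An added example (not the project's code and not the committed fix above) of the check suggested in this thread: the return value of password_hash is validated before it can reach the row, so a NULL or FALSE never overwrites the existing hash. The injectable $hasher stub and the in-memory $row array are assumptions standing in for a failing build and the database.

```php
<?php
declare(strict_types=1);

// Hash a password and refuse to continue unless a usable hash came back.
// password_hash() is documented to return FALSE on failure and, per the
// linked PHP bug, can return NULL, so the test is is_string() rather than
// a comparison against FALSE alone. $hasher is injectable only so the
// failure path can be exercised here without a broken build (assumption).
function hash_password_or_fail(string $password, ?callable $hasher = null): string
{
    $hasher = $hasher ?? static fn(string $p) => password_hash($p, PASSWORD_DEFAULT);
    $hash = $hasher($password);
    if (!is_string($hash) || $hash === '') {
        throw new RuntimeException('password_hash() failed; refusing to store a blank password');
    }
    return $hash;
}

// Vulnerable shape (the bug as reported): whatever password_hash() returns is
// written straight into the row, so NULL/FALSE overwrites the stored hash.
function update_password_unchecked(array &$userRow, string $newPassword, ?callable $hasher = null): void
{
    $hasher = $hasher ?? static fn(string $p) => password_hash($p, PASSWORD_DEFAULT);
    $userRow['password'] = $hasher($newPassword); // may be NULL or FALSE
}

// Hardened shape: the row is only touched once the hash has been validated.
function update_password_checked(array &$userRow, string $newPassword, ?callable $hasher = null): void
{
    $userRow['password'] = hash_password_or_fail($newPassword, $hasher);
}

// Stub hasher that fails the way the report describes (constructed for the demo).
$failingHasher = static fn(string $p) => null;
$original = '$2y$10$placeholder-existing-bcrypt-hash'; // constructed, not a real hash

$row = ['password' => $original];
update_password_unchecked($row, 'correct horse', $failingHasher);
var_dump($row['password'] === null); // the existing hash has been wiped

$row = ['password' => $original];
try {
    update_password_checked($row, 'correct horse', $failingHasher);
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}
var_dump($row['password'] === $original); // nothing was overwritten
```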