From 4191be3d3be76909253158a6cd35fbf3a89cfb5f Mon Sep 17 00:00:00 2001
From: Andrey Andreev
Date: Sat, 21 Jun 2014 16:13:13 +0300
Subject: Fix a _potential_ flaw in password_hash()

---
 system/core/compat/password.php | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

(limited to 'system/core')

diff --git a/system/core/compat/password.php b/system/core/compat/password.php
index a9355d5d0..d5a017d9a 100644
--- a/system/core/compat/password.php
+++ b/system/core/compat/password.php
@@ -145,7 +145,10 @@ if ( ! function_exists('password_hash'))
 }
 isset($options['cost']) OR $options['cost'] = 10;
-return crypt($password, sprintf('$2y$%02d$%s', $options['cost'], $options['salt']));
+
+return (strlen($password = crypt($password, sprintf('$2y$%02d$%s', $options['cost'], $options['salt']))) === 60)
+? $password
+: FALSE;
 }
 }
--
cgit v1.2.3-24-g4f1b
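Review bot: The new return expression reuses the `$password` parameter to hold the crypt() result, so the same variable means the plaintext before the call and the hash after it; a separate local reads more clearly, e.g. `$hash = crypt($password, sprintf('$2y$%02d$%s', $options['cost'], $options['salt']));` followed by `return (strlen($hash) === 60) ? $hash : FALSE;`. The length test itself is the right guard: crypt() reports failure with a short string such as `*0` rather than throwing, and without this check that marker would have been handed back to the caller as if it were a usable hash. The constant 60 deserves a why-comment above the return, e.g. `// crypt() signals failure with a short string (e.g. '*0'); a valid bcrypt hash is always 60 bytes`, since nothing in the hunk explains it. The enclosing password_hash() function starts outside the hunk, so the cost/salt validation that precedes these lines is not visible here.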