bug #31763 [Security\Core] Make SodiumPasswordEncoder validate BCrypt-ed passwords (nicolas-grekas)
This PR was merged into the 4.3 branch.
Discussion
----------
[Security\Core] Make SodiumPasswordEncoder validate BCrypt-ed passwords
| Q | A
| ------------- | ---
| Branch? | 4.3
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | #31758
| License | MIT
| Doc PR | -
Otherwise, the promise of the "auto" mode doesn't work.
Commits
-------
c0fc45682a
[Security\Core] Make SodiumPasswordEncoder validate BCrypt-ed passwords
This commit is contained in:
commit
1318d3bf51
@ -84,6 +84,11 @@ final class SodiumPasswordEncoder implements PasswordEncoderInterface, SelfSalti
|
|||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (72 >= \strlen($raw) && 0 === strpos($encoded, '$2')) {
|
||||||
|
// Accept validating BCrypt passwords for seamless migrations
|
||||||
|
return password_verify($raw, $encoded);
|
||||||
|
}
|
||||||
|
|
||||||
if (\function_exists('sodium_crypto_pwhash_str_verify')) {
|
if (\function_exists('sodium_crypto_pwhash_str_verify')) {
|
||||||
return \sodium_crypto_pwhash_str_verify($encoded, $raw);
|
return \sodium_crypto_pwhash_str_verify($encoded, $raw);
|
||||||
}
|
}
|
||||||
|
@ -31,6 +31,12 @@ class SodiumPasswordEncoderTest extends TestCase
|
|||||||
$this->assertFalse($encoder->isPasswordValid($result, 'anotherPassword', null));
|
$this->assertFalse($encoder->isPasswordValid($result, 'anotherPassword', null));
|
||||||
}
|
}
|
||||||
|
|
||||||
|
public function testBCryptValidation()
|
||||||
|
{
|
||||||
|
$encoder = new SodiumPasswordEncoder();
|
||||||
|
$this->assertTrue($encoder->isPasswordValid('$2y$04$M8GDODMoGQLQRpkYCdoJh.lbiZPee3SZI32RcYK49XYTolDGwoRMm', 'abc', null));
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* @expectedException \Symfony\Component\Security\Core\Exception\BadCredentialsException
|
* @expectedException \Symfony\Component\Security\Core\Exception\BadCredentialsException
|
||||||
*/
|
*/
|
||||||
|
Reference in New Issue
Block a user