From 5c302669eb351c9a094cb5f4d8f8f1e9d1d782f7 Mon Sep 17 00:00:00 2001
From: Jakub Zalas <jakub@zalas.pl>
Date: Thu, 17 Dec 2015 18:04:54 +0000
Subject: [PATCH] [Security] Verify if a password encoded with bcrypt is no
 longer than 72 characters

---
 .../Security/Core/Encoder/BCryptPasswordEncoder.php         | 2 ++
 .../Component/Security/Core/Encoder/BasePasswordEncoder.php | 2 +-
 .../Tests/Core/Encoder/BCryptPasswordEncoderTest.php        | 6 ++++--
 3 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/src/Symfony/Component/Security/Core/Encoder/BCryptPasswordEncoder.php b/src/Symfony/Component/Security/Core/Encoder/BCryptPasswordEncoder.php
index d2b031999c..83ae33466e 100644
--- a/src/Symfony/Component/Security/Core/Encoder/BCryptPasswordEncoder.php
+++ b/src/Symfony/Component/Security/Core/Encoder/BCryptPasswordEncoder.php
@@ -19,6 +19,8 @@ use Symfony\Component\Security\Core\Exception\BadCredentialsException;
  */
 class BCryptPasswordEncoder extends BasePasswordEncoder
 {
+    const MAX_PASSWORD_LENGTH = 72;
+
     /**
      * @var string
      */
diff --git a/src/Symfony/Component/Security/Core/Encoder/BasePasswordEncoder.php b/src/Symfony/Component/Security/Core/Encoder/BasePasswordEncoder.php
index 1c9ada1e64..fcf2e47088 100644
--- a/src/Symfony/Component/Security/Core/Encoder/BasePasswordEncoder.php
+++ b/src/Symfony/Component/Security/Core/Encoder/BasePasswordEncoder.php
@@ -95,6 +95,6 @@ abstract class BasePasswordEncoder implements PasswordEncoderInterface
      */
     protected function isPasswordTooLong($password)
     {
-        return strlen($password) > self::MAX_PASSWORD_LENGTH;
+        return strlen($password) > static::MAX_PASSWORD_LENGTH;
     }
 }
diff --git a/src/Symfony/Component/Security/Tests/Core/Encoder/BCryptPasswordEncoderTest.php b/src/Symfony/Component/Security/Tests/Core/Encoder/BCryptPasswordEncoderTest.php
index 076d954f4b..52d64a29a8 100644
--- a/src/Symfony/Component/Security/Tests/Core/Encoder/BCryptPasswordEncoderTest.php
+++ b/src/Symfony/Component/Security/Tests/Core/Encoder/BCryptPasswordEncoderTest.php
@@ -73,13 +73,15 @@ class BCryptPasswordEncoderTest extends \PHPUnit_Framework_TestCase
     {
         $encoder = new BCryptPasswordEncoder(self::VALID_COST);
 
-        $encoder->encodePassword(str_repeat('a', 5000), 'salt');
+        $encoder->encodePassword(str_repeat('a', 73), 'salt');
     }
 
     public function testCheckPasswordLength()
     {
         $encoder = new BCryptPasswordEncoder(self::VALID_COST);
+        $result = $encoder->encodePassword(str_repeat('a', 72), null);
 
-        $this->assertFalse($encoder->isPasswordValid('encoded', str_repeat('a', 5000), 'salt'));
+        $this->assertFalse($encoder->isPasswordValid($result, str_repeat('a', 73), 'salt'));
+        $this->assertTrue($encoder->isPasswordValid($result, str_repeat('a', 72), 'salt'));
     }
 }