bug #17055 [Security] Verify if a password encoded with bcrypt is no longer than 72 characters (jakzal)
This PR was merged into the 2.3 branch. Discussion ---------- [Security] Verify if a password encoded with bcrypt is no longer than 72 characters | Q | A | ------------- | --- | Bug fix? | yes | New feature? | no | BC breaks? | no | Deprecations? | no | Tests pass? | yes | Fixed tickets | #17047 | License | MIT | Doc PR | - From the [password_hash() docs](http://php.net/password_hash): > Caution Using the PASSWORD_BCRYPT as the algorithm, will result in the password parameter being truncated to a maximum length of 72 characters. Commits -------0a496e7
[Security] Enable bcrypt validation and result length tests on all PHP versions
5c30266
[Security] Verify if a password encoded with bcrypt is no longer than 72 characters
68bd2c19a1
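--- a/PATH_NOT_SHOWN/BCryptPasswordEncoder.php
+++ b/PATH_NOT_SHOWN/BCryptPasswordEncoder.php
@@ -19,6 +19,8 @@ use Symfony\Component\Security\Core\Exception\BadCredentialsException;
  */
 class BCryptPasswordEncoder extends BasePasswordEncoder
 {
+    const MAX_PASSWORD_LENGTH = 72;
+
     /**
      * @var string
      */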
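Review bot: The new `MAX_PASSWORD_LENGTH` constant carries no comment saying why the value is 72, which is exactly what a maintainer tempted to raise it later needs to know. I would add above it: `// bcrypt (password_hash/crypt) silently truncates its input to 72 bytes; anything longer must be rejected rather than truncated, otherwise two passwords sharing a 72-byte prefix verify identically.` The limit is in bytes, not characters, so the PR title's "characters" is loose for multibyte input; presumably the constant is consumed via BasePasswordEncoder::isPasswordTooLong(), which is not visible in this hunk. The class body continues outside the hunk.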
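--- a/PATH_NOT_SHOWN/BasePasswordEncoder.php
+++ b/PATH_NOT_SHOWN/BasePasswordEncoder.php
@@ -95,6 +95,6 @@ abstract class BasePasswordEncoder implements PasswordEncoderInterface
      */
     protected function isPasswordTooLong($password)
     {
-        return strlen($password) > self::MAX_PASSWORD_LENGTH;
+        return strlen($password) > static::MAX_PASSWORD_LENGTH;
     }
 }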
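Review bot: The change from `self::` to `static::` is what lets a subclass constant take effect, but nothing at the call site says so, and a later "tidy-up" back to `self::` would silently restore the base limit for bcrypt. I would add above the return: `// static:: so subclasses can tighten the limit (BCryptPasswordEncoder sets 72 for bcrypt's input truncation); self:: would ignore the override. strlen() is intentional: the bcrypt limit is in bytes, not characters.` Documenting the byte-wise measure matters because an mb_strlen "fix" would let multibyte passwords over 72 bytes slip past the guard. The enclosing class starts outside the hunk.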
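--- a/PATH_NOT_SHOWN/BCryptPasswordEncoderTest.php
+++ b/PATH_NOT_SHOWN/BCryptPasswordEncoderTest.php
@@ -45,9 +45,6 @@ class BCryptPasswordEncoderTest extends \PHPUnit_Framework_TestCase
         }
     }
 
-    /**
-     * @requires PHP 5.3.7
-     */
     public function testResultLength()
     {
         $encoder = new BCryptPasswordEncoder(self::VALID_COST);
@@ -55,9 +52,6 @@ class BCryptPasswordEncoderTest extends \PHPUnit_Framework_TestCase
         $this->assertEquals(60, strlen($result));
     }
 
-    /**
-     * @requires PHP 5.3.7
-     */
     public function testValidation()
     {
         $encoder = new BCryptPasswordEncoder(self::VALID_COST);
@@ -73,13 +67,15 @@ class BCryptPasswordEncoderTest extends \PHPUnit_Framework_TestCase
     {
         $encoder = new BCryptPasswordEncoder(self::VALID_COST);
 
-        $encoder->encodePassword(str_repeat('a', 5000), 'salt');
+        $encoder->encodePassword(str_repeat('a', 73), 'salt');
     }
 
     public function testCheckPasswordLength()
     {
         $encoder = new BCryptPasswordEncoder(self::VALID_COST);
+        $result = $encoder->encodePassword(str_repeat('a', 72), null);
 
-        $this->assertFalse($encoder->isPasswordValid('encoded', str_repeat('a', 5000), 'salt'));
+        $this->assertFalse($encoder->isPasswordValid($result, str_repeat('a', 73), 'salt'));
+        $this->assertTrue($encoder->isPasswordValid($result, str_repeat('a', 72), 'salt'));
     }
 }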
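Review bot: In `testCheckPasswordLength` the new `assertFalse` on the 73-byte password is the whole point of the fix, but the test does not say why that case is meaningful: bcrypt truncates input to 72 bytes, so without the length guard the 73-byte "aaa…" would verify successfully against the hash of 72 "a"s. I would add above the assertion: `// bcrypt truncates to 72 bytes; without the length guard this 73-byte password would verify against the 72-byte hash.` The hash is produced with a `null` salt and checked with `'salt'`; that presumably only holds because the bcrypt encoder ignores the salt argument, which the test could state or make consistent. The `encodePassword(str_repeat('a', 73), 'salt')` call in the same hunk sits in a method whose signature and expected-exception annotation begin outside the hunk.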