bug #40993 [Security] [Security/Core] fix checking for bcrypt (nicolas-grekas)
This PR was merged into the 4.4 branch.
Discussion
----------
[Security] [Security/Core] fix checking for bcrypt
| Q | A
| ------------- | ---
| Branch? | 4.4
| Bug fix? | yes
| New feature? | no
| Deprecations? | no
| Tickets | -
| License | MIT
| Doc PR | -
Spotted while working on #40920
Because of the logic in the constructor, the algorithm value is not cast to string when bcrypt is used.
Commits
-------
f01ea99254
[Security/Core] fix checking for bcrypt
commit
9b1e941fbe
@ -51,11 +51,11 @@ final class NativePasswordEncoder implements PasswordEncoderInterface, SelfSalti
|
|||||||
$algos = [1 => \PASSWORD_BCRYPT, '2y' => \PASSWORD_BCRYPT];
|
$algos = [1 => \PASSWORD_BCRYPT, '2y' => \PASSWORD_BCRYPT];
|
||||||
|
|
||||||
if (\defined('PASSWORD_ARGON2I')) {
|
if (\defined('PASSWORD_ARGON2I')) {
|
||||||
$this->algo = $algos[2] = $algos['argon2i'] = (string) \PASSWORD_ARGON2I;
|
$this->algo = $algos[2] = $algos['argon2i'] = \PASSWORD_ARGON2I;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (\defined('PASSWORD_ARGON2ID')) {
|
if (\defined('PASSWORD_ARGON2ID')) {
|
||||||
$this->algo = $algos[3] = $algos['argon2id'] = (string) \PASSWORD_ARGON2ID;
|
$this->algo = $algos[3] = $algos['argon2id'] = \PASSWORD_ARGON2ID;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (null !== $algo) {
|
if (null !== $algo) {
|
||||||
@ -75,7 +75,7 @@ final class NativePasswordEncoder implements PasswordEncoderInterface, SelfSalti
|
|||||||
*/
|
*/
|
||||||
public function encodePassword($raw, $salt): string
|
public function encodePassword($raw, $salt): string
|
||||||
{
|
{
|
||||||
if (\strlen($raw) > self::MAX_PASSWORD_LENGTH || ((string) \PASSWORD_BCRYPT === $this->algo && 72 < \strlen($raw))) {
|
if (\strlen($raw) > self::MAX_PASSWORD_LENGTH || (\PASSWORD_BCRYPT === $this->algo && 72 < \strlen($raw))) {
|
||||||
throw new BadCredentialsException('Invalid password.');
|
throw new BadCredentialsException('Invalid password.');
|
||||||
}
|
}
|
||||||
|
|
||||||
|
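Review bot: The bcrypt guard in `encodePassword` is a strict `===` between `\PASSWORD_BCRYPT` and `$this->algo`, so it only fires when the constructor stored the constant with its native type, and the `if (null !== $algo)` branch that handles a caller-supplied value continues outside the hunk. If that branch can leave a differently typed value in `$this->algo`, the 72-byte check is skipped silently and bcrypt would hash only a truncated prefix of the password, which appears to be the failure this commit addresses. A regression test that selects bcrypt and expects `BadCredentialsException` for a 73-byte password would pin the behaviour, and the bare `72` deserves a comment such as `// bcrypt ignores input past 72 bytes; reject rather than hash a truncated password`. The verification path is not shown on this page; it should be confirmed to apply the same limit.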