merged branch fabpot/bcrypt-salt (PR #8266)
This PR was merged into the 2.3 branch.
Discussion
----------
[Security] fixed usage of the salt for the bcrypt encoder (refs #8210)
| Q | A
| ------------- | ---
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | #8210
| License | MIT
| Doc PR | n/a
see #8210
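Added illustration, not part of the PR or of Symfony's code: a stand-alone PHP script showing, at the `password_hash()` level, what the two branches of the fixed encoder do and why the docblock advises against passing a salt. The `encodePassword()`/`isPasswordValid()` functions below are simplified stand-ins (hypothetical names chosen to mirror the encoder), the `expect()` helper and the sample salt are constructed for the demo, and the script assumes PHP 5.5 to 7.x: the `salt` option of `password_hash()` is deprecated since PHP 7.0 and ignored (a random salt is generated instead) since PHP 8.0, so the explicit-salt checks only hold on those versions.

```php
<?php
// Added example, not Symfony's encoder. Requires PHP >= 5.5 and < 8.0 for the
// explicit-salt branch: PHP 8 ignores the "salt" option and generates its own.

function expect($condition, $message)
{
    // Constructed helper: fail loudly instead of printing values to inspect.
    if (!$condition) {
        throw new RuntimeException('check failed: ' . $message);
    }
}

// Simplified stand-in for the encoder; cost is a parameter instead of a property.
function encodePassword($raw, $salt, $cost = 10)
{
    $options = array('cost' => $cost);

    // Strict check rather than a truthiness test, so a salt of "0" is not dropped.
    if (null !== $salt && '' !== $salt) {
        // bcrypt salts must be at least 22 characters; password_hash() refuses
        // shorter ones and returns null (PHP 5.5) or false (PHP 7) instead of a hash.
        if (strlen($salt) < 22) {
            throw new InvalidArgumentException('bcrypt salt must be at least 22 characters');
        }
        $options['salt'] = $salt;
    }

    $hash = password_hash($raw, PASSWORD_BCRYPT, $options);
    if (!is_string($hash)) {
        throw new RuntimeException('password_hash() did not return a hash');
    }

    return $hash;
}

function isPasswordValid($encoded, $raw)
{
    // bcrypt stores the salt inside the hash string, so no separate salt is needed here.
    return password_verify($raw, $encoded);
}

$password = 'correct horse battery staple';

// 1. No salt: PHP generates a random one per call. Two hashes of the same
//    password differ, yet both verify, because each carries its own salt.
$a = encodePassword($password, null);
$b = encodePassword($password, null);
expect($a !== $b, 'random salts give different hashes');
expect(isPasswordValid($a, $password), 'first hash verifies');
expect(isPasswordValid($b, $password), 'second hash verifies');
expect(!isPasswordValid($a, 'wrong password'), 'wrong password is rejected');

// 2. Caller-supplied salt (constructed sample, 22 chars from ./0-9A-Za-z):
//    output is deterministic, so equal passwords give equal hashes, which is
//    exactly the property a password store should not have.
$salt = 'abcdefghijklmnopqrstuv';
$c = encodePassword($password, $salt);
$d = encodePassword($password, $salt);
expect($c === $d, 'fixed salt makes the hash deterministic');
expect(isPasswordValid($c, $password), 'explicit-salt hash still verifies');
// The salt is embedded after "$2y$10$". Only the first 21 characters are compared:
// the 22nd bcrypt salt character carries just 2 bits and is re-encoded canonically.
expect(substr($c, 0, 7) === '$2y$10$', 'bcrypt prefix and cost');
expect(substr($c, 7, 21) === substr($salt, 0, 21), 'supplied salt is embedded in the hash');

// 3. A salt that does not meet the bcrypt minimum is rejected before password_hash().
try {
    encodePassword($password, 'tooshort');
    expect(false, 'short salt must be rejected');
} catch (InvalidArgumentException $e) {
    // expected
}

echo "all checks passed\n";
```

Run it with `php example.php` on PHP 5.5 to 7.4; the second block is the concrete reason behind the docblock line in the diff: a salt supplied by the caller is written into the hash verbatim, so every user who shares a salt shares a hash for the same password.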
Commits
-------
b5ded81
[Security] fixed usage of the salt for the bcrypt encoder (refs #8210)
This commit is contained in: commit f554ada374
@ -53,14 +53,24 @@ class BCryptPasswordEncoder extends BasePasswordEncoder
|
|||||||
* the "$2y$" salt prefix (which is not available in the early PHP versions).
|
* the "$2y$" salt prefix (which is not available in the early PHP versions).
|
||||||
* @see https://github.com/ircmaxell/password_compat/issues/10#issuecomment-11203833
|
* @see https://github.com/ircmaxell/password_compat/issues/10#issuecomment-11203833
|
||||||
*
|
*
|
||||||
|
* It is almost best to **not** pass a salt and let PHP generate one for you.
|
||||||
|
*
|
||||||
* @param string $raw The password to encode
|
* @param string $raw The password to encode
|
||||||
* @param string $salt The salt
|
* @param string $salt The salt
|
||||||
*
|
*
|
||||||
* @return string The encoded password
|
* @return string The encoded password
|
||||||
|
*
|
||||||
|
* @link http://lxr.php.net/xref/PHP_5_5/ext/standard/password.c#111
|
||||||
*/
|
*/
|
||||||
public function encodePassword($raw, $salt)
|
public function encodePassword($raw, $salt)
|
||||||
{
|
{
|
||||||
return password_hash($raw, PASSWORD_BCRYPT, array('cost' => $this->cost));
|
$options = array('cost' => $this->cost);
|
||||||
|
|
||||||
|
if ($salt) {
|
||||||
|
$options['salt'] = $salt;
|
||||||
|
}
|
||||||
|
|
||||||
|
return password_hash($raw, PASSWORD_BCRYPT, $options);
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
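Review bot: in the `encodePassword()` body, the `if ($salt)` branch copies whatever the caller passed straight into `$options['salt']` without checking that it satisfies bcrypt's requirements (at least 22 characters; `password_hash()` returns no hash for a shorter salt and re-encodes characters outside `./0-9A-Za-z`), so a salt that other encoders accepted can now make this method return a non-string instead of a hash; either validate the length here and throw, or state the requirement in the docblock next to the new `@link`. Being a truthiness test, `if ($salt)` also silently drops a salt of `"0"`; `null !== $salt && '' !== $salt` says what is meant. Minor: the added docblock line "It is almost best to **not** pass a salt" should read "almost always best".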