Thanks to visit codestin.com
Credit goes to github.com

Skip to content

Commit 5acf549

Browse files
David Brooksnicolas-grekas
David Brooks
authored and
nicolas-grekas
committed
[Security/Core] Fix checking for SHA256/SHA512 passwords
1 parent f75e9d5 commit 5acf549

File tree

4 files changed

+23
-5
lines changed

4 files changed

+23
-5
lines changed

src/Symfony/Component/Security/Core/Encoder/NativePasswordEncoder.php

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -80,9 +80,9 @@ public function isPasswordValid($encoded, $raw, $salt): bool
8080
return false;
8181
}
8282

83-
if (0 === strpos($encoded, '$2')) {
83+
if (0 !== strpos($encoded, '$argon')) {
8484
// BCrypt encodes only the first 72 chars
85-
return 72 >= \strlen($raw) && password_verify($raw, $encoded);
85+
return (72 >= \strlen($raw) || 0 !== strpos($encoded, '$2')) && password_verify($raw, $encoded);
8686
}
8787

8888
if (\extension_loaded('sodium') && version_compare(\SODIUM_LIBRARY_VERSION, '1.0.14', '>=')) {

src/Symfony/Component/Security/Core/Encoder/SodiumPasswordEncoder.php

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -80,9 +80,9 @@ public function isPasswordValid($encoded, $raw, $salt): bool
8080
return false;
8181
}
8282

83-
if (72 >= \strlen($raw) && 0 === strpos($encoded, '$2')) {
84-
// Accept validating BCrypt passwords for seamless migrations
85-
return password_verify($raw, $encoded);
83+
// Accept validating non-argon passwords for seamless migrations
84+
if (0 !== strpos($encoded, '$argon')) {
85+
return (72 >= \strlen($raw) || 0 !== strpos($encoded, '$2')) && password_verify($raw, $encoded);
8686
}
8787

8888
if (\function_exists('sodium_crypto_pwhash_str_verify')) {

src/Symfony/Component/Security/Core/Tests/Encoder/NativePasswordEncoderTest.php

Lines changed: 9 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -55,6 +55,15 @@ public function testValidation()
5555
$this->assertFalse($encoder->isPasswordValid($result, 'anotherPassword', null));
5656
}
5757

58+
public function testNonArgonValidation()
59+
{
60+
$encoder = new NativePasswordEncoder();
61+
$this->assertTrue($encoder->isPasswordValid('$5$abcdefgh$ZLdkj8mkc2XVSrPVjskDAgZPGjtj1VGVaa1aUkrMTU/', 'password', null));
62+
$this->assertFalse($encoder->isPasswordValid('$5$abcdefgh$ZLdkj8mkc2XVSrPVjskDAgZPGjtj1VGVaa1aUkrMTU/', 'anotherPassword', null));
63+
$this->assertTrue($encoder->isPasswordValid('$6$abcdefgh$yVfUwsw5T.JApa8POvClA1pQ5peiq97DUNyXCZN5IrF.BMSkiaLQ5kvpuEm/VQ1Tvh/KV2TcaWh8qinoW5dhA1', 'password', null));
64+
$this->assertFalse($encoder->isPasswordValid('$6$abcdefgh$yVfUwsw5T.JApa8POvClA1pQ5peiq97DUNyXCZN5IrF.BMSkiaLQ5kvpuEm/VQ1Tvh/KV2TcaWh8qinoW5dhA1', 'anotherPassword', null));
65+
}
66+
5867
public function testConfiguredAlgorithm()
5968
{
6069
$encoder = new NativePasswordEncoder(null, null, null, PASSWORD_BCRYPT);

src/Symfony/Component/Security/Core/Tests/Encoder/SodiumPasswordEncoderTest.php

Lines changed: 9 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -37,6 +37,15 @@ public function testBCryptValidation()
3737
$this->assertTrue($encoder->isPasswordValid('$2y$04$M8GDODMoGQLQRpkYCdoJh.lbiZPee3SZI32RcYK49XYTolDGwoRMm', 'abc', null));
3838
}
3939

40+
public function testNonArgonValidation()
41+
{
42+
$encoder = new SodiumPasswordEncoder();
43+
$this->assertTrue($encoder->isPasswordValid('$5$abcdefgh$ZLdkj8mkc2XVSrPVjskDAgZPGjtj1VGVaa1aUkrMTU/', 'password', null));
44+
$this->assertFalse($encoder->isPasswordValid('$5$abcdefgh$ZLdkj8mkc2XVSrPVjskDAgZPGjtj1VGVaa1aUkrMTU/', 'anotherPassword', null));
45+
$this->assertTrue($encoder->isPasswordValid('$6$abcdefgh$yVfUwsw5T.JApa8POvClA1pQ5peiq97DUNyXCZN5IrF.BMSkiaLQ5kvpuEm/VQ1Tvh/KV2TcaWh8qinoW5dhA1', 'password', null));
46+
$this->assertFalse($encoder->isPasswordValid('$6$abcdefgh$yVfUwsw5T.JApa8POvClA1pQ5peiq97DUNyXCZN5IrF.BMSkiaLQ5kvpuEm/VQ1Tvh/KV2TcaWh8qinoW5dhA1', 'anotherPassword', null));
47+
}
48+
4049
public function testEncodePasswordLength()
4150
{
4251
$this->expectException('Symfony\Component\Security\Core\Exception\BadCredentialsException');

0 commit comments

Comments
 (0)