[Security] Verify if a password encoded with bcrypt is no longer than 72 characters #17055
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
|
||
| $this->assertFalse($encoder->isPasswordValid('encoded', str_repeat('a', 5000), 'salt')); | ||
| $this->assertFalse($encoder->isPasswordValid($result, str_repeat('a', 73), 'salt')); | ||
| $this->assertTrue($encoder->isPasswordValid($result, str_repeat('a', 72), 'salt')); |
There was a problem hiding this comment.
We didn't have this assertion before. Without this there could be no length validation in isPasswordValid() and the assertion on the line before would pass anyway.
|
👍 |
| @@ -19,6 +19,8 @@ | |||
| */ | |||
| class BCryptPasswordEncoder extends BasePasswordEncoder | |||
| { | |||
| const MAX_PASSWORD_LENGTH = 72; | |||
There was a problem hiding this comment.
Maybe we could add a comment above this constant to show that this limit is not arbitrary. Something like this:
// When using bcrypt algorithm, PHP's password_hash() truncates the password length to a maximum of 72 chars.
const MAX_PASSWORD_LENGTH = 72;|
Thank you @jakzal. |
fabpot
added a commit
that referenced
this pull request
Dec 18, 2015
…longer than 72 characters (jakzal) This PR was merged into the 2.3 branch. Discussion ---------- [Security] Verify if a password encoded with bcrypt is no longer than 72 characters | Q | A | ------------- | --- | Bug fix? | yes | New feature? | no | BC breaks? | no | Deprecations? | no | Tests pass? | yes | Fixed tickets | #17047 | License | MIT | Doc PR | - From the [password_hash() docs](http://php.net/password_hash): > Caution Using the PASSWORD_BCRYPT as the algorithm, will result in the password parameter being truncated to a maximum length of 72 characters. Commits ------- 0a496e7 [Security] Enable bcrypt validation and result length tests on all PHP versions 5c30266 [Security] Verify if a password encoded with bcrypt is no longer than 72 characters
nicolas-grekas
added a commit
that referenced
this pull request
Dec 22, 2015
…Christian Flothmann, xabbuh) This PR was merged into the 2.3 branch. Discussion ---------- [Security] skip bcrypt tests on incompatible platforms | Q | A | ------------- | --- | Bug fix? | yes | New feature? | no | BC breaks? | no | Deprecations? | no | Tests pass? | yes | Fixed tickets | #17055 | License | MIT | Doc PR | Not all PHP versions before 5.3.7 have backported fixes that make it possible to use `password_hash()` function. Therefore, we have to skip tests on not supported platforms. Commits ------- 2a6fa7b use requires annotation 65eb188 skip bcrypt tests on incompatible platforms
This was referenced Dec 26, 2015
Merged
Merged
Merged
Merged
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
From the password_hash() docs: