[Security] Numeric passwords comparing bugfix #203

Closed
wants to merge 1 commit into from

Conversation

petrjaros
Contributor

Method comparePassword hasn't been working properly for numeric (plaintext) passwords because the inserted password was converted into integer type and compared with the stored password as a string type. Bugfix changes the data type of passwords into string before comparing.

…nction comparePasswords hasn't been working properly for numeric (plaintext) passwords.
@@ -77,6 +77,9 @@ abstract class BasePasswordEncoder implements PasswordEncoderInterface
*/
protected function comparePasswords($password1, $password2)
{
settype($password1, 'string');
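Review bot: settype($password1, 'string') coerces the argument in place and, in the visible lines, only covers $password1; a plain `$password1 = (string) $password1;` is the cast style used elsewhere in the code base, and since the mismatch originates where the user is built from configuration (the unquoted 12345 in the YAML definition arrives as an int), the cast belongs in that setup code rather than in comparePasswords(), which should be able to assume string input on both sides.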
Member
This is not used in other parts of the framework AFAIK. You should probably cast it as a string using $password1 = (string) $password1 to be consistent with the code.

@schmittjoh
Contributor

Can you explain why the password is not a string? I think we should fix this rather than changing the compare method.

@petrjaros
Contributor Author

I'm using this configuration:

security:
    encoders:
        Symfony\Component\Security\Core\User\User: plaintext
    providers:
        customers:
            users:
                petr: { password: 12345, roles: [D1] }
    firewalls:
        customers:
            provider: customers
            form-login:
                check_path: /customer/login_check
                login_path: /customer/login

and when I input credentials into the login form I can see in the debug window that the first parameter for Symfony\Component\Security\Core\Encoder::comparePasswords() is 12345 of integer type and the second is '12345' of string type. So the method always returns false.

@schmittjoh
Contributor

Then we should cast the password to a string in the SecurityExtension when your users are set up.

@fabpot
Member

fabpot commented Mar 9, 2011

IIUC, we can close this pull request and expect another one with a better fix?

@schmittjoh
Contributor

Yes, I'll close it.

@petrjaros, if you're not sure where to fix it in the SecurityExtension.php, please create a ticket on trac.symfony-project.org, and I'll fix it when I have time.

@petrjaros
Contributor Author

I have made another pull request with the right solution to the problem, I hope.
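The int-versus-string mismatch reported with the configuration above, and the cast at user setup that the thread settles on, as an added PHP example that is not Symfony's own code: constantTimeEquals() and buildUser() are assumed stand-ins for comparePasswords() and the SecurityExtension user setup, and $usersFromYaml is constructed to mirror what the YAML parser returns for the quoted user definition.

```php
<?php
// Added example (not Symfony code). $usersFromYaml is constructed to mirror what
// the YAML parser returns for `petr: { password: 12345, roles: [D1] }`: the
// unquoted scalar 12345 becomes an int, not the string '12345'.
$usersFromYaml = ['petr' => ['password' => 12345, 'roles' => ['D1']]];

// Assumed stand-in for comparePasswords(): a length check followed by a
// byte-wise XOR, so the running time does not depend on where the first
// mismatch occurs. String offsets such as $a[$i] only exist on strings, so an
// int argument can never compare equal; that is the failure this PR reports.
function constantTimeEquals($a, $b): bool
{
    if (!is_string($a) || !is_string($b)) {
        return false;
    }
    if (strlen($a) !== strlen($b)) {
        return false;
    }
    $diff = 0;
    for ($i = 0, $n = strlen($a); $i < $n; $i++) {
        $diff |= ord($a[$i]) ^ ord($b[$i]);
    }
    return 0 === $diff;
}

// Assumed stand-in for the SecurityExtension user setup, where the thread agrees
// the cast belongs: normalise once here and every later consumer sees a string.
function buildUser(string $name, array $definition): array
{
    return [
        'username' => $name,
        'password' => (string) $definition['password'],
        'roles'    => $definition['roles'],
    ];
}

$submitted = '12345';                            // what the login form posts
$stored    = $usersFromYaml['petr']['password']; // the int the parser produced

var_dump(is_int($stored));                           // the root cause
var_dump(constantTimeEquals($stored, $submitted));   // int vs string: the failing case
// A loose == would accept this pair, but it is neither constant-time nor
// type-safe, so widening the comparison is not the right fix.
var_dump($stored == $submitted);

$user = buildUser('petr', $usersFromYaml['petr']);
var_dump(constantTimeEquals($user['password'], $submitted)); // string vs string after the cast
```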

This pull request was closed.