…set to "true" (nieuwenhuisen)
This PR was merged into the 3.4 branch.
Discussion
----------
[SecurityBundle] Passwords are not encoded when algorithm set to "true"
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | yes
| New feature? | no
| Deprecations? | no
| Tickets | Fix #34725
| License | MIT
| Doc PR | -
If the algorithm is set to `true`, the password will be encoded as a plain password.
```
security:
    encoders:
        App\User\User:
            algorithm: true
```
The reason for this is the non-strict comparison of PHP switches.
```
switch ($config['algorithm']) {
    // Reached when algorithm is boolean true, because switch compares with ==.
    case 'plaintext':
}
```
`true == 'plaintext'` is `true`, so the first case is hit. My first solution was to cast the algorithm to a string, to prevent this. After some feedback I now catch this problem earlier and do not allow true as a valid value for the algorithm option.
PS. This is my first PR for Symfony, any feedback is welcome :-)!
Commits
-------
83a5517 [SecurityBundle] Passwords are not encoded when algorithm set to "true"
Symfony version(s) affected: 4.3.8
Description
When the algorithm is set to `true`, the passwords are not encoded at all (they are stored as plaintext). I would expect to get an exception instead.
Additional context
When you mistype the `algorithm` (e.g. `bcryp` or `aut`), an exception is thrown as expected.
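The loose `switch` comparison described in the commit message, next to a check that rejects non-string values before dispatching, as an added example (not Symfony's code and not part of the PR). The function names `pickEncoderLoose` and `pickEncoderStrict`, the two-entry algorithm list and the sample configs are hypothetical.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-in for an encoder factory; not Symfony's code.
function pickEncoderLoose(array $config): string
{
    // switch compares with ==, so boolean true matches the first
    // non-empty string case it meets.
    switch ($config['algorithm']) {
        case 'plaintext':
            return 'plaintext';
        case 'bcrypt':
            return 'bcrypt';
        default:
            throw new InvalidArgumentException('Unknown algorithm.');
    }
}

// Hardened variant: reject anything that is not a non-empty string,
// then match strictly (third argument of in_array forces ===).
function pickEncoderStrict(array $config): string
{
    $algorithm = $config['algorithm'] ?? null;
    if (!is_string($algorithm) || $algorithm === '') {
        throw new InvalidArgumentException(sprintf(
            'The "algorithm" option must be a non-empty string, got %s.',
            gettype($algorithm)
        ));
    }
    if (!in_array($algorithm, ['plaintext', 'bcrypt'], true)) {
        throw new InvalidArgumentException(sprintf('Unknown algorithm "%s".', $algorithm));
    }
    return $algorithm;
}

// Constructed sample configs: YAML `algorithm: true` is parsed as a boolean.
$samples = [['algorithm' => true], ['algorithm' => 'bcrypt'], ['algorithm' => 'bcryp']];
foreach ($samples as $config) {
    foreach (['pickEncoderLoose', 'pickEncoderStrict'] as $fn) {
        try {
            $result = $fn($config);
        } catch (InvalidArgumentException $e) {
            $result = 'rejected: ' . $e->getMessage();
        }
        printf("%-18s %-10s => %s\n", $fn, var_export($config['algorithm'], true), $result);
    }
}
```

Only the loose variant accepts the boolean and silently selects `plaintext`; the mistyped string `bcryp` is rejected by both, which matches the behaviour reported in the issue.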