Skip to content

[SecurityBundle] Passwords are not encoded when algorithm set to "true" #34738

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Dec 3, 2019
Merged

[SecurityBundle] Passwords are not encoded when algorithm set to "true" #34738

merged 1 commit into from
Dec 3, 2019

Conversation

nieuwenhuisen
Copy link

@nieuwenhuisen nieuwenhuisen commented Dec 1, 2019
edited by chalasr
Loading

Q A
Branch? 3.4
Bug fix? yes
New feature? no
Deprecations? no
Tickets Fix #34725
License MIT
Doc PR -

If the algorithm is set to true, password will be encode as plain password.

security:
    encoders:
        App\User\User:
            algorithm: true

The reason for this is the not strict comparison of php switches.

switch ($config['algorithm']) {
            case 'plaintext':
}

true == 'plaintext' is true, so the first case is hit. My first solution was to cast the algorithm to a string, to prevent this. After some feedback I have catch this problem earlier and does not allow true as valid value to the algorithm option.

Ps. This is my first PR for Symfony, any feedback is welcome :-)!

@nieuwenhuisen nieuwenhuisen mentioned this pull request Dec 1, 2019
Closed
@derrabus
Copy link
Member

derrabus commented Dec 1, 2019

Can we catch this earlier? imho, algorithm: true shouldn't pass the config validation.

@nieuwenhuisen
Copy link
Author

Sounds reasonable. I will take a look at the config validation.

@nicolas-grekas nicolas-grekas added this to the 4.3 milestone Dec 2, 2019
@nicolas-grekas nicolas-grekas changed the base branch from master to 4.3 December 2, 2019 10:07
@nieuwenhuisen nieuwenhuisen force-pushed the fix_algorithm_true_converts_to_plain_password_encoder branch from c2926d9 to cdb0b49 Compare December 2, 2019 20:59
@nieuwenhuisen
Copy link
Author

I have reset my previous updates and change the configuration validation.
Now is true not allowed as algorithm config value.

@nieuwenhuisen nieuwenhuisen changed the title [Security] Passwords are not encoded when algorithm set to "true" [SecurityBundle] Passwords are not encoded when algorithm set to "true" Dec 2, 2019
@nieuwenhuisen nieuwenhuisen requested a review from xabbuh December 3, 2019 19:17
@chalasr chalasr force-pushed the fix_algorithm_true_converts_to_plain_password_encoder branch from 851ffb9 to d00464f Compare December 3, 2019 20:55
@chalasr chalasr modified the milestones: 4.3, 3.4 Dec 3, 2019
@chalasr chalasr force-pushed the fix_algorithm_true_converts_to_plain_password_encoder branch from d00464f to cb429cd Compare December 3, 2019 21:00
@chalasr chalasr changed the base branch from 4.3 to 3.4 December 3, 2019 21:04
@chalasr chalasr force-pushed the fix_algorithm_true_converts_to_plain_password_encoder branch from 5d593d5 to 83a5517 Compare December 3, 2019 21:05
@chalasr
Copy link
Member

chalasr commented Dec 3, 2019
edited
Loading

Rebased on 3.4 since it applies there. Congratz for your first contrib!

@chalasr
Copy link
Member

chalasr commented Dec 3, 2019

Thank you @nieuwenhuisen.

chalasr pushed a commit that referenced this pull request Dec 3, 2019
bug #34738 [SecurityBundle] Passwords are not encoded when algorithm …
59126e0 
…set to "true" (nieuwenhuisen)

This PR was merged into the 3.4 branch.

Discussion
----------

[SecurityBundle] Passwords are not encoded when algorithm set to "true"

| Q             | A
| ------------- | ---
| Branch?       | 3.4
| Bug fix?      | yes
| New feature?  | no
| Deprecations? | no
| Tickets       | Fix #34725
| License       | MIT
| Doc PR        | -

If the algorithm is set to `true`, password will be encode as plain password.

```
security:
    encoders:
        App\User\User:
            algorithm: true
```

The reason for this is the not strict comparison of php switches.

```
switch ($config['algorithm']) {
            case 'plaintext':
}
```

`true == 'plaintext'` is `true`, so the first case is hit. My first solution was to cast the algorithm to a string, to prevent this. After some feedback I have catch this problem earlier and does not allow true as valid value to the algorithm option.

Ps. This is my first PR for Symfony, any feedback is welcome :-)!

Commits
-------

83a5517 [SecurityBundle] Passwords are not encoded when algorithm set to \"true\"
@chalasr chalasr merged commit 83a5517 into symfony:3.4 Dec 3, 2019
@mhujer
Copy link
Contributor

mhujer commented Dec 3, 2019

@nieuwenhuisen Thanks for fixing it! 👍

@nieuwenhuisen nieuwenhuisen deleted the fix_algorithm_true_converts_to_plain_password_encoder branch December 3, 2019 21:11
This was referenced Dec 19, 2019
Merged
Merged
This was referenced Jan 21, 2020
Merged
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@derrabus derrabus derrabus approved these changes

@xabbuh xabbuh xabbuh approved these changes

@chalasr chalasr chalasr approved these changes

@nicolas-grekas nicolas-grekas Awaiting requested review from nicolas-grekas

Assignees
No one assigned
Labels
Bug Security Status: Reviewed
Projects
None yet
Milestone
3.4
Development

Successfully merging this pull request may close these issues.
7 participants
@nieuwenhuisen @derrabus @chalasr @mhujer @nicolas-grekas @xabbuh @carsonbot