Skip to content

[PasswordHasher] accept hashing passwords with nul bytes or longer than 72 bytes when using bcrypt #40920

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Apr 29, 2021
Merged

[PasswordHasher] accept hashing passwords with nul bytes or longer than 72 bytes when using bcrypt #40920

merged 1 commit into from
Apr 29, 2021

Conversation

nicolas-grekas
Copy link
Member

@nicolas-grekas nicolas-grekas commented Apr 23, 2021
edited
Loading

Q A
Branch? 5.x
Bug fix? yes
New feature? no
Deprecations? no
Tickets -
License MIT
Doc PR -

This limitation of bcrypt creates a risk for migrations. But we can remove it, so here we are.

@nicolas-grekas nicolas-grekas added this to the 5.3 milestone Apr 23, 2021
@nicolas-grekas nicolas-grekas requested a review from chalasr as a code owner April 23, 2021 08:42
@nicolas-grekas nicolas-grekas changed the title [PasswordHasher] accept hashing password with nul bytes or longer than 72 bytes when using bcrypt [PasswordHasher] accept hashing passwords with nul bytes or longer than 72 bytes when using bcrypt Apr 23, 2021
@nicolas-grekas nicolas-grekas force-pushed the hash-bcrypt branch 3 times, most recently from f927b8e to 2acae1d Compare April 23, 2021 08:54
chalasr
chalasr previously approved these changes Apr 23, 2021
View reviewed changes
@chalasr chalasr dismissed their stale review April 23, 2021 09:04

too fast, some tests are broken :)

chalasr
chalasr requested changes Apr 28, 2021
View reviewed changes
Copy link
Member

@chalasr chalasr left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Some tests are broken

@nicolas-grekas
Copy link
Member Author

Green!

Status: needs review

@nicolas-grekas nicolas-grekas mentioned this pull request Apr 29, 2021
Merged
chalasr added a commit that referenced this pull request Apr 29, 2021
@chalasr
bug #40993 [Security] [Security/Core] fix checking for bcrypt (nicola…
9b1e941 
…s-grekas)

This PR was merged into the 4.4 branch.

Discussion
----------

[Security] [Security/Core] fix checking for bcrypt

| Q             | A
| ------------- | ---
| Branch?       | 4.4
| Bug fix?      | yes
| New feature?  | no
| Deprecations? | no
| Tickets       | -
| License       | MIT
| Doc PR        | -

Spotted while working on #40920

Because of the logic in the constructor, if bcrypt is used, it's not cast to string.

Commits
-------

f01ea99 [Security/Core] fix checking for bcrypt
@chalasr
Copy link
Member

chalasr commented Apr 29, 2021

Thank you @nicolas-grekas.

@chalasr chalasr merged commit 68a97d6 into symfony:5.x Apr 29, 2021
@nicolas-grekas nicolas-grekas deleted the hash-bcrypt branch April 29, 2021 21:00
@fabpot fabpot mentioned this pull request May 1, 2021
Merged
@xabbuh xabbuh mentioned this pull request Apr 13, 2024
Merged
@johnbillion johnbillion mentioned this pull request Oct 23, 2024
Closed
12 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@rosier rosier rosier requested changes

@chalasr chalasr chalasr approved these changes

Assignees
No one assigned
Labels
Bug PasswordHasher Status: Reviewed
Projects
None yet
Milestone
5.3
Development

Successfully merging this pull request may close these issues.
4 participants
@nicolas-grekas @chalasr @rosier @carsonbot