Skip to content

[Security] Make it possible to inherit MessageDigestPasswordHasher #41696

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 1 commit into from
Closed

[Security] Make it possible to inherit MessageDigestPasswordHasher #41696

wants to merge 1 commit into from

Conversation

ampaze
Copy link
Contributor

@ampaze ampaze commented Jun 14, 2021
edited
Loading

Q A
Branch? 5.3
Bug fix? yes
New feature? no
Deprecations? no
License MIT

Symfony 5.3 breaks existing installations that inherit MessageDigestPasswordEncoder (MessageDigestPasswordHasher) because the mergePasswordAndSalt method is private and thus cannot be overwritten.

@ampaze ampaze requested a review from chalasr as a code owner June 14, 2021 10:22
@carsonbot carsonbot added this to the 5.3 milestone Jun 14, 2021
@stof
Copy link
Member

stof commented Jun 14, 2021

What do you mean by "it breaks them" ? This private method is in a new class, not in an existing class.

@carsonbot carsonbot changed the title Make it possible to inherit MessageDigestPasswordHasher [Security] Make it possible to inherit MessageDigestPasswordHasher Jun 14, 2021
@ampaze
Copy link
Contributor Author

ampaze commented Jun 14, 2021

Well if your application uses MessageDigestPasswordEncoder then an overwritten mergePasswordAndSalt method will never be used, as the code was copied to MessageDigestPasswordHasher and MessageDigestPasswordEncoder now uses MessageDigestPasswordHasher via LegacyEncoderTrait

symfony/src/Symfony/Component/Security/Core/Encoder/LegacyEncoderTrait.php

Line 35 in 414c78b

return $this->hasher->hash($raw, $salt);

So then the next step is, like the deprecation message suggest, to use MessageDigestPasswordHasher directly.

But as mergePasswordAndSalt is private, mergePasswordAndSalt cannot also not be overwritten.

Both cases break current apps that need to overwrite mergePasswordAndSalt.

@stof
Copy link
Member

stof commented Jun 14, 2021

If MessageDigestPasswordEncoder broke its extension point, then this is indeed a bug that should be fixed.

However, I'm not sure we should make mergePasswordAndSalt an extension point in the new component. I'd rather tag MessageDigestPasswordHasher as @final. If a project wants to roll its own crypto, making it implement the full interface seems better to me (as that should not be encouraged anyway)

@ampaze
Copy link
Contributor Author

ampaze commented Jun 14, 2021
edited
Loading

I am not sure what the advantage of using private methods or @final is?

All it does is to force me to duplicate code. Making the method protected solves this and brings no disadvantages that I can see.

@stof
Copy link
Member

stof commented Jun 14, 2021

Making the method protected has a maintenance cost, as it forces us to preserve BC on it, forbidding us to refactor things in some ways (for instance, here, we will have to revert the usage of the LegacyEncoderTrait in that class).
And inheritance-based extension points are actually the more costly ones in term of backward compatibility maintenance.

@ampaze
Copy link
Contributor Author

ampaze commented Jun 14, 2021

I see. Well I tried 😉

Should I close this PR?

@derrabus
Copy link
Member

As explained by @stof, this PR is not a bugfix. And I agree with his suggestion to implement the new interface directly.

@derrabus derrabus closed this Jun 14, 2021
@stof
Copy link
Member

stof commented Jun 14, 2021

@derrabus we should still fix the regression in MessageDigestPasswordEncoder which was refactored to use the LegacyEncoderTrait without accounting for the fact that it was extendable with a protected method though.

@derrabus derrabus mentioned this pull request Jun 14, 2021
Merged
@derrabus
Copy link
Member

@stof #41703

@ampaze ampaze deleted the patch-1 branch June 14, 2021 17:12
nicolas-grekas added a commit that referenced this pull request Jun 17, 2021
@nicolas-grekas
bug #41703 [Security] Restore extension point in MessageDigestPasswor…
35bae6b 
…dEncoder (derrabus)

This PR was merged into the 5.3 branch.

Discussion
----------

[Security] Restore extension point in MessageDigestPasswordEncoder

| Q             | A
| ------------- | ---
| Branch?       | 5.3
| Bug fix?      | yes
| New feature?  | no
| Deprecations? | no
| Tickets       | #41696 (comment)
| License       | MIT
| Doc PR        | N/A

Until Symfony 5.2, it was possible to extend `MessageDigestPasswordEncoder` and override the way password and salt are merged. This broke with #39802. I've restored the old logic and added a test case to cover that scenario.

Commits
-------

4568876 [Security] Restore extension point in MessageDigestPasswordEncoder
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@chalasr chalasr Awaiting requested review from chalasr chalasr is a code owner

Assignees
No one assigned
Labels
Bug Security Status: Needs Review
Projects
None yet
Milestone
5.3
Development

Successfully merging this pull request may close these issues.
5 participants
@ampaze @stof @derrabus @xabbuh @carsonbot