[Security] limited the password length passed to encoders #9100

fabpot · 2013-09-23T07:09:39Z

No description provided.

This PR was merged into the master branch. Discussion ---------- [Security] limited the password length passed to encoders Commits ------- f7d0ec6 [Security] limited the password length passed to encoders

stof · 2013-09-23T12:38:37Z

src/Symfony/Component/Security/Core/Encoder/BCryptPasswordEncoder.php

@@ -78,6 +80,8 @@ public function encodePassword($raw, $salt)
     */
    public function isPasswordValid($encoded, $raw, $salt)
    {
+        $this->checkPasswordLength($raw);


Instead of throwing a BadCredentialsException here (which means it has to be catched in the CurrentPasswordValidator to avoid getting a 500 error when applying the validator, which is not done currently), wouldn't it be better to return false in isPasswordValid ? This method has 2 different way to handle invalid passwords now

[Security] limited the password length passed to encoders

f7d0ec6

fabpot mentioned this pull request Sep 23, 2013

Document best practices about encoders and password validation to avoid DOS attacks symfony/symfony-docs#3003

Closed

fabpot merged commit f7d0ec6 into symfony:master Sep 23, 2013

stof reviewed Sep 23, 2013
View reviewed changes

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

[Security] limited the password length passed to encoders #9100

[Security] limited the password length passed to encoders #9100

Uh oh!

fabpot commented Sep 23, 2013

Uh oh!

stof Sep 23, 2013

Uh oh!

Uh oh!

Uh oh!

[Security] limited the password length passed to encoders #9100

[Security] limited the password length passed to encoders #9100

Uh oh!

Conversation

fabpot commented Sep 23, 2013

Uh oh!

stof Sep 23, 2013

Choose a reason for hiding this comment

Uh oh!

Uh oh!