Skip to content

[Security] limited the password length passed to encoders #9100

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 1 commit into from
Sep 23, 2013
Merged

[Security] limited the password length passed to encoders #9100

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 4 additions & 0 deletions src/Symfony/Component/Security/Core/Encoder/BCryptPasswordEncoder.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -64,6 +64,8 @@ public function __construct($cost)
*/
public function encodePassword($raw, $salt)
{
$this->checkPasswordLength($raw);

$options = array('cost' => $this->cost);

if ($salt) {
Expand All @@ -78,6 +80,8 @@ public function encodePassword($raw, $salt)
*/
public function isPasswordValid($encoded, $raw, $salt)
{
$this->checkPasswordLength($raw);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Instead of throwing a BadCredentialsException here (which means it has to be catched in the CurrentPasswordValidator to avoid getting a 500 error when applying the validator, which is not done currently), wouldn't it be better to return false in isPasswordValid ? This method has 2 different way to handle invalid passwords now


return password_verify($raw, $encoded);
}
}
10 changes: 10 additions & 0 deletions src/Symfony/Component/Security/Core/Encoder/BasePasswordEncoder.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -12,6 +12,7 @@
namespace Symfony\Component\Security\Core\Encoder;

use Symfony\Component\Security\Core\Util\StringUtils;
use Symfony\Component\Security\Core\Exception\BadCredentialsException;

/**
* BasePasswordEncoder is the base class for all password encoders.
Expand All @@ -20,6 +21,8 @@
*/
abstract class BasePasswordEncoder implements PasswordEncoderInterface
{
const MAX_PASSWORD_LENGTH = 4096;

/**
* Demerges a merge password and salt string.
*
Expand Down Expand Up @@ -83,4 +86,11 @@ protected function comparePasswords($password1, $password2)
{
return StringUtils::equals($password1, $password2);
}

protected function checkPasswordLength($password)
{
if (strlen($password) > self::MAX_PASSWORD_LENGTH) {
throw new BadCredentialsException('Invalid password.');
}
}
}
4 changes: 4 additions & 0 deletions src/Symfony/Component/Security/Core/Encoder/MessageDigestPasswordEncoder.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -41,6 +41,8 @@ public function __construct($algorithm = 'sha512', $encodeHashAsBase64 = true, $
*/
public function encodePassword($raw, $salt)
{
$this->checkPasswordLength($raw);

if (!in_array($this->algorithm, hash_algos(), true)) {
throw new \LogicException(sprintf('The algorithm "%s" is not supported.', $this->algorithm));
}
Expand All @@ -61,6 +63,8 @@ public function encodePassword($raw, $salt)
*/
public function isPasswordValid($encoded, $raw, $salt)
{
$this->checkPasswordLength($raw);

return $this->comparePasswords($encoded, $this->encodePassword($raw, $salt));
}
}
4 changes: 4 additions & 0 deletions src/Symfony/Component/Security/Core/Encoder/Pbkdf2PasswordEncoder.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -54,6 +54,8 @@ public function __construct($algorithm = 'sha512', $encodeHashAsBase64 = true, $
*/
public function encodePassword($raw, $salt)
{
$this->checkPasswordLength($raw);

if (!in_array($this->algorithm, hash_algos(), true)) {
throw new \LogicException(sprintf('The algorithm "%s" is not supported.', $this->algorithm));
}
Expand All @@ -72,6 +74,8 @@ public function encodePassword($raw, $salt)
*/
public function isPasswordValid($encoded, $raw, $salt)
{
$this->checkPasswordLength($raw);

return $this->comparePasswords($encoded, $this->encodePassword($raw, $salt));
}

Expand Down
4 changes: 4 additions & 0 deletions src/Symfony/Component/Security/Core/Encoder/PlaintextPasswordEncoder.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -35,6 +35,8 @@ public function __construct($ignorePasswordCase = false)
*/
public function encodePassword($raw, $salt)
{
$this->checkPasswordLength($raw);

return $this->mergePasswordAndSalt($raw, $salt);
}

Expand All @@ -43,6 +45,8 @@ public function encodePassword($raw, $salt)
*/
public function isPasswordValid($encoded, $raw, $salt)
{
$this->checkPasswordLength($raw);

$pass2 = $this->mergePasswordAndSalt($raw, $salt);

if (!$this->ignorePasswordCase) {
Expand Down
20 changes: 20 additions & 0 deletions src/Symfony/Component/Security/Core/Tests/Encoder/BCryptPasswordEncoderTest.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -64,6 +64,26 @@ public function testValidation()
$this->assertFalse($encoder->isPasswordValid($result, 'anotherPassword', null));
}

/**
* @expectedException \Symfony\Component\Security\Core\Exception\BadCredentialsException
*/
public function testEncodePasswordLength()
{
$encoder = new BCryptPasswordEncoder(4);

$encoder->encodePassword(str_repeat('a', 5000), 'salt');
}

/**
* @expectedException \Symfony\Component\Security\Core\Exception\BadCredentialsException
*/
public function testCheckPasswordLength()
{
$encoder = new BCryptPasswordEncoder(4);

$encoder->isPasswordValid('encoded', str_repeat('a', 5000), 'salt');
}

private function skipIfPhpVersionIsNotSupported()
{
if (version_compare(phpversion(), '5.3.7', '<')) {
Expand Down
20 changes: 20 additions & 0 deletions src/Symfony/Component/Security/Core/Tests/Encoder/MessageDigestPasswordEncoderTest.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -42,4 +42,24 @@ public function testEncodePasswordAlgorithmDoesNotExist()
$encoder = new MessageDigestPasswordEncoder('foobar');
$encoder->encodePassword('password', '');
}

/**
* @expectedException \Symfony\Component\Security\Core\Exception\BadCredentialsException
*/
public function testEncodePasswordLength()
{
$encoder = new MessageDigestPasswordEncoder();

$encoder->encodePassword(str_repeat('a', 5000), 'salt');
}

/**
* @expectedException \Symfony\Component\Security\Core\Exception\BadCredentialsException
*/
public function testCheckPasswordLength()
{
$encoder = new MessageDigestPasswordEncoder();

$encoder->isPasswordValid('encoded', str_repeat('a', 5000), 'salt');
}
}
20 changes: 20 additions & 0 deletions src/Symfony/Component/Security/Core/Tests/Encoder/Pbkdf2PasswordEncoderTest.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -42,4 +42,24 @@ public function testEncodePasswordAlgorithmDoesNotExist()
$encoder = new Pbkdf2PasswordEncoder('foobar');
$encoder->encodePassword('password', '');
}

/**
* @expectedException \Symfony\Component\Security\Core\Exception\BadCredentialsException
*/
public function testEncodePasswordLength()
{
$encoder = new Pbkdf2PasswordEncoder();

$encoder->encodePassword(str_repeat('a', 5000), 'salt');
}

/**
* @expectedException \Symfony\Component\Security\Core\Exception\BadCredentialsException
*/
public function testCheckPasswordLength()
{
$encoder = new Pbkdf2PasswordEncoder();

$encoder->isPasswordValid('encoded', str_repeat('a', 5000), 'salt');
}
}
20 changes: 20 additions & 0 deletions src/Symfony/Component/Security/Core/Tests/Encoder/PlaintextPasswordEncoderTest.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -36,4 +36,24 @@ public function testEncodePassword()

$this->assertSame('foo', $encoder->encodePassword('foo', ''));
}

/**
* @expectedException \Symfony\Component\Security\Core\Exception\BadCredentialsException
*/
public function testEncodePasswordLength()
{
$encoder = new PlaintextPasswordEncoder();

$encoder->encodePassword(str_repeat('a', 5000), 'salt');
}

/**
* @expectedException \Symfony\Component\Security\Core\Exception\BadCredentialsException
*/
public function testCheckPasswordLength()
{
$encoder = new PlaintextPasswordEncoder();

$encoder->isPasswordValid('encoded', str_repeat('a', 5000), 'salt');
}
}