8000 [Security] limited the password length passed to encoders · symfony/symfony@8735ba9 · GitHub


Commit 8735ba9

committed
[Security] limited the password length passed to encoders
1 parent f73944e commit 8735ba9


6 files changed

+79
-1
lines changed


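--- a/src/Symfony/Component/Security/Core/Encoder/BasePasswordEncoder.php
+++ b/src/Symfony/Component/Security/Core/Encoder/BasePasswordEncoder.php
@@ -18,6 +18,8 @@
 */
 abstract class BasePasswordEncoder implements PasswordEncoderInterface
 {
+const MAX_PASSWORD_LENGTH = 4096;
+
 /**
 * Demerges a merge password and salt string.
 *
@@ -88,4 +90,14 @@ protected function comparePasswords($password1, $password2)
 
 return 0 === $result;
 }
+
+/**
+* Checks if the password is too long.
+*
+* @return Boolean true if the password is too long, false otherwise
+*/
+protected function isPasswordTooLong($password)
+{
+return strlen($password) > self::MAX_PASSWORD_LENGTH;
+}
 }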
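Review bot: MAX_PASSWORD_LENGTH and isPasswordTooLong state neither the unit nor the intent of the limit; strlen counts bytes, so the bound is 4096 bytes rather than characters, which is the right measure for capping work handed to a hash function but should be written down. A comment on the constant such as `// Upper bound, in bytes, on a raw password an encoder will accept; longer input is rejected before any hashing.` and a `@param string $password` line in the method docblock noting the byte-wise comparison would cover it. Because the method reads `self::MAX_PASSWORD_LENGTH`, a subclass cannot change the limit by redeclaring the constant; if that is deliberate, say so in the comment, otherwise `static::MAX_PASSWORD_LENGTH` would allow an override. The docblock's `@return Boolean` should follow the short form `bool` used for native types.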

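--- a/src/Symfony/Component/Security/Core/Encoder/MessageDigestPasswordEncoder.php
+++ b/src/Symfony/Component/Security/Core/Encoder/MessageDigestPasswordEncoder.php
@@ -11,6 +11,8 @@
 
 namespace Symfony\Component\Security\Core\Encoder;
 
+use Symfony\Component\Security\Core\Exception\BadCredentialsException;
+
 /**
 * MessageDigestPasswordEncoder uses a message digest algorithm.
 *
@@ -41,6 +43,10 @@ public function __construct($algorithm = 'sha512', $encodeHashAsBase64 = true, $
 */
 public function encodePassword($raw, $salt)
 {
+if ($this->isPasswordTooLong($raw)) {
+throw new BadCredentialsException('Invalid password.');
+}
+
 if (!in_array($this->algorithm, hash_algos(), true)) {
 throw new \LogicException(sprintf('The algorithm "%s" is not supported.', $this->algorithm));
 }
@@ -61,6 +67,6 @@ public function encodePassword($raw, $salt)
 */
 public function isPasswordValid($encoded, $raw, $salt)
 {
-return $this->comparePasswords($encoded, $this->encodePassword($raw, $salt));
+return !$this->isPasswordTooLong($raw) && $this->comparePasswords($encoded, $this->encodePassword($raw, $salt));
 }
 }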
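Review bot: The new isPasswordValid body folds the length check into one `&&` expression, while PlaintextPasswordEncoder::isPasswordValid in the same commit uses an explicit early-return `if`; the two encoders should use the same shape. Writing it as `if ($this->isPasswordTooLong($raw)) { return false; }` followed by the unchanged `return $this->comparePasswords($encoded, $this->encodePassword($raw, $salt));` matches the other encoder and keeps the reason for the early exit readable. That check is also what stops the BadCredentialsException thrown by encodePassword from escaping isPasswordValid, which deserves a one-line comment so nobody removes it as redundant. The guard lives in each concrete encoder rather than in BasePasswordEncoder, so any other PasswordEncoderInterface implementation not touched by this diff, if one exists, would remain unbounded; worth confirming.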

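--- a/src/Symfony/Component/Security/Core/Encoder/PlaintextPasswordEncoder.php
+++ b/src/Symfony/Component/Security/Core/Encoder/PlaintextPasswordEncoder.php
@@ -11,6 +11,8 @@
 
 namespace Symfony\Component\Security\Core\Encoder;
 
+use Symfony\Component\Security\Core\Exception\BadCredentialsException;
+
 /**
 * PlaintextPasswordEncoder does not do any encoding.
 *
@@ -35,6 +37,10 @@ public function __construct($ignorePasswordCase = false)
 */
 public function encodePassword($raw, $salt)
 {
+if ($this->isPasswordTooLong($raw)) {
+throw new BadCredentialsException('Invalid password.');
+}
+
 return $this->mergePasswordAndSalt($raw, $salt);
 }
 
@@ -43,6 +49,10 @@ public function encodePassword($raw, $salt)
 */
 public function isPasswordValid($encoded, $raw, $salt)
 {
+if ($this->isPasswordTooLong($raw)) {
+return false;
+}
+
 $pass2 = $this->mergePasswordAndSalt($raw, $salt);
 
 if (!$this->ignorePasswordCase) {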
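Review bot: The length guard and its `throw new BadCredentialsException('Invalid password.');` are copied verbatim into this encodePassword and into MessageDigestPasswordEncoder::encodePassword; a single protected helper on BasePasswordEncoder that throws when isPasswordTooLong is true would keep the exception type and message in one place and give future encoders one call to make. The new failure mode is invisible to callers reading the docblocks; adding `@throws BadCredentialsException if the raw password exceeds BasePasswordEncoder::MAX_PASSWORD_LENGTH` to encodePassword in both files would make it explicit. The body of isPasswordValid continues past the end of this hunk.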

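--- a/src/Symfony/Component/Security/Tests/Core/Encoder/BasePasswordEncoderTest.php
+++ b/src/Symfony/Component/Security/Tests/Core/Encoder/BasePasswordEncoderTest.php
@@ -53,6 +53,12 @@ public function testMergePasswordAndSaltWithException()
 $this->invokeMergePasswordAndSalt('password', '{foo}');
 }
 
+public function testIsPasswordTooLong()
+{
+$this->assertTrue($this->invokeIsPasswordTooLong(str_repeat('a', 10000)));
+$this->assertFalse($this->invokeIsPasswordTooLong(str_repeat('a', 10)));
+}
+
 protected function invokeDemergePasswordAndSalt($password)
 {
 $encoder = new PasswordEncoder();
@@ -82,4 +88,14 @@ protected function invokeComparePasswords($p1, $p2)
 
 return $m->invoke($encoder, $p1, $p2);
 }
+
+protected function invokeIsPasswordTooLong($p)
+{
+$encoder = new PasswordEncoder();
+$r = new \ReflectionObject($encoder);
+$m = $r->getMethod('isPasswordTooLong');
+$m->setAccessible(true);
+
+return $m->invoke($encoder, $p);
+}
 }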
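Review bot: testIsPasswordTooLong only probes 10000 and 10 bytes, so an off-by-one at the limit (`>` versus `>=`) would go unnoticed; add the boundary cases `$this->assertFalse($this->invokeIsPasswordTooLong(str_repeat('a', 4096)));` and `$this->assertTrue($this->invokeIsPasswordTooLong(str_repeat('a', 4097)));`, preferably derived from BasePasswordEncoder::MAX_PASSWORD_LENGTH rather than a literal so the test follows the constant. The same gap applies to the 5000-byte inputs in MessageDigestPasswordEncoderTest and PlaintextPasswordEncoderTest, which never exercise a password exactly at the limit.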

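--- a/src/Symfony/Component/Security/Tests/Core/Encoder/MessageDigestPasswordEncoderTest.php
+++ b/src/Symfony/Component/Security/Tests/Core/Encoder/MessageDigestPasswordEncoderTest.php
@@ -42,4 +42,21 @@ public function testEncodePasswordAlgorithmDoesNotExist()
 $encoder = new MessageDigestPasswordEncoder('foobar');
 $encoder->encodePassword('password', '');
 }
+
+/**
+* @expectedException \Symfony\Component\Security\Core\Exception\BadCredentialsException
+*/
+public function testEncodePasswordLength()
+{
+$encoder = new MessageDigestPasswordEncoder();
+
+$encoder->encodePassword(str_repeat('a', 5000), 'salt');
+}
+
+public function testCheckPasswordLength()
+{
+$encoder = new MessageDigestPasswordEncoder();
+
+$this->assertFalse($encoder->isPasswordValid('encoded', str_repeat('a', 5000), 'salt'));
+}
 }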

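--- a/src/Symfony/Component/Security/Tests/Core/Encoder/PlaintextPasswordEncoderTest.php
+++ b/src/Symfony/Component/Security/Tests/Core/Encoder/PlaintextPasswordEncoderTest.php
@@ -36,4 +36,21 @@ public function testEncodePassword()
 
 $this->assertSame('foo', $encoder->encodePassword('foo', ''));
 }
+
+/**
+* @expectedException \Symfony\Component\Security\Core\Exception\BadCredentialsException
+*/
+public function testEncodePasswordLength()
+{
+$encoder = new PlaintextPasswordEncoder();
+
+$encoder->encodePassword(str_repeat('a', 5000), 'salt');
+}
+
+public function testCheckPasswordLength()
+{
+$encoder = new PlaintextPasswordEncoder();
+
+$this->assertFalse($encoder->isPasswordValid('encoded', str_repeat('a', 5000), 'salt'));
+}
 }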
