bug #40993 [Security] [Security/Core] fix checking for bcrypt (nicolas-grekas)

chalasr · chalasr · commit 9b1e941fbe5c · 2021-04-29T22:40:24.000+02:00
This PR was merged into the 4.4 branch. Discussion ---------- [Security] [Security/Core] fix checking for bcrypt | Q | A | ------------- | --- | Branch? | 4.4 | Bug fix? | yes | New feature? | no | Deprecations? | no | Tickets | - | License | MIT | Doc PR | - Spotted while working on #40920 Because of the logic in the constructor, if bcrypt is used, it's not cast to string. Commits ------- f01ea99 [Security/Core] fix checking for bcrypt
diff --git a/src/Symfony/Component/Security/Core/Encoder/NativePasswordEncoder.php b/src/Symfony/Component/Security/Core/Encoder/NativePasswordEncoder.php
@@ -51,11 +51,11 @@ public function __construct(int $opsLimit = null, int $memLimit = null, int $cos
         $algos = [1 => \PASSWORD_BCRYPT, '2y' => \PASSWORD_BCRYPT];
 
         if (\defined('PASSWORD_ARGON2I')) {
-            $this->algo = $algos[2] = $algos['argon2i'] = (string) \PASSWORD_ARGON2I;
+            $this->algo = $algos[2] = $algos['argon2i'] = \PASSWORD_ARGON2I;
         }
 
         if (\defined('PASSWORD_ARGON2ID')) {
-            $this->algo = $algos[3] = $algos['argon2id'] = (string) \PASSWORD_ARGON2ID;
+            $this->algo = $algos[3] = $algos['argon2id'] = \PASSWORD_ARGON2ID;
         }
 
         if (null !== $algo) {
@@ -75,7 +75,7 @@ public function __construct(int $opsLimit = null, int $memLimit = null, int $cos
      */
     public function encodePassword($raw, $salt): string
     {
-        if (\strlen($raw) > self::MAX_PASSWORD_LENGTH || ((string) \PASSWORD_BCRYPT === $this->algo && 72 < \strlen($raw))) {
+        if (\strlen($raw) > self::MAX_PASSWORD_LENGTH || (\PASSWORD_BCRYPT === $this->algo && 72 < \strlen($raw))) {
             throw new BadCredentialsException('Invalid password.');
         }
 

Original file line number	Diff line number	Diff line change
`@@ -51,11 +51,11 @@ public function __construct(int $opsLimit = null, int $memLimit = null, int $cos`
`51`	`51`	`$algos = [1 => \PASSWORD_BCRYPT, '2y' => \PASSWORD_BCRYPT];`
`52`	`52`
`53`	`53`	`if (\defined('PASSWORD_ARGON2I')) {`
`54`		`- $this->algo = $algos[2] = $algos['argon2i'] = (string) \PASSWORD_ARGON2I;`
	`54`	`+ $this->algo = $algos[2] = $algos['argon2i'] = \PASSWORD_ARGON2I;`
`55`	`55`	`}`
`56`	`56`
`57`	`57`	`if (\defined('PASSWORD_ARGON2ID')) {`
`58`		`- $this->algo = $algos[3] = $algos['argon2id'] = (string) \PASSWORD_ARGON2ID;`
	`58`	`+ $this->algo = $algos[3] = $algos['argon2id'] = \PASSWORD_ARGON2ID;`
`59`	`59`	`}`
`60`	`60`
`61`	`61 7ADA`	`if (null !== $algo) {`
`@@ -75,7 +75,7 @@ public function __construct(int $opsLimit = null, int $memLimit = null, int $cos`
`75`	`75`	`*/`
`76`	`76`	`public function encodePassword($raw, $salt): string`
`77`	`77`	`{`
`78`		`- if (\strlen($raw) > self::MAX_PASSWORD_LENGTH \|\| ((string) \PASSWORD_BCRYPT === $this->algo && 72 < \strlen($raw))) {`
	`78`	`+ if (\strlen($raw) > self::MAX_PASSWORD_LENGTH \|\| (\PASSWORD_BCRYPT === $this->algo && 72 < \strlen($raw))) {`
`79`	`79`	`throw new BadCredentialsException('Invalid password.');`
`80`	`80`	`}`
`81`	`81`