merged branch fabpot/bcrypt-salt (PR #8266) · symfony/symfony@f554ada · GitHub

Commit f554ada

merged branch fabpot/bcrypt-salt (PR #8266)
This PR was merged into the 2.3 branch.

Discussion
----------

[Security] fixed usage of the salt for the bcrypt encoder (refs #8210)

| Q             | A     |
| ------------- | ----- |
| Bug fix?      | yes   |
| New feature?  | no    |
| BC breaks?    | no    |
| Deprecations? | no    |
| Tests pass?   | yes   |
| Fixed tickets | #8210 |
| License       | MIT   |
| Doc PR        | n/a   |

see #8210

Commits
-------

b5ded81 [Security] fixed usage of the salt for the bcrypt encoder (refs #8210)
2 parents 6d2bec7 + b5ded81 commit f554ada

1 file changed

+11
-1
lines changed

src/Symfony/Component/Security/Core/Encoder/BCryptPasswordEncoder.php

Lines changed: 11 additions & 1 deletion
@@ -53,14 +53,24 @@ public function __construct($cost)
5353
* the "$2y$" salt prefix (which is not available in the early PHP versions).
5454
* @see https://github.com/ircmaxell/password_compat/issues/10#issuecomment-11203833
5555
*
56+
* It is almost best to **not** pass a salt and let PHP generate one for you.
57+
*
5658
* @param string $raw The password to encode
5759
* @param string $salt The salt
5860
*
5961
* @return string The encoded password
62+
*
63+
* @link http://lxr.php.net/xref/PHP_5_5/ext/standard/password.c#111
6064
*/
6165
public function encodePassword($raw, $salt)
6266
{
63-
return password_hash($raw, PASSWORD_BCRYPT, array('cost' => $this->cost));
67+
$options = array('cost' => $this->cost);
68+
69+
if ($salt) {
70+
$options['salt'] = $salt;
71+
}
72+
73+
return password_hash($raw, PASSWORD_BCRYPT, $options);
6474
}
6575

6676
/**
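Review bot: the `if ($salt)` guard in encodePassword() is a truthiness test, so a salt of "0" (or any other falsy string) is silently discarded and PHP generates a random salt instead of using the one the caller passed; make the intent explicit with `if (null !== $salt && '' !== $salt)` so only a genuinely absent salt falls through to the auto-generated one. The new docblock should also state what a caller-supplied salt must look like: password_hash() with PASSWORD_BCRYPT requires a salt of at least 22 characters and rejects a shorter one with a warning instead of returning a hash, so a short salt handed in here will not yield a usable encoded password and there is no check or exception to surface that. Minor wording point in the added comment: "It is almost best to **not** pass a salt" reads oddly; "almost always best" is presumably what was meant.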
