From fa89fc9e64446a462e83d0bee61453d67cdfa0f5 Mon Sep 17 00:00:00 2001
From: petajaros
Date: Tue, 8 Mar 2011 13:28:07 -0800
Subject: [PATCH] [Security] Bugfix - Ensure that both passwords are of string type. Function comparePasswords haven't been working properly for numeric (plaintype) passwords.
---
 .../Component/Security/Core/Encoder/BasePasswordEncoder.php | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/src/Symfony/Component/Security/Core/Encoder/BasePasswordEncoder.php b/src/Symfony/Component/Security/Core/Encoder/BasePasswordEncoder.php
index 58c64dbbede2..a1fe991cae33 100644
--- a/src/Symfony/Component/Security/Core/Encoder/BasePasswordEncoder.php
+++ b/src/Symfony/Component/Security/Core/Encoder/BasePasswordEncoder.php
@@ -77,6 +77,9 @@ protected function mergePasswordAndSalt($password, $salt)
 */
 protected function comparePasswords($password1, $password2)
 {
+ settype($password1, 'string');
+ settype($password2, 'string');
+
 if (strlen($password1) !== strlen($password2)) {
 return false;
 }
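Review bot: The two `settype(..., 'string')` calls at the top of comparePasswords coerce every input, not only numeric ones: `null` and `false` become `''` and any array becomes `'Array'`, so two such values pass the length check that follows and may then compare as equal. If non-scalar values can reach this method (not visible from the hunk), rejecting them before the cast is the safer behaviour, e.g. `if (!is_scalar($password1) || !is_scalar($password2)) { return false; }`. The casts themselves read more plainly as `$password1 = (string) $password1;`, and the docblock above should state that both arguments are compared as strings. The body of comparePasswords continues past the end of the hunk, so the comparison after the length check is not covered by this note.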