bug symfony#17055 [Security] Verify if a password encoded with bcrypt is no longer than 72 characters (jakzal)

fabpot · fabpot · commit 68bd2c19a182 · 2015-12-18T17:49:25.000+01:00
This PR was merged into the 2.3 branch. Discussion ---------- [Security] Verify if a password encoded with bcrypt is no longer than 72 characters | Q | A | ------------- | --- | Bug fix? | yes | New feature? | no | BC breaks? | no | Deprecations? | no | Tests pass? | yes | Fixed tickets | symfony#17047 | License | MIT | Doc PR | - From the [password_hash() docs](http://php.net/password_hash): > Caution Using the PASSWORD_BCRYPT as the algorithm, will result in the password parameter being truncated to a maximum length of 72 characters. Commits ------- 0a496e7 [Security] Enable bcrypt validation and result length tests on all PHP versions 5c30266 [Security] Verify if a password encoded with bcrypt is no longer than 72 characters
diff --git a/src/Symfony/Component/Security/Core/Encoder/BCryptPasswordEncoder.php b/src/Symfony/Component/Security/Core/Encoder/BCryptPasswordEncoder.php
@@ -19,6 +19,8 @@
  */
 class BCryptPasswordEncoder extends BasePasswordEncoder
 {
+    const MAX_PASSWORD_LENGTH = 72;
+
     /**
      * @var string
      */
diff --git a/src/Symfony/Component/Security/Core/Encoder/BasePasswordEncoder.php b/src/Symfony/Component/Security/Core/Encoder/BasePasswordEncoder.php
@@ -95,6 +95,6 @@ protected function comparePasswords($password1, $password2)
      */
     protected function isPasswordTooLong($password)
     {
-        return strlen($password) > self::MAX_PASSWORD_LENGTH;
+        return strlen($password) > static::MAX_PASSWORD_LENGTH;
     }
 }
diff --git a/src/Symfony/Component/Security/Tests/Core/Encoder/BCryptPasswordEncoderTest.php b/src/Symfony/Component/Security/Tests/Core/Encoder/BCryptPasswordEncoderTest.php
@@ -45,19 +45,13 @@ public function testCostInRange()
         }
     }
 
-    /**
-     * @requires PHP 5.3.7
-     */
     public function testResultLength()
     {
         $encoder = new BCryptPasswordEncoder(self::VALID_COST);
         $result = $encoder->encodePassword(self::PASSWORD, null);
         $this->assertEquals(60, strlen($result));
     }
 
-    /**
-     * @requires PHP 5.3.7
-     */
     public function testValidation()
     {
         $encoder = new BCryptPasswordEncoder(self::VALID_COST);
@@ -73,13 +67,15 @@ public function testEncodePasswordLength()
     {
         $encoder = new BCryptPasswordEncoder(self::VALID_COST);
 
-        $encoder->encodePassword(str_repeat('a', 5000), 'salt');
+        $encoder->encodePassword(str_repeat('a', 73), 'salt');
     }
 
     public function testCheckPasswordLength()
     {
         $encoder = new BCryptPasswordEncoder(self::VALID_COST);
+        $result = $encoder->encodePassword(str_repeat('a', 72), null);
 
-        $this->assertFalse($encoder->isPasswordValid('encoded', str_repeat('a', 5000), 'salt'));
+        $this->assertFalse($encoder->isPasswordValid($result, str_repeat('a', 73), 'salt'));
+        $this->assertTrue($encoder->isPasswordValid($result, str_repeat('a', 72), 'salt'));
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -19,6 +19,8 @@`
`19`	`19`	`*/`
`20`	`20`	`class BCryptPasswordEncoder extends BasePasswordEncoder`
`21`	`21`	`{`
	`22`	`+ const MAX_PASSWORD_LENGTH = 72;`
	`23`	`+`
`22`	`24`	`/**`
`23`	`25`	`* @var string`
`24`	`26`	`*/`
Original file line number	Diff line number	Diff line change
`@@ -95,6 +95,6 @@ protected function comparePasswords($password1, $password2)`
`95`	`95`	`*/`
`96`	`96`	`protected function isPasswordTooLong($password)`
`97`	`97`	`{`
`98`		`- return strlen($password) > self::MAX_PASSWORD_LENGTH;`
	`98`	`+ return strlen($password) > static::MAX_PASSWORD_LENGTH;`
`99`	`99`	`}`
`100`	`100`	`}`
Original file line number	Diff line number	Diff line change
`@@ -45,19 +45,13 @@ public function testCostInRange()`
`45`	`45`	`}`
`46`	`46`	`}`
`47`	`47`
`48`		`- /**`
`49`		`- * @requires PHP 5.3.7`
`50`		`- */`
`51`	`48`	`public function testResultLength()`
`52`	`49`	`{`
`53`	`50`	`$encoder = new BCryptPasswordEncoder(self::VALID_COST);`
`54`	`51`	`$result = $encoder->encodePassword(self::PASSWORD, null);`
`55`	`52`	`$this->assertEquals(60, strlen($result));`
`56`	`53`	`}`
`57`	`54`
`58`		`- /**`
`59`		`- * @requires PHP 5.3.7`
`60`		`- */`
`61`	`55`	`public function testValidation()`
`62`	`56`	`{`
`63`	`57`	`$encoder = new BCryptPasswordEncoder(self::VALID_COST);`
`@@ -73,13 +67,15 @@ public function testEncodePasswordLength()`
`73`	`67`	`{`
`74`	`68`	`$encoder = new BCryptPasswordEncoder(self::VALID_COST);`
`75`	`69`
`76`		`- $encoder->encodePassword(str_repeat('a', 5000), 'salt');`
	`70`	`+ $encoder->encodePassword(str_repeat('a', 73), 'salt');`
`77`	`71`	`}`
`78`	`72`
`79`	`73`	`public function testCheckPasswordLength()`
`80`	`74`	`{`
`81`	`75`	`$encoder = new BCryptPasswordEncoder(self::VALID_COST);`
	`76`	`+ $result = $encoder->encodePassword(str_repeat('a', 72), null);`
`82`	`77`
`83`		`- $this->assertFalse($encoder->isPasswordValid('encoded', str_repeat('a', 5000), 'salt'));`
	`78`	`+ $this->assertFalse($encoder->isPasswordValid($result, str_repeat('a', 73), 'salt'));`
	`79`	`+ $this->assertTrue($encoder->isPasswordValid($result, str_repeat('a', 72), 'salt'));`
`84`	`80`	`}`
`85`	`81`	`}`