Skip to content

Commit 5acf549

Browse files
David Brooksnicolas-grekas
David Brooks
authored and
nicolas-grekas
committed
[Security/Core] Fix checking for SHA256/SHA512 passwords
1 parent f75e9d5 commit 5acf549

File tree

4 files changed

+23
-5
lines changed

4 files changed

+23
-5
lines changed

src/Symfony/Component/Security/Core/Encoder/NativePasswordEncoder.php

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -80,9 +80,9 @@ public function isPasswordValid($encoded, $raw, $salt): bool
8080
return false;
8181
}
8282

83-
if (0 === strpos($encoded, '$2')) {
83+
if (0 !== strpos($encoded, '$argon')) {
8484
// BCrypt encodes only the first 72 chars
85-
return 72 >= \strlen($raw) && password_verify($raw, $encoded);
85+
return (72 >= \strlen($raw) || 0 !== strpos($encoded, '$2')) && password_verify($raw, $encoded);
8686
}
8787

8888
if (\extension_loaded('sodium') && version_compare(\SODIUM_LIBRARY_VERSION, '1.0.14', '>=')) {

src/Symfony/Component/Security/Core/Encoder/SodiumPasswordEncoder.php

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -80,9 +80,9 @@ public function isPasswordValid($encoded, $raw, $salt): bool
8080
return false;
8181
}
8282

83-
if (72 >= \strlen($raw) && 0 === strpos($encoded, '$2')) {
84-
// Accept validating BCrypt passwords for seamless migrations
85-
return password_verify($raw, $encoded);
83+
// Accept validating non-argon passwords for seamless migrations
84+
if (0 !== strpos($encoded, '$argon')) {
85+
return (72 >= \strlen($raw) || 0 !== strpos($encoded, '$2')) && password_verify($raw, $encoded);
8686
}
8787

8888
if (\function_exists('sodium_crypto_pwhash_str_verify')) {

src/Symfony/Component/Security/Core/Tests/Encoder/NativePasswordEncoderTest.php

Lines changed: 9 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -55,6 +55,15 @@ public function testValidation()
5555
$this->assertFalse($encoder->isPasswordValid($result, 'anotherPassword', null));
5656
}
5757

58+
public function testNonArgonValidation()
59+
{
60+
$encoder = new NativePasswordEncoder();
61+
$this->assertTrue($encoder->isPasswordValid('$5$abcdefgh$ZLdkj8mkc2XVSrPVjskDAgZPGjtj1VGVaa1aUkrMTU/', 'password', null));
62+
$this->assertFalse($encoder->isPasswordValid('$5$abcdefgh$ZLdkj8mkc2XVSrPVjskDAgZPGjtj1VGVaa1aUkrMTU/', 'anotherPassword', null));
63+
$this->assertTrue($encoder->isPasswordValid('$6$abcdefgh$yVfUwsw5T.JApa8POvClA1pQ5peiq97DUNyXCZN5IrF.BMSkiaLQ5kvpuEm/VQ1Tvh/KV2TcaWh8qinoW5dhA1', 'password', null));
64+
$this->assertFalse($encoder->isPasswordValid('$6$abcdefgh$yVfUwsw5T.JApa8POvClA1pQ5peiq97DUNyXCZN5IrF.BMSkiaLQ5kvpuEm/VQ1Tvh/KV2TcaWh8qinoW5dhA1', 'anotherPassword', null));
65+
}
66+
5867
public function testConfiguredAlgorithm()
5968
{
6069
$encoder = new NativePasswordEncoder(null, null, null, PASSWORD_BCRYPT);

src/Symfony/Component/Security/Core/Tests/Encoder/SodiumPasswordEncoderTest.php

Lines changed: 9 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -37,6 +37,15 @@ public function testBCryptValidation()
3737
$this->assertTrue($encoder->isPasswordValid('$2y$04$M8GDODMoGQLQRpkYCdoJh.lbiZPee3SZI32RcYK49XYTolDGwoRMm', 'abc', null));
3838
}
3939

40+
public function testNonArgonValidation()
41+
{
42+
$encoder = new SodiumPasswordEncoder();
43+
$this->assertTrue($encoder->isPasswordValid('$5$abcdefgh$ZLdkj8mkc2XVSrPVjskDAgZPGjtj1VGVaa1aUkrMTU/', 'password', null));
44+
$this->assertFalse($encoder->isPasswordValid('$5$abcdefgh$ZLdkj8mkc2XVSrPVjskDAgZPGjtj1VGVaa1aUkrMTU/', 'anotherPassword', null));
45+
$this->assertTrue($encoder->isPasswordValid('$6$abcdefgh$yVfUwsw5T.JApa8POvClA1pQ5peiq97DUNyXCZN5IrF.BMSkiaLQ5kvpuEm/VQ1Tvh/KV2TcaWh8qinoW5dhA1', 'password', null));
46+
$this->assertFalse($encoder->isPasswordValid('$6$abcdefgh$yVfUwsw5T.JApa8POvClA1pQ5peiq97DUNyXCZN5IrF.BMSkiaLQ5kvpuEm/VQ1Tvh/KV2TcaWh8qinoW5dhA1', 'anotherPassword', null));
47+
}
48+
4049
public function testEncodePasswordLength()
4150
{
4251
$this->expectException('Symfony\Component\Security\Core\Exception\BadCredentialsException');

0 commit comments

Comments
 (0)
pFad - Phonifier reborn

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.


Alternative Proxies:

Alternative Proxy

pFad Proxy

pFad v3 Proxy

pFad v4 Proxy