NotificationsYou must be signed in to change notification settings
Fork0
Star0

Commit0c41762

committed

bugsymfony#3600 [Security][Authentication] Fix instructions for creating password encoders (bicpi)

This PR was merged into the 2.3 branch.Discussion----------[Security][Authentication] Fix instructions for creating password encoders| Q | A| ------------- | ---| Doc fix? | yes| New docs? | no| Applies to | 2.3+| Fixed tickets | -Please correct me if I am wrong, but it seems that the code has changed aftersymfony#3003. There is no `BasePasswordEncoder::checkPasswordLength()` method. Same seems to apply to 2.4. Maybe the implementation was changed to make it bc?Commits-------e95c1f5 [Security][Authentication] Fix instructions for creating custom password encoders

2 parentse7d5a45 +e95c1f5 commit0c41762Copy full SHA for 0c41762

File tree

1 file changed

+30

-4

lines changed

components/security
- authentication.rst

1 file changed

+30

-4

lines changed

`‎components/security/authentication.rst‎`

Lines changed: 30 additions & 4 deletions

Original file line number	Diff line number	Diff line change
`@@ -198,10 +198,36 @@ own, it just needs to follow these rules:`
`198`	`198`
`199`	`199`	#. The class must implement:class:`Symfony\\Component\\Security\\Core\\Encoder\\PasswordEncoderInterface`;
`200`	`200`
`201`		-#. The first line in ``encodePassword`` and ``isPasswordValid`` must check
`202`		`- to make sure the password is not too long (e.g. 4096). This is for security`
`203`		- (see `CVE-2013-5750`_), and you can copy the `BasePasswordEncoder::checkPasswordLength`_
`204`		`- implementation from Symfony 2.4.`
	`201`	`+#. The implementations of`
	`202`	+:method:`Symfony\\Component\\Security\\Core\\Encoder\\PasswordEncoderInterface::encodePassword`
	`203`	`+ and`
	`204`	+:method:`Symfony\\Component\\Security\\Core\\Encoder\\PasswordEncoderInterface::isPasswordValid`
	`205`	`+ must first of all make sure the password is not too long, i.e. the password length is no longer`
	`206`	+ than 4096 characters. This is for security reasons (see `CVE-2013-5750`_), and you can use the
	`207`	+:method:`Symfony\\Component\\Security\\Core\\Encoder\\BasePasswordEncoder::isPasswordTooLong`_
	`208`	`+ method for this check:`
	`209`	`+`
	`210`	`+ use Symfony\Component\Security\Core\Exception\BadCredentialsException;`
	`211`	`+`
	`212`	`+ class FoobarEncoder extends BasePasswordEncoder`
	`213`	`+ {`
	`214`	`+ public function encodePassword($raw, $salt)`
	`215`	`+ {`
	`216`	`+ if ($this->isPasswordTooLong($raw)) {`
	`217`	`+ throw new BadCredentialsException('Invalid password.');`
	`218`	`+ }`
	`219`	`+`
	`220`	`+ // ...`
	`221`	`+ }`
	`222`	`+`
	`223`	`+ public function isPasswordValid($encoded, $raw, $salt)`
	`224`	`+ {`
	`225`	`+ if ($this->isPasswordTooLong($raw)) {`
	`226`	`+ return false;`
	`227`	`+ }`
	`228`	`+`
	`229`	`+ // ...`
	`230`	`+ }`
`205`	`231`
`206`	`232`	`Using Password Encoders`
`207`	`233`	`~~~~~~~~~~~~~~~~~~~~~~~`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit0c41762

File tree

1 file changed

1 file changed

`‎components/security/authentication.rst‎`

0 commit comments