Ensure input passwords will be hashed even when a user doesn't exist #11095

Merged
merged 1 commit into from Aug 25, 2017

@ceeram
Member

ceeram commented Aug 25, 2017

While the docblock states "Input passwords will be hashed even when a user doesn't exist", in fact it does not. This change ensures passwords are actually hashed even when no user was found, to help mitigate timing-based user enumeration attacks.
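The behaviour described in the comment above, as an added PHP example that is not the pull request's code or CakePHP's implementation: an early return for unknown users next to a variant that always hashes the input password. The function names, the in-memory `$users` array and the `$hashOps` counter are assumptions made for illustration.

```php
<?php
// Added illustration, not CakePHP's BaseAuthenticate code; all names are hypothetical.

// Constructed in-memory user store standing in for the users table.
$users = ['alice' => password_hash('correct horse', PASSWORD_DEFAULT)];

// Counts expensive hash operations so the difference between the two
// variants is visible without measuring wall-clock time.
$hashOps = 0;

function verify(string $password, string $hash): bool
{
    global $hashOps;
    $hashOps++;
    return password_verify($password, $hash);
}

// Before: an unknown username returns without any hashing, so its
// response is faster than a known username with a wrong password.
function loginEarlyReturn(array $users, string $name, string $password): bool
{
    if (!isset($users[$name])) {
        return false;
    }
    return verify($password, $users[$name]);
}

// After: an unknown username still pays for one hash of the input.
// The throwaway hash must use the same algorithm and cost as stored hashes.
function loginAlwaysHash(array $users, string $name, string $password): bool
{
    global $hashOps;
    if (!isset($users[$name])) {
        $hashOps++;
        password_hash($password, PASSWORD_DEFAULT); // result discarded
        return false;
    }
    return verify($password, $users[$name]);
}

foreach (['loginEarlyReturn', 'loginAlwaysHash'] as $login) {
    foreach (['alice', 'nobody'] as $name) {
        $hashOps = 0;
        $ok = $login($users, $name, 'wrong guess');
        printf("%-16s %-6s ok=%s hashOps=%d\n", $login, $name, var_export($ok, true), $hashOps);
    }
}
```

Both variants reject the login in every case; only the amount of hashing work done for the unknown username differs, which is the signal a timing-based enumeration relies on.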

@ceeram ceeram self-assigned this Aug 25, 2017

@markstory markstory added this to the 3.5.1 milestone Aug 25, 2017

@markstory markstory self-assigned this Aug 25, 2017

codecov-io commented Aug 25, 2017

Codecov Report

Merging #11095 into master will increase coverage by 0.05%.
The diff coverage is 100%.

@@             Coverage Diff              @@
##             master   #11095      +/-   ##
============================================
+ Coverage     94.86%   94.91%   +0.05%     
- Complexity    12838    13059     +221     
============================================
  Files           437      437              
  Lines         32733    33062     +329     
============================================
+ Hits          31051    31380     +329     
  Misses         1682     1682
| Impacted Files | Coverage Δ | Complexity Δ | |
|---|---|---|---|
| src/Auth/BaseAuthenticate.php | 96.15% <100%> (+0.15%) | 18 <0> (ø) | ⬇️ |
| src/Http/ActionDispatcher.php | 100% <0%> (ø) | 21% <0%> (+2%) | ⬆️ |
| src/Controller/Controller.php | 99.53% <0%> (+0.07%) | 102% <0%> (+25%) | ⬆️ |
| src/Http/ServerRequest.php | 99.65% <0%> (+0.16%) | 432% <0%> (+194%) | ⬆️ |

Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update fcb8736...fdb5bcd. Read the comment docs.

Member

lorenzo commented Aug 25, 2017

Looks good, thanks!

@lorenzo lorenzo merged commit d4a7300 into master Aug 25, 2017

6 checks passed

codecov/patch 100% of diff hit (target 94.86%)
codecov/project 94.91% (+0.05%) compared to fcb8736
continuous-integration/appveyor/pr AppVeyor build succeeded
continuous-integration/travis-ci/pr The Travis CI build passed
continuous-integration/travis-ci/push The Travis CI build passed
stickler-ci No lint errors found.

@dereuromark dereuromark deleted the time-based-attack branch Aug 25, 2017
