
TASK: Use proper dummy hash in PersistedUsernamePasswordProvider #1495

Merged
merged 2 commits into neos:4.3 from kdambekalns:bugfix/use-valid-dummy-hash on Jan 15, 2019


kdambekalns commented Jan 14, 2019

This replaces the dummy hash used to prevent timing based attacks by
a valid hash for a random password that was never actually stored
somewhere.

This avoids problems with PHP's encryption methods. With the
previous hash, the hashing was sometimes not applied properly
and the method returns early so that the time-based information
disclosure vulnerability still exists.

TASK: Use proper dummy hash in PersistedUsernamePasswordProvider
This replaces the dummy hash used to prevent timing based attacks by
a valid hash for a random password that was never actually stored
somewhere.

This avoids problems with PHP's encryption methods. With the
previous hash, the hashing was sometimes not applied properly
and the method returns early so that the time-based information
disclosure vulnerability still exists.

Fixes flow-development-security#5
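As an added illustration of the point the commit makes (this is not Flow's code and not part of this PR), plain PHP showing why the dummy hash must be a real one: password_verify() bails out of a syntactically invalid hash without doing any bcrypt work, so the "unknown user" path is measurably faster, while a genuine hash of a random, never-stored password costs the same as a real check. The $users store, authenticate() and timeAuth() are hypothetical names.

```php
<?php
// Constructed user store: only "alice" exists.
$users = ['alice' => password_hash('correct horse battery staple', PASSWORD_BCRYPT)];

// Broken dummy: not a valid bcrypt string. password_verify() rejects it
// before running bcrypt, so the unknown-user branch returns almost instantly
// and the timing difference discloses which usernames exist.
$brokenDummy = 'dummy-hash-that-is-not-valid';

// Proper dummy: a real bcrypt hash of a random password nobody knows,
// computed once at startup. Verifying against it costs a full bcrypt run.
$validDummy = password_hash(bin2hex(random_bytes(32)), PASSWORD_BCRYPT);

function authenticate(array $users, string $dummy, string $username, string $password): bool
{
    // Always call password_verify(), falling back to the dummy for unknown users
    // so both branches perform the same amount of hashing work.
    $hash = $users[$username] ?? $dummy;
    $ok = password_verify($password, $hash);

    // A match against the dummy hash must never count as a successful login.
    return $ok && isset($users[$username]);
}

function timeAuth(array $users, string $dummy, string $username): float
{
    $start = hrtime(true);
    authenticate($users, $dummy, $username, 'wrong password');
    return (hrtime(true) - $start) / 1e6; // milliseconds
}

printf("broken dummy: known user %.2f ms, unknown user %.2f ms\n",
    timeAuth($users, $brokenDummy, 'alice'), timeAuth($users, $brokenDummy, 'nobody'));
printf("valid dummy:  known user %.2f ms, unknown user %.2f ms\n",
    timeAuth($users, $validDummy, 'alice'), timeAuth($users, $validDummy, 'nobody'));
```

With the broken dummy the unknown-user timing is orders of magnitude smaller; with the valid dummy the two are indistinguishable apart from noise.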

@kdambekalns kdambekalns self-assigned this Jan 14, 2019

@kdambekalns kdambekalns requested review from skurfuerst and kitsunet Jan 14, 2019


albe commented Jan 14, 2019

Looks good, but the doc comment that Bastian suggested should be added.

TASK: Add hint on dummy hash to code
Co-Authored-By: kdambekalns <karsten@dambekalns.de>

@daniellienert daniellienert merged commit c9f848c into neos:4.3 Jan 15, 2019

2 checks passed

continuous-integration/styleci/pr The analysis has passed
continuous-integration/travis-ci/pr The Travis CI build passed

@kdambekalns kdambekalns deleted the kdambekalns:bugfix/use-valid-dummy-hash branch Feb 10, 2019
