Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

TASK: Use proper dummy hash in PersistedUsernamePasswordProvider #1495

Merged
merged 2 commits into from Jan 15, 2019
Merged
Changes from 1 commit
Commits
File filter...
Filter file types
Jump to…
Jump to file or symbol
Failed to load files and symbols.
+1 −1
Diff settings

Always

Just for now

@@ -97,7 +97,7 @@ public function authenticate(TokenInterface $authenticationToken)
$authenticationToken->setAuthenticationStatus(TokenInterface::WRONG_CREDENTIALS);
if ($account === null) {
$this->hashService->validatePassword($credentials['password'], 'bcrypt=>$2a$14$DummySaltToPreventTim,.ingAttacksOnThisProvider');
$this->hashService->validatePassword($credentials['password'], 'bcrypt=>$2a$16$RW.NZM/uP3mC8rsXKJGuN.2pG52thRp5w39NFO.ShmYWV7mJQp0rC');
This conversation was marked as resolved by kdambekalns

This comment has been minimized.

Copy link
@bwaidelich

bwaidelich Jan 14, 2019

Member
Suggested change
$this->hashService->validatePassword($credentials['password'], 'bcrypt=>$2a$16$RW.NZM/uP3mC8rsXKJGuN.2pG52thRp5w39NFO.ShmYWV7mJQp0rC');
// validate the account anyways (with a dummy salt) in order to prevent timing attacks on this provider
$this->hashService->validatePassword($credentials['password'], 'bcrypt=>$2a$16$RW.NZM/uP3mC8rsXKJGuN.2pG52thRp5w39NFO.ShmYWV7mJQp0rC');

=> Good Catch! But now that the hash does not contain the hint about the intention we might add it as inline comment

This comment has been minimized.

Copy link
@kitsunet
return;
}
ProTip! Use n and p to navigate between commits in a pull request.
You can’t perform that action at this time.