Document best practices about encoders and password validation to avoid DOS attacks #3003
Comments
may be near this section: http://symfony.com/doc/current/book/security.html#determining-the-hashed-password
weaverryan added a commit that referenced this issue on Sep 25, 2013:

…protecting against attacks with custom password encoders
weaverryan added a commit that referenced this issue on Sep 26, 2013:

[#3003] 4096 Password length details
This should be all set now!
This is very good!
weaverryan added a commit that referenced this issue on Mar 8, 2014:

…ssword encoders (bicpi)

This PR was merged into the 2.3 branch.

Discussion
----------

[Security][Authentication] Fix instructions for creating password encoders

| Q | A |
| --- | --- |
| Doc fix? | yes |
| New docs? | no |
| Applies to | 2.3+ |
| Fixed tickets | - |

Please correct me if I am wrong, but it seems that the code has changed after #3003. There is no `BasePasswordEncoder::checkPasswordLength()` method. Same seems to apply to 2.4. Maybe the implementation was changed to make it bc?

Commits
-------

e95c1f5 [Security][Authentication] Fix instructions for creating custom password encoders
See http://symfony.com/blog/cve-2013-5750-security-issue-in-fosuserbundle-login-form

The documentation should warn about the following:

- 4096 (as of Symfony 2.4 -- see [Security] limited the password length passed to encoders symfony#9100).
- `$this->checkPasswordLength($raw);` must be the first code executed in `encodePassword()` and `isPasswordValid()`. For other versions of Symfony, just copy paste the code of the `checkPasswordLength()` method found in `Symfony\Component\Security\Core\Encoder\BasePasswordEncoder`.

Not sure where to add these recommendations though.
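As an added illustration of the guard this issue asks the docs to describe (example code written for this note, not Symfony's own `BasePasswordEncoder` or the documentation's text): a self-contained custom encoder that rejects overlong passwords before any hashing work is done, in both `encodePassword()` and `isPasswordValid()`. The class and exception names, the bcrypt cost and the demo inputs are assumptions made for the example; only the 4096 limit and the "check first" rule come from the issue.

```php
<?php
// Added example (not Symfony's code): a custom password encoder that enforces
// the 4096-character limit before doing any expensive hashing work.

final class TooLongPasswordException extends \RuntimeException {}

final class LengthGuardedPasswordEncoder
{
    // Same limit Symfony applies to passwords passed to encoders (issue #3003).
    const MAX_PASSWORD_LENGTH = 4096;

    // Throws before any hashing so a client cannot make the server burn CPU on
    // a multi-megabyte "password"; the message deliberately reveals nothing.
    private function checkPasswordLength($raw)
    {
        // strlen() counts bytes, which is what drives the hashing cost.
        if (strlen($raw) > self::MAX_PASSWORD_LENGTH) {
            throw new TooLongPasswordException('Invalid password.');
        }
    }

    public function encodePassword($raw, $salt)
    {
        $this->checkPasswordLength($raw);   // must be the first statement
        // bcrypt (PHP >= 5.5) generates its own salt; $salt is ignored on purpose.
        return password_hash($raw, PASSWORD_BCRYPT, array('cost' => 12));
    }

    public function isPasswordValid($encoded, $raw, $salt)
    {
        $this->checkPasswordLength($raw);   // again: before password_verify()
        return password_verify($raw, $encoded);
    }
}

// Constructed demo input.
$encoder = new LengthGuardedPasswordEncoder();
$hash = $encoder->encodePassword('correct horse battery staple', null);
var_dump($encoder->isPasswordValid($hash, 'correct horse battery staple', null));
var_dump($encoder->isPasswordValid($hash, 'wrong', null));

try {
    // 1 MiB of 'a': rejected immediately, no bcrypt work is performed.
    $encoder->isPasswordValid($hash, str_repeat('a', 1024 * 1024), null);
} catch (TooLongPasswordException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```

Run with `php encoder.php`; the two `var_dump()` calls print `bool(true)` and `bool(false)`, and the oversized password is rejected without ever reaching `password_verify()`.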