Document best practices about encoders and password validation to avoid DOS attacks #3003
Labels
Comments
|
may be near this section: http://symfony.com/doc/current/book/security.html#determining-the-hashed-password |
weaverryan
added a commit
that referenced
this issue
Sep 25, 2013
…protecting against attacks with custom password encoders
weaverryan
added a commit
that referenced
this issue
Sep 26, 2013
[#3003] 4096 Password length details
|
This should be all set now! |
|
This is very good ! |
weaverryan
added a commit
that referenced
this issue
Mar 8, 2014
…ssword encoders (bicpi) This PR was merged into the 2.3 branch. Discussion ---------- [Security][Authentication] Fix instructions for creating password encoders | Q | A | ------------- | --- | Doc fix? | yes | New docs? | no | Applies to | 2.3+ | Fixed tickets | - Please correct me if I am wrong, but it seems that the code has changed after #3003. There is no `BasePasswordEncoder::checkPasswordLength()` method. Same seems to apply to 2.4. Maybe the implementation was changed to make it bc? Commits ------- e95c1f5 [Security][Authentication] Fix instructions for creating custom password encoders
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
See http://symfony.com/blog/cve-2013-5750-security-issue-in-fosuserbundle-login-form
The documentation should warn about the following:
4096as of Symfony 2.4 -- see [Security] limited the password length passed to encoders symfony#9100).$this->checkPasswordLength($raw);must be the first code executed inencodePassword()andisPasswordValid(). For other versions of Symfony, just copy paste the code of thecheckPasswordLength()method found inSymfony\Component\Security\Core\Encoder\BasePasswordEncoder.Not sure where to add these recommendations though.
The text was updated successfully, but these errors were encountered: