According to CVE-2013-5958, long passwords increase the time to compute a hash. To protect systems, Symfony adds a hard limit of 4096 characters for the maximum length of a password.
But Symfony can't guarantee that this will be the only and last problem with strings to encode.
I wonder if the patch can be moved to a decorator:
```php
<?php

use Symfony\Component\Security\Core\Encoder\PasswordEncoderInterface;
use Symfony\Component\Security\Core\Exception\BadCredentialsException;

/**
 * Decorates any PasswordEncoderInterface and rejects over-long passwords
 * before the wrapped encoder does any hashing.
 */
class LengthSafeEncoder implements PasswordEncoderInterface
{
    private $encoder;
    private $length;

    public function __construct(PasswordEncoderInterface $encoder, $length = 4096)
    {
        $this->encoder = $encoder;
        $this->length = $length;
    }

    public function encodePassword($raw, $salt)
    {
        if ($this->isPasswordTooLong($raw)) {
            throw new BadCredentialsException('Invalid password.');
        }

        return $this->encoder->encodePassword($raw, $salt);
    }

    public function isPasswordValid($encoded, $raw, $salt)
    {
        if ($this->isPasswordTooLong($raw)) {
            // Cheap rejection: no hash is computed for an over-long password.
            return false;
        }

        return $this->encoder->isPasswordValid($encoded, $raw, $salt);
    }

    private function isPasswordTooLong($password)
    {
        // strlen() counts bytes, which is the quantity that drives hashing cost.
        return strlen($password) > $this->length;
    }
}
```
Of course, the documentation should recommend the use of the decorator as "best practices", for developers who want to protect their systems.
This way the encoders remain clean, and future patches can also be added as decorators.
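To show why the length guard matters, here is an added, runnable model of the problem the issue describes; it is example code written for this page, not Symfony's own classes or the poster's code. `MessageDigestEncoder` is an assumption: a generic iterated message-digest scheme in which every round re-hashes the whole salted password, so hashing time grows linearly with password length. `LengthSafeEncoder` is the same decorator idea as the PHP proposal above, ported to Python so the cost difference and the guard's behaviour at the 4096-byte boundary can be measured directly. All inputs (salts, passwords, iteration counts) are constructed here.

```python
import hashlib
import hmac
import os
import time


class BadCredentialsException(Exception):
    """Stand-in for Symfony's BadCredentialsException (assumption, for the demo)."""


class MessageDigestEncoder:
    """Model of an iterated message-digest encoder (constructed for this example,
    not Symfony's implementation).

    Each round re-hashes the complete salted password, so the work per round,
    and therefore the total time, grows linearly with the password length.
    That is the denial-of-service surface a hard length limit closes off.
    """

    def __init__(self, algorithm="sha512", iterations=5000):
        self.algorithm = algorithm
        self.iterations = iterations

    def encode_password(self, raw: bytes, salt: bytes) -> bytes:
        salted = raw + b"{" + salt + b"}"
        digest = hashlib.new(self.algorithm, salted).digest()
        for _ in range(self.iterations - 1):
            digest = hashlib.new(self.algorithm, digest + salted).digest()
        return digest

    def is_password_valid(self, encoded: bytes, raw: bytes, salt: bytes) -> bool:
        # Constant-time comparison so the check itself leaks nothing.
        return hmac.compare_digest(encoded, self.encode_password(raw, salt))


class LengthSafeEncoder:
    """Decorator that rejects over-long passwords before the wrapped encoder
    does any hashing; same shape as the PHP proposal in the issue."""

    def __init__(self, encoder, length=4096):
        self.encoder = encoder
        self.length = length

    def encode_password(self, raw: bytes, salt: bytes) -> bytes:
        if self._is_password_too_long(raw):
            raise BadCredentialsException("Invalid password.")
        return self.encoder.encode_password(raw, salt)

    def is_password_valid(self, encoded: bytes, raw: bytes, salt: bytes) -> bool:
        if self._is_password_too_long(raw):
            return False  # cheap reject: no hash is computed
        return self.encoder.is_password_valid(encoded, raw, salt)

    def _is_password_too_long(self, raw: bytes) -> bool:
        return len(raw) > self.length


def hashing_cost_ratio(short_len=64, long_len=1 << 20, iterations=200):
    """How many times longer the unguarded encoder takes for a long_len-byte
    password than for a short_len-byte one (constructed inputs)."""
    encoder = MessageDigestEncoder(iterations=iterations)
    salt = os.urandom(16)
    timings = []
    for n in (short_len, long_len):
        raw = b"a" * n
        start = time.perf_counter()
        encoder.encode_password(raw, salt)
        timings.append(time.perf_counter() - start)
    return timings[1] / timings[0]


def guarded_check(raw: bytes, length=4096) -> str:
    """Classify how the decorated encoder treats `raw`: 'ok' when it is hashed
    and then verifies, 'rejected' when the length guard short-circuits it."""
    guarded = LengthSafeEncoder(MessageDigestEncoder(iterations=10), length)
    salt = b"constructed-salt"
    try:
        encoded = guarded.encode_password(raw, salt)
    except BadCredentialsException:
        # The validity path must also reject without hashing.
        assert guarded.is_password_valid(b"", raw, salt) is False
        return "rejected"
    assert guarded.is_password_valid(encoded, raw, salt)
    return "ok"


if __name__ == "__main__":
    print(f"cost ratio, 1 MiB vs 64 B password: {hashing_cost_ratio():.0f}x")
    print("4096 bytes:", guarded_check(b"x" * 4096))
    print("4097 bytes:", guarded_check(b"x" * 4097))
```

The guard checks the byte length, as the PHP `strlen()` does, because bytes are what the digest consumes; a limit expressed in characters would let a multi-byte UTF-8 password through at several times the intended cost. Note that the wrapped encoder here uses a small iteration count only to keep the demonstration fast; the ratio, not the absolute time, is the point.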