Skip to content

[Security] remove plaintext password hasher usage #20986

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 1 commit into from
May 27, 2025

Conversation

memory_cost="10"
/>
</config>
<when env="test">
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not super confident on these xml/php config changes - please review.

memory_cost="10"
/>
</config>
<when env="test">
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

should be <srv:when> as this code snippet defines the SecurityBundle XML namespace as the default namespace and uses the srv alias for the XML namespace of the DI component

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

hmm, actually, this XML code snippet is already a mess, as it mixes cases, sometimes using a security alias (not registered on the top-level element) for nodes of the SecurityBundle config

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What should we do here? Can this snippet be fixed easily? Otherwise, we could just remove it. Symfony plans to remove XML config support "soon", so this is not important. Thanks.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'd vote to remove

@javiereguiluz javiereguiluz modified the milestones: 7.3, 6.4 May 27, 2025
@javiereguiluz javiereguiluz changed the base branch from 7.3 to 6.4 May 27, 2025 06:12
@javiereguiluz javiereguiluz force-pushed the security/plaintext-hasher branch from 705251b to 1ea48c7 Compare May 27, 2025 06:12
@javiereguiluz javiereguiluz merged commit 53470f9 into symfony:6.4 May 27, 2025
3 checks passed
@javiereguiluz
Copy link
Member

Merged! We merged it in 6.4 and up. We also removed the wrong XML config while merging. Thanks Kevin!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants