Skip to content

[Security] remove plaintext password hasher usage #20986

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
May 27, 2025
Merged

[Security] remove plaintext password hasher usage #20986

merged 1 commit into from
May 27, 2025

Conversation

kbond
Copy link
Member

@kbond kbond commented May 21, 2025

@carsonbot carsonbot added this to the 7.3 milestone May 21, 2025
kbond
kbond commented May 21, 2025
View reviewed changes
security/passwords.rst
memory_cost="10"
/>
</config>
<when env="test">
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not super confident on these xml/php config changes - please review.

stof
stof reviewed May 21, 2025
View reviewed changes
security/passwords.rst
memory_cost="10"
/>
</config>
<when env="test">
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

should be <srv:when> as this code snippet defines the SecurityBundle XML namespace as the default namespace and uses the srv alias for the XML namespace of the DI component

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

hmm, actually, this XML code snippet is already a mess, as it mixes cases, sometimes using a security alias (not registered on the top-level element) for nodes of the SecurityBundle config

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What should we do here? Can this snippet be fixed easily? Otherwise, we could just remove it. Symfony plans to remove XML config support "soon", so this is not important. Thanks.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'd vote to remove

@javiereguiluz javiereguiluz modified the milestones: 7.3, 6.4 May 27, 2025
@javiereguiluz javiereguiluz changed the base branch from 7.3 to 6.4 May 27, 2025 06:12
@javiereguiluz javiereguiluz force-pushed the security/plaintext-hasher branch from 705251b to 1ea48c7 Compare May 27, 2025 06:12
@javiereguiluz javiereguiluz merged commit 53470f9 into symfony:6.4 May 27, 2025
3 checks passed
@javiereguiluz
Copy link
Member

Merged! We merged it in 6.4 and up. We also removed the wrong XML config while merging. Thanks Kevin!

@nicolas-grekas nicolas-grekas mentioned this pull request May 27, 2025
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@javiereguiluz javiereguiluz javiereguiluz left review comments

@stof stof stof left review comments

Assignees
No one assigned
Labels
Security Status: Reviewed
Projects
None yet
Milestone
6.4
Development

Successfully merging this pull request may close these issues.
4 participants
@kbond @javiereguiluz @stof @carsonbot