Upgrade 1-11.38

2026-03-30 14:10:30 +02:00
parent f2a7e6d1fc
commit ac648ef29d
24665 changed files with 69682 additions and 2205004 deletions
@@ -17,18 +17,13 @@ use Symfony\Component\Security\Core\Exception\BadCredentialsException;
 * @author Elnur Abdurrakhimov <elnur@elnur.pro>
 * @author Terje Bråten <terje@braten.be>
 */
-class BCryptPasswordEncoder extends BasePasswordEncoder
+class BCryptPasswordEncoder extends BasePasswordEncoder implements SelfSaltingEncoderInterface
 {
    const MAX_PASSWORD_LENGTH = 72;

-    /**
-     * @var string
-     */
    private $cost;

    /**
-     * Constructor.
-     *
     * @param int $cost The algorithmic cost that should be used
     *
     * @throws \RuntimeException         When no BCrypt encoder is available
@@ -70,13 +65,13 @@ class BCryptPasswordEncoder extends BasePasswordEncoder
            throw new BadCredentialsException('Invalid password.');
        }

-        $options = array('cost' => $this->cost);
+        $options = ['cost' => $this->cost];

        if ($salt) {
            // Ignore $salt, the auto-generated one is always the best
        }

-        return password_hash($raw, PASSWORD_BCRYPT, $options);
+        return password_hash($raw, \PASSWORD_BCRYPT, $options);
    }

    /**
@@ -30,26 +30,26 @@ abstract class BasePasswordEncoder implements PasswordEncoderInterface
    protected function demergePasswordAndSalt($mergedPasswordSalt)
    {
        if (empty($mergedPasswordSalt)) {
-            return array('', '');
+            return ['', ''];
        }

        $password = $mergedPasswordSalt;
        $salt = '';
        $saltBegins = strrpos($mergedPasswordSalt, '{');

-        if (false !== $saltBegins && $saltBegins + 1 < strlen($mergedPasswordSalt)) {
+        if (false !== $saltBegins && $saltBegins + 1 < \strlen($mergedPasswordSalt)) {
            $salt = substr($mergedPasswordSalt, $saltBegins + 1, -1);
            $password = substr($mergedPasswordSalt, 0, $saltBegins);
        }

-        return array($password, $salt);
+        return [$password, $salt];
    }

    /**
     * Merges a password and a salt.
     *
-     * @param string $password the password to be used
-     * @param string $salt     the salt to be used
+     * @param string      $password The password to be used
+     * @param string|null $salt     The salt to be used
     *
     * @return string a merged password and salt
     *
@@ -93,6 +93,6 @@ abstract class BasePasswordEncoder implements PasswordEncoderInterface
     */
    protected function isPasswordTooLong($password)
    {
-        return strlen($password) > static::MAX_PASSWORD_LENGTH;
+        return \strlen($password) > static::MAX_PASSWORD_LENGTH;
    }
 }
@@ -22,7 +22,7 @@ interface EncoderAwareInterface
     * If the method returns null, the standard way to retrieve the encoder
     * will be used instead.
     *
-     * @return string
+     * @return string|null
     */
    public function getEncoderName();
 }
@@ -33,14 +33,14 @@ class EncoderFactory implements EncoderFactoryInterface
        $encoderKey = null;

        if ($user instanceof EncoderAwareInterface && (null !== $encoderName = $user->getEncoderName())) {
-            if (!array_key_exists($encoderName, $this->encoders)) {
+            if (!\array_key_exists($encoderName, $this->encoders)) {
                throw new \RuntimeException(sprintf('The encoder "%s" was not configured.', $encoderName));
            }

            $encoderKey = $encoderName;
        } else {
            foreach ($this->encoders as $class => $encoder) {
-                if ((is_object($user) && $user instanceof $class) || (!is_object($user) && (is_subclass_of($user, $class) || $user == $class))) {
+                if ((\is_object($user) && $user instanceof $class) || (!\is_object($user) && (is_subclass_of($user, $class) || $user == $class))) {
                    $encoderKey = $class;
                    break;
                }
@@ -48,7 +48,7 @@ class EncoderFactory implements EncoderFactoryInterface
        }

        if (null === $encoderKey) {
-            throw new \RuntimeException(sprintf('No encoder has been configured for account "%s".', is_object($user) ? get_class($user) : $user));
+            throw new \RuntimeException(sprintf('No encoder has been configured for account "%s".', \is_object($user) ? \get_class($user) : $user));
        }

        if (!$this->encoders[$encoderKey] instanceof PasswordEncoderInterface) {
@@ -61,8 +61,6 @@ class EncoderFactory implements EncoderFactoryInterface
    /**
     * Creates the actual encoder instance.
     *
-     * @param array $config
-     *
     * @return PasswordEncoderInterface
     *
     * @throws \InvalidArgumentException
@@ -73,10 +71,10 @@ class EncoderFactory implements EncoderFactoryInterface
            $config = $this->getEncoderConfigFromAlgorithm($config);
        }
        if (!isset($config['class'])) {
-            throw new \InvalidArgumentException(sprintf('"class" must be set in %s.', json_encode($config)));
+            throw new \InvalidArgumentException('"class" must be set in '.json_encode($config));
        }
        if (!isset($config['arguments'])) {
-            throw new \InvalidArgumentException(sprintf('"arguments" must be set in %s.', json_encode($config)));
+            throw new \InvalidArgumentException('"arguments" must be set in '.json_encode($config));
        }

        $reflection = new \ReflectionClass($config['class']);
@@ -88,36 +86,42 @@ class EncoderFactory implements EncoderFactoryInterface
    {
        switch ($config['algorithm']) {
            case 'plaintext':
-                return array(
+                return [
                    'class' => PlaintextPasswordEncoder::class,
-                    'arguments' => array($config['ignore_case']),
-                );
+                    'arguments' => [$config['ignore_case']],
+                ];

            case 'pbkdf2':
-                return array(
+                return [
                    'class' => Pbkdf2PasswordEncoder::class,
-                    'arguments' => array(
+                    'arguments' => [
                        $config['hash_algorithm'],
                        $config['encode_as_base64'],
                        $config['iterations'],
                        $config['key_length'],
-                    ),
-                );
+                    ],
+                ];

            case 'bcrypt':
-                return array(
+                return [
                    'class' => BCryptPasswordEncoder::class,
-                    'arguments' => array($config['cost']),
-                );
+                    'arguments' => [$config['cost']],
+                ];
+
+            case 'argon2i':
+                return [
+                    'class' => Argon2iPasswordEncoder::class,
+                    'arguments' => [],
+                ];
        }

-        return array(
+        return [
            'class' => MessageDigestPasswordEncoder::class,
-            'arguments' => array(
+            'arguments' => [
                $config['algorithm'],
                $config['encode_as_base64'],
                $config['iterations'],
-            ),
-        );
+            ],
+        ];
    }
 }
@@ -25,8 +25,6 @@ class MessageDigestPasswordEncoder extends BasePasswordEncoder
    private $iterations;

    /**
-     * Constructor.
-     *
     * @param string $algorithm          The digest algorithm to use
     * @param bool   $encodeHashAsBase64 Whether to base64 encode the password hash
     * @param int    $iterations         The number of iterations to use to stretch the password hash
@@ -47,7 +45,7 @@ class MessageDigestPasswordEncoder extends BasePasswordEncoder
            throw new BadCredentialsException('Invalid password.');
        }

-        if (!in_array($this->algorithm, hash_algos(), true)) {
+        if (!\in_array($this->algorithm, hash_algos(), true)) {
            throw new \LogicException(sprintf('The algorithm "%s" is not supported.', $this->algorithm));
        }

@@ -11,6 +11,8 @@

 namespace Symfony\Component\Security\Core\Encoder;

+use Symfony\Component\Security\Core\Exception\BadCredentialsException;
+
 /**
 * PasswordEncoderInterface is the interface for all encoders.
 *
@@ -21,21 +23,26 @@ interface PasswordEncoderInterface
    /**
     * Encodes the raw password.
     *
-     * @param string $raw  The password to encode
-     * @param string $salt The salt
+     * @param string      $raw  The password to encode
+     * @param string|null $salt The salt
     *
     * @return string The encoded password
+     *
+     * @throws BadCredentialsException   If the raw password is invalid, e.g. excessively long
+     * @throws \InvalidArgumentException If the salt is invalid
     */
    public function encodePassword($raw, $salt);

    /**
     * Checks a raw password against an encoded password.
     *
-     * @param string $encoded An encoded password
-     * @param string $raw     A raw password
-     * @param string $salt    The salt
+     * @param string      $encoded An encoded password
+     * @param string      $raw     A raw password
+     * @param string|null $salt    The salt
     *
     * @return bool true if the password is valid, false otherwise
+     *
+     * @throws \InvalidArgumentException If the salt is invalid
     */
    public function isPasswordValid($encoded, $raw, $salt);
 }
@@ -34,8 +34,6 @@ class Pbkdf2PasswordEncoder extends BasePasswordEncoder
    private $length;

    /**
-     * Constructor.
-     *
     * @param string $algorithm          The digest algorithm to use
     * @param bool   $encodeHashAsBase64 Whether to base64 encode the password hash
     * @param int    $iterations         The number of iterations to use to stretch the password hash
@@ -60,7 +58,7 @@ class Pbkdf2PasswordEncoder extends BasePasswordEncoder
            throw new BadCredentialsException('Invalid password.');
        }

-        if (!in_array($this->algorithm, hash_algos(), true)) {
+        if (!\in_array($this->algorithm, hash_algos(), true)) {
            throw new \LogicException(sprintf('The algorithm "%s" is not supported.', $this->algorithm));
        }

@@ -14,7 +14,9 @@ namespace Symfony\Component\Security\Core\Encoder;
 use Symfony\Component\Security\Core\Exception\BadCredentialsException;

 /**
- * PlaintextPasswordEncoder does not do any encoding.
+ * PlaintextPasswordEncoder does not do any encoding but is useful in testing environments.
+ *
+ * As this encoder is not cryptographically secure, usage of it in production environments is discouraged.
 *
 * @author Fabien Potencier <fabien@symfony.com>
 */
@@ -23,8 +25,6 @@ class PlaintextPasswordEncoder extends BasePasswordEncoder
    private $ignorePasswordCase;

    /**
-     * Constructor.
-     *
     * @param bool $ignorePasswordCase Compare password case-insensitive
     */
    public function __construct($ignorePasswordCase = false)
@@ -20,14 +20,8 @@ use Symfony\Component\Security\Core\User\UserInterface;
 */
 class UserPasswordEncoder implements UserPasswordEncoderInterface
 {
-    /**
-     * @var EncoderFactoryInterface
-     */
    private $encoderFactory;

-    /**
-     * @param EncoderFactoryInterface $encoderFactory The encoder factory
-     */
    public function __construct(EncoderFactoryInterface $encoderFactory)
    {
        $this->encoderFactory = $encoderFactory;
@@ -48,6 +42,10 @@ class UserPasswordEncoder implements UserPasswordEncoderInterface
     */
    public function isPasswordValid(UserInterface $user, $raw)
    {
+        if (null === $user->getPassword()) {
+            return false;
+        }
+
        $encoder = $this->encoderFactory->getEncoder($user);

        return $encoder->isPasswordValid($user->getPassword(), $raw, $user->getSalt());