Skip to content

[Security] remove plaintext password hasher usage#20986

Merged
javiereguiluz merged 1 commit intosymfony:6.4from
kbond:security/plaintext-hasher
May 27, 2025
Merged

[Security] remove plaintext password hasher usage#20986
javiereguiluz merged 1 commit intosymfony:6.4from
kbond:security/plaintext-hasher

Conversation

@kbond
Copy link
Copy Markdown
Member

@kbond kbond commented May 21, 2025

@carsonbot carsonbot added this to the 7.3 milestone May 21, 2025
kbond
kbond commented May 21, 2025
View reviewed changes
security/passwords.rst
memory_cost="10"
/>
</config>
<when env="test">
Copy link
Copy Markdown
Member Author

@kbond kbond May 21, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not super confident on these xml/php config changes - please review.

stof
stof reviewed May 21, 2025
View reviewed changes
security/passwords.rst
memory_cost="10"
/>
</config>
<when env="test">
Copy link
Copy Markdown
Member

@stof stof May 21, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

should be <srv:when> as this code snippet defines the SecurityBundle XML namespace as the default namespace and uses the srv alias for the XML namespace of the DI component

Copy link
Copy Markdown
Member

@stof stof May 21, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

hmm, actually, this XML code snippet is already a mess, as it mixes cases, sometimes using a security alias (not registered on the top-level element) for nodes of the SecurityBundle config

Copy link
Copy Markdown
Member

@javiereguiluz javiereguiluz May 23, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What should we do here? Can this snippet be fixed easily? Otherwise, we could just remove it. Symfony plans to remove XML config support "soon", so this is not important. Thanks.

Copy link
Copy Markdown
Member Author

@kbond kbond May 23, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'd vote to remove

@javiereguiluz javiereguiluz modified the milestones: 7.3, 6.4 May 27, 2025
@javiereguiluz javiereguiluz changed the base branch from 7.3 to 6.4 May 27, 2025 06:12
@javiereguiluz javiereguiluz force-pushed the security/plaintext-hasher branch from 705251b to 1ea48c7 Compare May 27, 2025 06:12
@javiereguiluz javiereguiluz merged commit 53470f9 into symfony:6.4 May 27, 2025
3 checks passed
@javiereguiluz
Copy link
Copy Markdown
Member

javiereguiluz commented May 27, 2025

Merged! We merged it in 6.4 and up. We also removed the wrong XML config while merging. Thanks Kevin!

@nicolas-grekas nicolas-grekas mentioned this pull request May 27, 2025
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@javiereguiluz javiereguiluz javiereguiluz left review comments

+1 more reviewer

@stof stof stof left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

Security Status: Reviewed

Projects

None yet

Milestone

6.4

Development

Successfully merging this pull request may close these issues.

4 participants

@kbond @javiereguiluz @stof @carsonbot