diff --git a/core/lib/Drupal/Core/Password/PhpPassword.php b/core/lib/Drupal/Core/Password/PhpPassword.php
index 7b0968f..fd29c3a 100644
--- a/core/lib/Drupal/Core/Password/PhpPassword.php
+++ b/core/lib/Drupal/Core/Password/PhpPassword.php
@@ -25,6 +25,11 @@ class PhpPassword implements PasswordInterface {
/**
+ * Maximum password length.
+ */
+ const PASSWORD_MAX_LENGTH = 512;
+
+ /**
* The algorithmic cost that should be used.
*
* @var int
@@ -56,7 +61,7 @@ function __construct($cost, PasswordInterface $drupal7_password) {
*/
public function hash($password) {
// Prevent DoS attacks by refusing to hash large passwords.
- if (strlen($password) > 512) {
+ if (strlen($password) > static::PASSWORD_MAX_LENGTH) {
return FALSE;
}
diff --git a/core/modules/user/src/Tests/UserLoginTest.php b/core/modules/user/src/Tests/UserLoginTest.php
index 2b75204..c95539e 100644
--- a/core/modules/user/src/Tests/UserLoginTest.php
+++ b/core/modules/user/src/Tests/UserLoginTest.php
@@ -19,6 +19,20 @@ class UserLoginTest extends WebTestBase {
/**
+ * Drupal password hasher service.
+ *
+ * @var \Drupal\Core\Password\PasswordInterface
+ */
+ private $passwordHasher;
+
+ /**
+ * Drupal 7 password hasher service.
+ *
+ * @var \Drupal\Core\Password\PasswordInterface
+ */
+ private $drupal7PasswordHasher;
+
+ /**
* Tests login with destination.
*/
function testLoginCacheTagsAndDestination() {
@@ -32,6 +46,9 @@ function testLoginCacheTagsAndDestination() {
$edit = array('name' => $user->getUserName(), 'pass' => $user->pass_raw);
$this->drupalPostForm(NULL, $edit, t('Log in'));
$this->assertUrl('foo', [], 'Redirected to the correct URL');
+
+ $this->passwordHasher = $this->container->get('password');
+ $this->drupal7PasswordHasher = $this->container->get('drupal7_password');
}
/**
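Review bot: The docblock added for `PASSWORD_MAX_LENGTH` in the -25 hunk says only "Maximum password length", while the guard in the -56 hunk compares `strlen()`, which counts bytes, so a password containing multibyte characters is rejected well below 512 characters; the comment should state the unit and the purpose, `* Maximum password length in bytes (as measured by strlen()) that hash() will accept; longer input is refused to bound hashing cost.` Reading the constant through `static::` in the -56 hunk lets any subclass raise that ceiling, which seems unintended for a resource-exhaustion guard; `self::PASSWORD_MAX_LENGTH` would pin it to this class. hash() continues past the end of the hunk.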
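Review bot: The `$passwordHasher` and `$drupal7PasswordHasher` properties declared in the -19 hunk are assigned only at the end of `testLoginCacheTagsAndDestination()` in the -46 hunk, so every other test method that reads them is coupled to that test having run first on the same test object, and the services it cached come from that earlier test's container rather than the current one. They should be initialised in `setUp()` instead, with the two assignments in the -46 hunk dropped, so each test method obtains the hashers from its own container. The same coupling applies to the testPasswordRehashOnLogin hunks and the two migrated-password test hunks that follow. I am presuming WebTestBase builds a fresh container per test method; if it does not, the ordering dependency between test methods still remains.
```php
  protected function setUp() {
    parent::setUp();
    $this->passwordHasher = $this->container->get('password');
    $this->drupal7PasswordHasher = $this->container->get('drupal7_password');
  }
```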
@@ -115,9 +132,6 @@ function testPerUserLoginFloodControl() {
* Test that user password is re-hashed upon login after changing the cost.
*/
function testPasswordRehashOnLogin() {
- /** @var \Drupal\Core\Password\Password $password_hasher */
- $password_hasher = $this->container->get('password');
-
// Create a new user and authenticate.
$account = $this->drupalCreateUser(array());
$password = $account->pass_raw;
@@ -125,7 +139,7 @@ function testPasswordRehashOnLogin() {
$this->drupalLogout();
// Load the stored user. The password hash should reflect $default_cost.
$account = user_load($account->id());
- $this->assertTrue($password_hasher->check($password, $account));
+ $this->assertTrue($this->passwordHasher->check($password, $account));
// Change the required cost by loading a test-module containing the
// necessary container builder code and then verify that the users password
@@ -137,50 +151,46 @@ function testPasswordRehashOnLogin() {
$this->drupalLogin($account);
// Load the stored user, which should have a different password hash now.
$account = user_load($account->id(), TRUE);
- $password_hasher = $this->container->get('password');
- $this->assertTrue($password_hasher->check($password, $account));
+ //$password_hasher = $this->container->get('password');
+ $this->assertTrue($this->passwordHasher->check($password, $account));
}
/**
- * Test MD5 (Drupal 6) and Drupal 7 passwords rehashing.
+ * Test MD5 (Drupal 6) passwords rehashing.
*/
- public function testMigratedPasswordRehashing() {
- /** @var \Drupal\Core\Password\PasswordInterface $d7_hasher */
- $d7_hasher = $this->container->get('drupal7_password');
- /** @var \Drupal\Core\Password\PasswordInterface $hasher */
- $hasher = $this->container->get('password');
-
- // Drupal 6 migrated password.
-
+ public function testDrupal6MigratedPasswordRehashing() {
$account = $this->drupalCreateUser();
$plain = $account->pass_raw;
// We pretend that the user was migrated from Drupal 6.
$md5_pass = md5($plain);
- $migrated_pass = 'U' . $hasher->hash($md5_pass);
+ $migrated_pass = 'U' . $this->passwordHasher->hash($md5_pass);
$this->storeHashedPassword($account, $migrated_pass);
$this->drupalLogin($account);
$this->drupalLogout();
// After logging is the user password has been rehashed and is valid.
- $this->assertTrue($hasher->check($plain, $account));
-
- // Drupal 7 migrated password.
+ $this->assertTrue($this->passwordHasher->check($plain, $account));
+ }
- $account2 = $this->drupalCreateUser();
- $plain = $account2->pass_raw;
+ /**
+ * Test Drupal 7 passwords rehashing.
+ */
+ public function testDrupal7MigratedPasswordRehashing() {
+ $account = $this->drupalCreateUser();
+ $plain = $account->pass_raw;
// We pretend that the user was migrated from Drupal 7.
- $d7_pass = $d7_hasher->hash($plain);
+ $d7_pass = $this->drupal7PasswordHasher->hash($plain);
$salt = substr($d7_pass, 0, 12);
- $migrated_pass = 'D7' . $salt . $hasher->hash($d7_pass);
- $this->storeHashedPassword($account2, $migrated_pass);
- $this->drupalLogin($account2);
+ $migrated_pass = 'D7' . $salt . $this->passwordHasher->hash($d7_pass);
+ $this->storeHashedPassword($account, $migrated_pass);
+ $this->drupalLogin($account);
$this->drupalLogout();
// After logging is the user password has been rehashed and is valid.
- $this->assertTrue($hasher->check($plain, $account2));
+ $this->assertTrue($this->passwordHasher->check($plain, $account));
}
/**
@@ -214,8 +224,9 @@ function assertFailedLogin($account, $flood_trigger = NULL) {
}
/**
- * Updates the hashed user password bypassing the API. We want to set an
- * already hashed password.
+ * Updates the hashed user password bypassing the API.
+
+ * We want to set an already hashed password.
*
* @param \Drupal\user\UserInterface $account
* The user account.
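Review bot: The commented-out line `//$password_hasher = $this->container->get('password');` in the testPasswordRehashOnLogin part of the -137 hunk should be deleted rather than kept, and dropping that re-fetch changes what the assertion covers: the original obtained the `password` service again after the test module rebuilt the container with the new cost, whereas `$this->passwordHasher` still holds the instance fetched before that rebuild, so the `check()` that follows presumably runs against the old-cost hasher. Replace the commented line with a real re-fetch, `$this->passwordHasher = $this->container->get('password');`, so the assertion exercises the rebuilt service. testPasswordRehashOnLogin starts before the hunk. Splitting `testMigratedPasswordRehashing()` into separate Drupal 6 and Drupal 7 cases otherwise reads fine.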