phangoapp/phamodels
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Little security fix for avoid ddos password attack if not using bcrypt encrypting

Browse source
This commit is contained in:
Antonio de la Rosa 2016-11-17 05:10:26 +01:00
parent dd0f330f5f
commit 86125bf06d
1 changed files with 5 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

6
src/CoreFields/PasswordField.php
View file

@ -63,11 +63,15 @@ class PasswordField extends CharField {
$this->error=1; $this->error=1;
$this->std_error=I18n::lang('common', 'error_null_password', 'Bcrypt have problems using null characters...'); $this->std_error=I18n::lang('common', 'error_null_password', 'Password not valid');
return ''; return '';
} }
//Cut the password if is longer than 128 characters. If password_hash use a different password system to bcrypt (have a 72 character limit) is useful for stop ddos passwords attack.
$value=substr ($value, 0, 128);
$hash_password=password_hash($value, PASSWORD_DEFAULT); $hash_password=password_hash($value, PASSWORD_DEFAULT);