Mirror of https://we.phorge.it/source/phorge.git, synced 2025-01-10 23:01:04 +01:00
Guarantee terms in PhabricatorAuthPasswordEngine are strings
Summary: Ref T2312. Numeric strings are read out of arrays as integers, and modern PHP raises appropriate warnings when they're then treated as strings. For now, cast the keys to strings explicitly (we know we inserted only strings). In the future, introduction of a `StringMap` type or similar might be appropriate.

Test Plan:
- Added "abc.12345.xyz" to the blocklist, changed my VCS password.
- Before: fatal when trying to "strpos()" an integer.
- After: password change worked correctly.

Maniphest Tasks: T2312

Differential Revision: https://secure.phabricator.com/D21487
parent c04147328f
commit ae5a38f334
1 changed files with 6 additions and 0 deletions
|
@ -181,6 +181,12 @@ final class PhabricatorAuthPasswordEngine
|
|||
$normal_password = phutil_utf8_strtolower($raw_password);
|
||||
if (strlen($normal_password) >= $minimum_similarity) {
|
||||
foreach ($normal_map as $term => $source) {
|
||||
|
||||
// See T2312. This may be required if the term list includes numeric
|
||||
// strings like "12345", which will be cast to integers when used as
|
||||
// array keys.
|
||||
$term = phutil_string_cast($term);
|
||||
|
||||
if (strpos($term, $normal_password) === false &&
|
||||
strpos($normal_password, $term) === false) {
|
||||
continue;
|
||||
|
|
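Review bot: The cast `$term = phutil_string_cast($term);` at the top of the `foreach` body repairs the key type only at this one read site, and the commit changes a single file with no test, so the numeric-term case rests entirely on the manual test plan. Consider adding a unit test for the engine that uses a purely numeric blocklist term such as "12345", so the `strpos()` path that previously fataled stays covered, and check any other place that reads terms back out of the keys of `$normal_map` for the same integer conversion. The comment could also state plainly that PHP converts integer-like string keys to integers, rather than "may be required".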