authorFabien Potencier <fabien.potencier@gmail.com>2013-06-13 09:21:46 +0200
committerFabien Potencier <fabien.potencier@gmail.com>2013-06-13 09:21:46 +0200
commit1a2c36aee50c9969a168437f7abbbfc03e5d78e6 (patch)
tree9c59b9e5a73b7d661a028d2f2e6de2fa7ea43b52
parent58d09b3674e2c0c442fcf13d61869fe072b9bb08 (diff)
downloadsymfony-security-1a2c36aee50c9969a168437f7abbbfc03e5d78e6.zip
symfony-security-1a2c36aee50c9969a168437f7abbbfc03e5d78e6.tar.gz
symfony-security-1a2c36aee50c9969a168437f7abbbfc03e5d78e6.tar.bz2
[Security] fixed usage of the salt for the bcrypt encoder (refs #8210)
-rw-r--r--Core/Encoder/BCryptPasswordEncoder.php12
1 files changed, 11 insertions, 1 deletions
diff --git a/Core/Encoder/BCryptPasswordEncoder.php b/Core/Encoder/BCryptPasswordEncoder.php
index 3609f64..a355421 100644
--- a/Core/Encoder/BCryptPasswordEncoder.php
+++ b/Core/Encoder/BCryptPasswordEncoder.php
@@ -53,14 +53,24 @@ class BCryptPasswordEncoder extends BasePasswordEncoder
* the "$2y$" salt prefix (which is not available in the early PHP versions).
* @see https://github.com/ircmaxell/password_compat/issues/10#issuecomment-11203833
*
+ * It is almost best to **not** pass a salt and let PHP generate one for you.
+ *
* @param string $raw The password to encode
* @param string $salt The salt
*
* @return string The encoded password
+ *
+ * @link http://lxr.php.net/xref/PHP_5_5/ext/standard/password.c#111
*/
public function encodePassword($raw, $salt)
{
- return password_hash($raw, PASSWORD_BCRYPT, array('cost' => $this->cost));
+ $options = array('cost' => $this->cost);
+
+ if ($salt) {
+ $options['salt'] = $salt;
+ }
+
+ return password_hash($raw, PASSWORD_BCRYPT, $options);
}
/**
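Review bot: The caller-supplied salt assigned at `$options['salt'] = $salt;` reaches `password_hash()` unvalidated, and as I read the linked password.c the bcrypt path warns and returns `null` for a salt shorter than 22 characters (and base64-recodes one that is not in the `./0-9A-Za-z` alphabet), so a short or malformed salt makes `encodePassword()` yield a value that `password_verify()` can never match instead of failing loudly. Either guard it before assignment, e.g. `if (strlen($salt) < 22) { throw new \InvalidArgumentException('A bcrypt salt must be at least 22 characters.'); }`, or follow the new docblock's own advice and keep the auto-generated salt, documenting that `$salt` is ignored. The truthiness test `if ($salt)` also silently discards the salt `'0'`; `null !== $salt && '' !== $salt` states the intent exactly. Note for maintainers that the `salt` option was later deprecated (PHP 7.0) and is ignored by `password_hash()` on PHP 8, so behaviour of this branch will diverge across PHP versions. The docblock line `It is almost best to **not** pass a salt` presumably should read `almost always best`.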