authorFabien Potencier <fabien.potencier@gmail.com>2013-10-10 08:30:51 +0200
committerFabien Potencier <fabien.potencier@gmail.com>2013-10-10 14:05:52 +0200
commit41cbe3694a5332d7e5bdb285c81bbfe23f31a220 (patch)
tree48b09420b041421ce1ee3e35d21d98ab11e7d793 /Core/Encoder/BasePasswordEncoder.php
parente3a08775fbfb1062167a56e3c5f606b3300d40a8 (diff)
[Security] limited the password length passed to encodersv2.2.9
Diffstat (limited to 'Core/Encoder/BasePasswordEncoder.php')
-rw-r--r--Core/Encoder/BasePasswordEncoder.php12
1 files changed, 12 insertions, 0 deletions
diff --git a/Core/Encoder/BasePasswordEncoder.php b/Core/Encoder/BasePasswordEncoder.php
index c26c9ce..b83eb30 100644
--- a/Core/Encoder/BasePasswordEncoder.php
+++ b/Core/Encoder/BasePasswordEncoder.php
@@ -20,6 +20,8 @@ use Symfony\Component\Security\Core\Util\StringUtils;
*/
abstract class BasePasswordEncoder implements PasswordEncoderInterface
{
+ const MAX_PASSWORD_LENGTH = 4096;
+
/**
* Demerges a merge password and salt string.
*
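Review bot: `MAX_PASSWORD_LENGTH` is added without a comment, so neither its unit nor its purpose is stated at the declaration. The helper added in the second hunk compares it against `strlen()`, so the limit is in bytes rather than characters, which matters for multi-byte passwords. I would add a docblock above the constant such as `/** Maximum length, in bytes, of a password passed to an encoder. */`. The constant is also readable by subclasses and outside callers, which is worth a word in that docblock if it is meant as public API.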
@@ -83,4 +85,14 @@ abstract class BasePasswordEncoder implements PasswordEncoderInterface
{
return StringUtils::equals($password1, $password2);
}
+
+ /**
+ * Checks if the password is too long.
+ *
+ * @return Boolean true if the password is too long, false otherwise
+ */
+ protected function isPasswordTooLong($password)
+ {
+ return strlen($password) > self::MAX_PASSWORD_LENGTH;
+ }
}
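Review bot: Nothing in the visible hunks calls `isPasswordTooLong()`, so the limit only takes effect in encoders that invoke the helper themselves; the diffstat is limited to this file, so the call sites may exist elsewhere in the commit but cannot be checked here. A custom encoder extending `BasePasswordEncoder` would presumably remain unbounded unless it calls the helper in both its encoding and its validation path, and the docblock should say that explicitly. The docblock also lacks `@param string $password The password to check`. Because `strlen()` counts bytes, it would help to state that the comparison is on byte length and that a non-string argument is not handled.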