Diffstat (limited to 'Core/Encoder')
-rw-r--r--Core/Encoder/BCryptPasswordEncoder.php4
-rw-r--r--Core/Encoder/BasePasswordEncoder.php10
-rw-r--r--Core/Encoder/MessageDigestPasswordEncoder.php4
-rw-r--r--Core/Encoder/Pbkdf2PasswordEncoder.php4
-rw-r--r--Core/Encoder/PlaintextPasswordEncoder.php4
5 files changed, 26 insertions, 0 deletions
diff --git a/Core/Encoder/BCryptPasswordEncoder.php b/Core/Encoder/BCryptPasswordEncoder.php
index a355421..f96bb4f 100644
--- a/Core/Encoder/BCryptPasswordEncoder.php
+++ b/Core/Encoder/BCryptPasswordEncoder.php
@@ -64,6 +64,8 @@ class BCryptPasswordEncoder extends BasePasswordEncoder
*/
public function encodePassword($raw, $salt)
{
+ $this->checkPasswordLength($raw);
+
$options = array('cost' => $this->cost);
if ($salt) {
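Review bot: encodePassword and isPasswordValid can now throw BadCredentialsException (via checkPasswordLength) but the docblocks directly above each hunk are not updated, so callers reading the documented contract still expect a string or a boolean with no exception path. The same applies to the other hunks in this commit: BCryptPasswordEncoder::isPasswordValid, and both methods in MessageDigestPasswordEncoder, Pbkdf2PasswordEncoder and PlaintextPasswordEncoder. Each docblock should gain a line such as ` * @throws BadCredentialsException If the password exceeds BasePasswordEncoder::MAX_PASSWORD_LENGTH bytes`. The docblocks themselves begin above the hunk, so the edit falls outside the lines shown here.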
@@ -78,6 +80,8 @@ class BCryptPasswordEncoder extends BasePasswordEncoder
*/
public function isPasswordValid($encoded, $raw, $salt)
{
+ $this->checkPasswordLength($raw);
+
return password_verify($raw, $encoded);
}
}
diff --git a/Core/Encoder/BasePasswordEncoder.php b/Core/Encoder/BasePasswordEncoder.php
index c26c9ce..b7e52bb 100644
--- a/Core/Encoder/BasePasswordEncoder.php
+++ b/Core/Encoder/BasePasswordEncoder.php
@@ -12,6 +12,7 @@
namespace Symfony\Component\Security\Core\Encoder;
use Symfony\Component\Security\Core\Util\StringUtils;
+use Symfony\Component\Security\Core\Exception\BadCredentialsException;
/**
* BasePasswordEncoder is the base class for all password encoders.
@@ -20,6 +21,8 @@ use Symfony\Component\Security\Core\Util\StringUtils;
*/
abstract class BasePasswordEncoder implements PasswordEncoderInterface
{
+ const MAX_PASSWORD_LENGTH = 4096;
+
/**
* Demerges a merge password and salt string.
*
@@ -83,4 +86,11 @@ abstract class BasePasswordEncoder implements PasswordEncoderInterface
{
return StringUtils::equals($password1, $password2);
}
+
+ protected function checkPasswordLength($password)
+ {
+ if (strlen($password) > self::MAX_PASSWORD_LENGTH) {
+ throw new BadCredentialsException('Invalid password.');
+ }
+ }
}
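Review bot: checkPasswordLength and the MAX_PASSWORD_LENGTH constant in the hunk above are the only members of this class without a docblock, and the intent of the guard is not stated anywhere, which invites a later "cleanup" that removes it. The method should carry a docblock saying that it rejects over-long input before it reaches the hashing routine, that the limit is measured in bytes with strlen (this appears deliberate, since it bounds the data handed to the hash rather than a user-visible character count, but it is worth stating so nobody swaps in mb_strlen), that the error message is intentionally generic so callers cannot distinguish an over-long password from a wrong one, and an `@throws BadCredentialsException` tag. The constant should get a one-line comment such as `/** Maximum accepted password length in bytes; longer input is rejected without hashing. */`. One inferred point to confirm: if $raw can arrive as null (the callers in the other hunks pass it straight through), strlen yields 0 and the check passes silently, so a `@param string $password` tag would at least document the expectation.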
diff --git a/Core/Encoder/MessageDigestPasswordEncoder.php b/Core/Encoder/MessageDigestPasswordEncoder.php
index a8bd553..efe1e5c 100644
--- a/Core/Encoder/MessageDigestPasswordEncoder.php
+++ b/Core/Encoder/MessageDigestPasswordEncoder.php
@@ -41,6 +41,8 @@ class MessageDigestPasswordEncoder extends BasePasswordEncoder
*/
public function encodePassword($raw, $salt)
{
+ $this->checkPasswordLength($raw);
+
if (!in_array($this->algorithm, hash_algos(), true)) {
throw new \LogicException(sprintf('The algorithm "%s" is not supported.', $this->algorithm));
}
@@ -61,6 +63,8 @@ class MessageDigestPasswordEncoder extends BasePasswordEncoder
*/
public function isPasswordValid($encoded, $raw, $salt)
{
+ $this->checkPasswordLength($raw);
+
return $this->comparePasswords($encoded, $this->encodePassword($raw, $salt));
}
}
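Review bot: The added check in isPasswordValid is redundant here, because the method immediately delegates to $this->encodePassword($raw, $salt), which performs the same call on its first line in the hunk above; the same pattern appears in Pbkdf2PasswordEncoder::isPasswordValid. Keeping it is defensible as defence in depth against a subclass overriding encodePassword without the check, but without a comment the duplication reads as an oversight. A one-line comment such as `// Repeated here so the guard does not rely on encodePassword() being the one that enforces it.` would make the intent explicit, or the line could be dropped in these two classes if the base-class contract is considered sufficient.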
diff --git a/Core/Encoder/Pbkdf2PasswordEncoder.php b/Core/Encoder/Pbkdf2PasswordEncoder.php
index 4f37ba3..a4b5c3b 100644
--- a/Core/Encoder/Pbkdf2PasswordEncoder.php
+++ b/Core/Encoder/Pbkdf2PasswordEncoder.php
@@ -54,6 +54,8 @@ class Pbkdf2PasswordEncoder extends BasePasswordEncoder
*/
public function encodePassword($raw, $salt)
{
+ $this->checkPasswordLength($raw);
+
if (!in_array($this->algorithm, hash_algos(), true)) {
throw new \LogicException(sprintf('The algorithm "%s" is not supported.', $this->algorithm));
}
@@ -72,6 +74,8 @@ class Pbkdf2PasswordEncoder extends BasePasswordEncoder
*/
public function isPasswordValid($encoded, $raw, $salt)
{
+ $this->checkPasswordLength($raw);
+
return $this->comparePasswords($encoded, $this->encodePassword($raw, $salt));
}
diff --git a/Core/Encoder/PlaintextPasswordEncoder.php b/Core/Encoder/PlaintextPasswordEncoder.php
index c21f3cd..55aad18 100644
--- a/Core/Encoder/PlaintextPasswordEncoder.php
+++ b/Core/Encoder/PlaintextPasswordEncoder.php
@@ -35,6 +35,8 @@ class PlaintextPasswordEncoder extends BasePasswordEncoder
*/
public function encodePassword($raw, $salt)
{
+ $this->checkPasswordLength($raw);
+
return $this->mergePasswordAndSalt($raw, $salt);
}
@@ -43,6 +45,8 @@ class PlaintextPasswordEncoder extends BasePasswordEncoder
*/
public function isPasswordValid($encoded, $raw, $salt)
{
+ $this->checkPasswordLength($raw);
+
$pass2 = $this->mergePasswordAndSalt($raw, $salt);
if (!$this->ignorePasswordCase) {