@recaptime-dev's working patches + fork for Phorge, a community fork of Phabricator. (Upstream dev and stable branches are at upstream/main and upstream/stable respectively.) hq.recaptime.dev/wiki/Phorge
Guarantee terms in PhabricatorAuthPasswordEngine are strings

Summary:
Ref T2312. Numeric strings are read out of arrays as integers, and modern PHP raises appropriate warnings when they're then treated as strings.

For now, cast the keys to strings explicitly (we know we inserted only strings). In the future, introduction of a `StringMap` type or similar might be appropriate.

Test Plan:
- Added "abc.12345.xyz" to the blocklist, changed my VCS password.
- Before: fatal when trying to "strpos()" an integer.
- After: password change worked correctly.

Maniphest Tasks: T2312

Differential Revision: https://secure.phabricator.com/D21487

+6
+6
src/applications/auth/engine/PhabricatorAuthPasswordEngine.php
··· 181 181 $normal_password = phutil_utf8_strtolower($raw_password); 182 182 if (strlen($normal_password) >= $minimum_similarity) { 183 183 foreach ($normal_map as $term => $source) { 184 + 185 + // See T2312. This may be required if the term list includes numeric 186 + // strings like "12345", which will be cast to integers when used as 187 + // array keys. 188 + $term = phutil_string_cast($term); 189 + 184 190 if (strpos($term, $normal_password) === false && 185 191 strpos($normal_password, $term) === false) { 186 192 continue;
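Review bot: The cast at new line 188 (`$term = phutil_string_cast($term);`) only fixes this one loop, so any other code that iterates the same term map by key will still receive integers for terms like "12345". Consider normalizing the keys once before the loop, or tracking the `StringMap`-style follow-up mentioned in the commit message, so that every consumer sees strings. The change also lands without an automated test: the test plan is manual, and a unit test using a numeric blocklist term would catch a regression of the `strpos()` failure. Minor style point: the blank line added at 184, directly after the `foreach` opening brace, can be dropped.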