From 52c0efba75bcae89a8d758f9fd902d6f66e0c290 Mon Sep 17 00:00:00 2001
From: Vladimir Kolesnikov
Date: Fri, 20 Sep 2013 19:32:40 +0300
Subject: [PATCH 1/2] Ability to restrict the maximum password length for Phalcon\Security::checkHash
---
 ext/security.c | 24 ++++++++++++++++++++----
 ext/security.h | 1 +
 2 files changed, 21 insertions(+), 4 deletions(-)
diff --git a/ext/security.c b/ext/security.c
index b8cc4e69ef1..26e80d35c98 100644
--- a/ext/security.c
+++ b/ext/security.c
@@ -260,16 +260,32 @@ PHP_METHOD(Phalcon_Security, hash){
 *
 * @param string $password
 * @param string $passwordHash
+ * @param int $maxPasswordLength
 * @return boolean
 */
 PHP_METHOD(Phalcon_Security, checkHash){
- zval *password, *password_hash, *hash;
+ zval *password, *password_hash, *hash, *max_pass_length = NULL;
- PHALCON_MM_GROW();
-
- phalcon_fetch_params(1, 2, 0, &password, &password_hash);
+ phalcon_fetch_params(0, 2, 1, &password, &password_hash, &max_pass_length);
+ if (Z_TYPE_P(password) != IS_STRING) {
+ PHALCON_SEPARATE_PARAM_NMO(password);
+ convert_to_string(password);
+ }
+
+ if (max_pass_length) {
+ if (Z_TYPE_P(max_pass_length) != IS_LONG) {
+ PHALCON_SEPARATE_PARAM_NMO(max_pass_length);
+ convert_to_long(max_pass_length);
+ }
+
+ if (Z_LVAL_P(max_pass_length) > 0 && Z_STRLEN_P(password) > Z_LVAL_P(max_pass_length)) {
+ RETURN_FALSE;
+ }
+ }
+
+ PHALCON_MM_GROW();
 PHALCON_INIT_VAR(hash);
 phalcon_call_func_p2(hash, "crypt", password, password_hash);
 is_equal_function(return_value, hash, password_hash TSRMLS_CC);
diff --git a/ext/security.h b/ext/security.h
index 44f9e26412d..c33afab6901 100644
--- a/ext/security.h
+++ b/ext/security.h
@@ -56,6 +56,7 @@ ZEND_END_ARG_INFO()
 ZEND_BEGIN_ARG_INFO_EX(arginfo_phalcon_security_checkhash, 0, 0, 2)
 ZEND_ARG_INFO(0, password)
 ZEND_ARG_INFO(0, passwordHash)
+ ZEND_ARG_INFO(0, maxPasswordLength)
 ZEND_END_ARG_INFO()
 ZEND_BEGIN_ARG_INFO_EX(arginfo_phalcon_security_islegacyhash, 0, 0, 1)
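Review bot: The new `@param int $maxPasswordLength` line in the checkHash docblock gives the type but not the contract the code below implements: the limit is measured in bytes (`Z_STRLEN_P`), a password of exactly the limit still passes because the test is `>`, and a value of 0 or a negative number disables the check since only `Z_LVAL_P(max_pass_length) > 0` is enforced; a non-integer argument is coerced by `convert_to_long`, so a string such as `"abc"` becomes 0 and silently disables the limit too. I would extend the docblock to `@param int $maxPasswordLength Maximum accepted password length in bytes; 0 or a negative value means no limit (default)` and put a why-comment above the length test, `/* Reject over-long input before crypt() runs so the hashing cost stays bounded */`, because the placement of the check ahead of `PHALCON_MM_GROW()` and the `crypt` call is the whole point of the change and is easy to undo in a later refactor. Moving `PHALCON_MM_GROW()` after the early `RETURN_FALSE` looks correct, since the bare return does not have a memory frame to release, but that ordering deserves a one-line comment for the same reason. Separately, the unchanged `is_equal_function(return_value, hash, password_hash TSRMLS_CC)` compares the freshly computed hash with the stored one using PHP loose equality rather than a strict, length-constant comparison; that predates this commit, but it is visible in the hunk and worth a follow-up.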
From 8fd185c586fa2f4873a8694ad67591b031ca3f32 Mon Sep 17 00:00:00 2001
From: Vladimir Kolesnikov
Date: Fri, 20 Sep 2013 19:45:23 +0300
Subject: [PATCH 2/2] Regression test
---
 ext/tests/issue-1261.phpt | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
 create mode 100644 ext/tests/issue-1261.phpt
diff --git a/ext/tests/issue-1261.phpt b/ext/tests/issue-1261.phpt
new file mode 100644
index 00000000000..eb0a41034f6
--- /dev/null
+++ b/ext/tests/issue-1261.phpt
@@ -0,0 +1,18 @@
+--TEST--
+Ability to restrict the maximum password length for Phalcon\Security::checkHash() - https://github.com/phalcon/cphalcon/pull/1261
+--SKIPIF--
+
+--FILE--
+hash('password', 10);
+echo var_export((bool)$s->checkHash('password', $hash), 0), PHP_EOL;
+echo var_export((bool)$s->checkHash('password', $hash, 0), 0), PHP_EOL;
+echo var_export((bool)$s->checkHash('password', $hash, 8), 0), PHP_EOL;
+echo var_export((bool)$s->checkHash('password', $hash, 7), 0), PHP_EOL;
+?>
+--EXPECT--
+true
+true
+true
+false
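Review bot: The test exercises only the limit values 0, 8 and 7 against an 8-byte password, so the negative-value path, where the C implementation's `> 0` guard turns the limit off, and the coercion of a non-integer `maxPasswordLength` remain unexercised; one more line such as `echo var_export((bool)$s->checkHash('password', $hash, -1), 0), PHP_EOL;` with an added `true` in `--EXPECT--` would pin the "negative means no limit" behaviour before anyone relies on it. The case that motivates the change, a password longer than the limit being rejected without reaching crypt(), is covered by the final `7` line. The `--SKIPIF--` and `--FILE--` sections appear to have lost their opening `<?php` lines and the `$s`/`$hash` assignments in this rendering, so those parts of the file could not be checked here.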