diogo/symfony
Archived
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

do not validate passwords when the hash is null

Browse Source
This commit is contained in:
Christian Flothmann 2019-12-03 13:13:07 +01:00
parent 3b42ca9ae0
commit 5699cb22bb
4 changed files with 10 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
src/Symfony/Component/Security/Core/Authentication/Provider/DaoAuthenticationProvider.php
View File

@ -61,7 +61,7 @@ class DaoAuthenticationProvider extends UserAuthenticationProvider
throw new BadCredentialsException('The presented password cannot be empty.');
}
if (!$this->encoderFactory->getEncoder($user)->isPasswordValid($user->getPassword(), $presentedPassword, $user->getSalt())) {
if (null === $user->getPassword() || !$this->encoderFactory->getEncoder($user)->isPasswordValid($user->getPassword(), $presentedPassword, $user->getSalt())) {
throw new BadCredentialsException('The presented password is invalid.');
}
}

4
src/Symfony/Component/Security/Core/Encoder/UserPasswordEncoder.php
View File

@ -42,6 +42,10 @@ class UserPasswordEncoder implements UserPasswordEncoderInterface
*/
public function isPasswordValid(UserInterface $user, $raw)
{
if (null === $user->getPassword()) {
return false;
}
$encoder = $this->encoderFactory->getEncoder($user);
return $encoder->isPasswordValid($user->getPassword(), $raw, $user->getSalt());

7
src/Symfony/Component/Security/Core/Tests/Authentication/Provider/DaoAuthenticationProviderTest.php
View File

@ -15,6 +15,7 @@ use PHPUnit\Framework\TestCase;
use Symfony\Component\Security\Core\Authentication\Provider\DaoAuthenticationProvider;
use Symfony\Component\Security\Core\Encoder\PlaintextPasswordEncoder;
use Symfony\Component\Security\Core\Exception\UsernameNotFoundException;
use Symfony\Component\Security\Core\User\User;
class DaoAuthenticationProviderTest extends TestCase
{
@ -151,7 +152,7 @@ class DaoAuthenticationProviderTest extends TestCase
$method->invoke(
$provider,
$this->getMockBuilder('Symfony\\Component\\Security\\Core\\User\\UserInterface')->getMock(),
new User('username', 'password'),
$token
);
}
@ -175,7 +176,7 @@ class DaoAuthenticationProviderTest extends TestCase
->willReturn('foo')
;
$method->invoke($provider, $this->getMockBuilder('Symfony\\Component\\Security\\Core\\User\\UserInterface')->getMock(), $token);
$method->invoke($provider, new User('username', 'password'), $token);
}
public function testCheckAuthenticationDoesNotReauthenticateWhenPasswordHasChanged()
@ -247,7 +248,7 @@ class DaoAuthenticationProviderTest extends TestCase
->willReturn('foo')
;
$method->invoke($provider, $this->getMockBuilder('Symfony\\Component\\Security\\Core\\User\\UserInterface')->getMock(), $token);
$method->invoke($provider, new User('username', 'password'), $token);
}
protected function getSupportedToken()

2
src/Symfony/Component/Security/Core/Validator/Constraints/UserPasswordValidator.php
View File

@ -53,7 +53,7 @@ class UserPasswordValidator extends ConstraintValidator
$encoder = $this->encoderFactory->getEncoder($user);
if (!$encoder->isPasswordValid($user->getPassword(), $password, $user->getSalt())) {
if (null === $user->getPassword() || !$encoder->isPasswordValid($user->getPassword(), $password, $user->getSalt())) {
$this->context->addViolation($constraint->message);
}
}