diogo/symfony
Archived
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

bug #34779 [Security] do not validate passwords when the hash is null (xabbuh)

Browse Source 
This PR was merged into the 3.4 branch.

Discussion
----------

[Security] do not validate passwords when the hash is null

| Q             | A
| ------------- | ---
| Branch?       | 3.4
| Bug fix?      | yes
| New feature?  | no
| Deprecations? | no
| Tickets       | Fix #34775
| License       | MIT
| Doc PR        |

Commits
-------

5699cb22bb do not validate passwords when the hash is null
This commit is contained in:
Robin Chalas 2019-12-03 21:49:28 +01:00
commit cb429cd762
4 changed files with 10 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
src/Symfony/Component/Security/Core/Authentication/Provider/DaoAuthenticationProvider.php
View File

@ -61,7 +61,7 @@ class DaoAuthenticationProvider extends UserAuthenticationProvider
throw new BadCredentialsException('The presented password cannot be empty.');
}
if (!$this->encoderFactory->getEncoder($user)->isPasswordValid($user->getPassword(), $presentedPassword, $user->getSalt())) {
if (null === $user->getPassword() || !$this->encoderFactory->getEncoder($user)->isPasswordValid($user->getPassword(), $presentedPassword, $user->getSalt())) {
throw new BadCredentialsException('The presented password is invalid.');
}
}

4
src/Symfony/Component/Security/Core/Encoder/UserPasswordEncoder.php
View File

@ -42,6 +42,10 @@ class UserPasswordEncoder implements UserPasswordEncoderInterface
*/
public function isPasswordValid(UserInterface $user, $raw)
{
if (null === $user->getPassword()) {
return false;
}
$encoder = $this->encoderFactory->getEncoder($user);
return $encoder->isPasswordValid($user->getPassword(), $raw, $user->getSalt());

7
src/Symfony/Component/Security/Core/Tests/Authentication/Provider/DaoAuthenticationProviderTest.php
View File

@ -15,6 +15,7 @@ use PHPUnit\Framework\TestCase;
use Symfony\Component\Security\Core\Authentication\Provider\DaoAuthenticationProvider;
use Symfony\Component\Security\Core\Encoder\PlaintextPasswordEncoder;
use Symfony\Component\Security\Core\Exception\UsernameNotFoundException;
use Symfony\Component\Security\Core\User\User;
class DaoAuthenticationProviderTest extends TestCase
{
@ -151,7 +152,7 @@ class DaoAuthenticationProviderTest extends TestCase
$method->invoke(
$provider,
$this->getMockBuilder('Symfony\\Component\\Security\\Core\\User\\UserInterface')->getMock(),
new User('username', 'password'),
$token
);
}
@ -175,7 +176,7 @@ class DaoAuthenticationProviderTest extends TestCase
->willReturn('foo')
;
$method->invoke($provider, $this->getMockBuilder('Symfony\\Component\\Security\\Core\\User\\UserInterface')->getMock(), $token);
$method->invoke($provider, new User('username', 'password'), $token);
}
public function testCheckAuthenticationDoesNotReauthenticateWhenPasswordHasChanged()
@ -247,7 +248,7 @@ class DaoAuthenticationProviderTest extends TestCase
->willReturn('foo')
;
$method->invoke($provider, $this->getMockBuilder('Symfony\\Component\\Security\\Core\\User\\UserInterface')->getMock(), $token);
$method->invoke($provider, new User('username', 'password'), $token);
}
protected function getSupportedToken()

2
src/Symfony/Component/Security/Core/Validator/Constraints/UserPasswordValidator.php
View File

@ -53,7 +53,7 @@ class UserPasswordValidator extends ConstraintValidator
$encoder = $this->encoderFactory->getEncoder($user);
if (!$encoder->isPasswordValid($user->getPassword(), $password, $user->getSalt())) {
if (null === $user->getPassword() || !$encoder->isPasswordValid($user->getPassword(), $password, $user->getSalt())) {
$this->context->addViolation($constraint->message);
}
}