bug #34779 [Security] do not validate passwords when the hash is null (xabbuh)
This PR was merged into the 3.4 branch.
Discussion
----------
[Security] do not validate passwords when the hash is null
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | yes
| New feature? | no
| Deprecations? | no
| Tickets | Fix #34775
| License | MIT
| Doc PR |
Commits
-------
5699cb22bb
do not validate passwords when the hash is null
@ -61,7 +61,7 @@ class DaoAuthenticationProvider extends UserAuthenticationProvider
|
|||||||
throw new BadCredentialsException('The presented password cannot be empty.');
|
throw new BadCredentialsException('The presented password cannot be empty.');
|
||||||
}
|
}
|
||||||
|
|
||||||
if (!$this->encoderFactory->getEncoder($user)->isPasswordValid($user->getPassword(), $presentedPassword, $user->getSalt())) {
|
if (null === $user->getPassword() || !$this->encoderFactory->getEncoder($user)->isPasswordValid($user->getPassword(), $presentedPassword, $user->getSalt())) {
|
||||||
throw new BadCredentialsException('The presented password is invalid.');
|
throw new BadCredentialsException('The presented password is invalid.');
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
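Review bot: The new `null === $user->getPassword()` guard short-circuits before the encoder is called, so an account whose stored hash is null is rejected without any hash computation while a wrong password still pays for one; whether that timing difference matters depends on how the rest of checkAuthentication, which starts and ends outside the hunk, already treats the unknown-user case, so it should be a deliberate decision rather than a side effect of the `||`. Rejecting is the right outcome, and reusing the generic 'The presented password is invalid.' message keeps the two cases indistinguishable in the response. The branch still deserves a one-line comment, e.g. `// a user without a stored hash can never authenticate; reject before consulting the encoder`, because as written the `||` may read as a null-safety workaround rather than an authentication rule.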
@ -42,6 +42,10 @@ class UserPasswordEncoder implements UserPasswordEncoderInterface
|
|||||||
*/
|
*/
|
||||||
public function isPasswordValid(UserInterface $user, $raw)
|
public function isPasswordValid(UserInterface $user, $raw)
|
||||||
{
|
{
|
||||||
|
if (null === $user->getPassword()) {
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
$encoder = $this->encoderFactory->getEncoder($user);
|
$encoder = $this->encoderFactory->getEncoder($user);
|
||||||
|
|
||||||
return $encoder->isPasswordValid($user->getPassword(), $raw, $user->getSalt());
|
return $encoder->isPasswordValid($user->getPassword(), $raw, $user->getSalt());
|
||||||
|
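Review bot: The early `return false;` for a null stored hash is undocumented, and the `*/` directly above the method suggests the docblock is inherited, so nothing tells a caller that `isPasswordValid()` now answers false without consulting the encoder at all. A short comment on the new branch, `// no stored hash means no password can match; skip the encoder entirely`, would record that this is a policy decision rather than a guard against the encoder failing on null. Note that the same null check is duplicated in DaoAuthenticationProvider and UserPasswordValidator in this PR, so a future change to the rule has three places to keep in step; that is acceptable since the provider and validator call the raw encoder rather than this class, but it is worth stating in the comment.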
@ -15,6 +15,7 @@ use PHPUnit\Framework\TestCase;
|
|||||||
use Symfony\Component\Security\Core\Authentication\Provider\DaoAuthenticationProvider;
|
use Symfony\Component\Security\Core\Authentication\Provider\DaoAuthenticationProvider;
|
||||||
use Symfony\Component\Security\Core\Encoder\PlaintextPasswordEncoder;
|
use Symfony\Component\Security\Core\Encoder\PlaintextPasswordEncoder;
|
||||||
use Symfony\Component\Security\Core\Exception\UsernameNotFoundException;
|
use Symfony\Component\Security\Core\Exception\UsernameNotFoundException;
|
||||||
|
use Symfony\Component\Security\Core\User\User;
|
||||||
|
|
||||||
class DaoAuthenticationProviderTest extends TestCase
|
class DaoAuthenticationProviderTest extends TestCase
|
||||||
{
|
{
|
||||||
@ -151,7 +152,7 @@ class DaoAuthenticationProviderTest extends TestCase
|
|||||||
|
|
||||||
$method->invoke(
|
$method->invoke(
|
||||||
$provider,
|
$provider,
|
||||||
$this->getMockBuilder('Symfony\\Component\\Security\\Core\\User\\UserInterface')->getMock(),
|
new User('username', 'password'),
|
||||||
$token
|
$token
|
||||||
);
|
);
|
||||||
}
|
}
|
||||||
@ -175,7 +176,7 @@ class DaoAuthenticationProviderTest extends TestCase
|
|||||||
->willReturn('foo')
|
->willReturn('foo')
|
||||||
;
|
;
|
||||||
|
|
||||||
$method->invoke($provider, $this->getMockBuilder('Symfony\\Component\\Security\\Core\\User\\UserInterface')->getMock(), $token);
|
$method->invoke($provider, new User('username', 'password'), $token);
|
||||||
}
|
}
|
||||||
|
|
||||||
public function testCheckAuthenticationDoesNotReauthenticateWhenPasswordHasChanged()
|
public function testCheckAuthenticationDoesNotReauthenticateWhenPasswordHasChanged()
|
||||||
@ -247,7 +248,7 @@ class DaoAuthenticationProviderTest extends TestCase
|
|||||||
->willReturn('foo')
|
->willReturn('foo')
|
||||||
;
|
;
|
||||||
|
|
||||||
$method->invoke($provider, $this->getMockBuilder('Symfony\\Component\\Security\\Core\\User\\UserInterface')->getMock(), $token);
|
$method->invoke($provider, new User('username', 'password'), $token);
|
||||||
}
|
}
|
||||||
|
|
||||||
protected function getSupportedToken()
|
protected function getSupportedToken()
|
||||||
|
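Review bot: None of the test hunks exercise the new null-hash branch; they only replace the `UserInterface` mocks, whose `getPassword()` would return null and now trip the new guard, with `new User('username', 'password')`, which keeps every existing assertion on the non-null path. A test that invokes checkAuthentication with a user whose password is null and expects `BadCredentialsException` would pin the fix this PR is for and would catch a regression if the guard were later removed, since the User-based tests would still pass. The same gap applies to `UserPasswordEncoder::isPasswordValid()` returning false and `UserPasswordValidator` adding a violation for a null hash.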
@ -53,7 +53,7 @@ class UserPasswordValidator extends ConstraintValidator
|
|||||||
|
|
||||||
$encoder = $this->encoderFactory->getEncoder($user);
|
$encoder = $this->encoderFactory->getEncoder($user);
|
||||||
|
|
||||||
if (!$encoder->isPasswordValid($user->getPassword(), $password, $user->getSalt())) {
|
if (null === $user->getPassword() || !$encoder->isPasswordValid($user->getPassword(), $password, $user->getSalt())) {
|
||||||
$this->context->addViolation($constraint->message);
|
$this->context->addViolation($constraint->message);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
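Review bot: The null check on the new line runs after `$encoder = $this->encoderFactory->getEncoder($user);` two rows above it, so an encoder is still looked up for a user whose hash is null even though it is never used; moving the guard ahead of that call, `if (null === $user->getPassword()) { $this->context->addViolation($constraint->message); return; }`, keeps the lookup off the null path and reads as an explicit rule instead of an appendage to the `||`. The enclosing method starts outside the hunk, so whether an earlier check already rejects such users cannot be seen here. Reporting a violation rather than throwing is consistent with a constraint validator, so the outcome itself is right.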