bug #34779 [Security] do not validate passwords when the hash is null (xabbuh)
This PR was merged into the 3.4 branch.
Discussion
----------
[Security] do not validate passwords when the hash is null
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | yes
| New feature? | no
| Deprecations? | no
| Tickets | Fix #34775
| License | MIT
| Doc PR |
Commits
-------
5699cb22bb
do not validate passwords when the hash is null
This commit is contained in:
commit
cb429cd762
@ -61,7 +61,7 @@ class DaoAuthenticationProvider extends UserAuthenticationProvider
|
||||
throw new BadCredentialsException('The presented password cannot be empty.');
|
||||
}
|
||||
|
||||
if (!$this->encoderFactory->getEncoder($user)->isPasswordValid($user->getPassword(), $presentedPassword, $user->getSalt())) {
|
||||
if (null === $user->getPassword() || !$this->encoderFactory->getEncoder($user)->isPasswordValid($user->getPassword(), $presentedPassword, $user->getSalt())) {
|
||||
throw new BadCredentialsException('The presented password is invalid.');
|
||||
}
|
||||
}
|
||||
|
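Review bot: The new guard on the `if` line rejects a null stored hash before `isPasswordValid()` is ever called, so an account whose hash is null fails noticeably faster than one whose hash is run through a deliberately slow encoder; whether that response-time difference matters depends on what a null hash means in the application (disabled or externally authenticated accounts, presumably), but the intent deserves to be stated next to the check. The same pattern is added to UserPasswordValidator in this commit. A comment such as `// A null stored hash can never match; reject here rather than handing null to the encoder.` above the condition would capture it. The enclosing method (checkAuthentication, judging by the tests) begins outside the hunk.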
@ -42,6 +42,10 @@ class UserPasswordEncoder implements UserPasswordEncoderInterface
|
||||
*/
|
||||
public function isPasswordValid(UserInterface $user, $raw)
|
||||
{
|
||||
if (null === $user->getPassword()) {
|
||||
return false;
|
||||
}
|
||||
|
||||
$encoder = $this->encoderFactory->getEncoder($user);
|
||||
|
||||
return $encoder->isPasswordValid($user->getPassword(), $raw, $user->getSalt());
|
||||
|
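Review bot: The early `return false` added at the top of isPasswordValid() is undocumented, and the docblock it sits under is closed on the line above without, as far as the visible lines show, mentioning the null-hash case. A caller reading the docblock would not learn that a user with no stored password is always reported as invalid rather than producing an error from the encoder. Add `@return bool true when the raw password matches the stored hash, false otherwise (including when the user has no stored password)` to the docblock, or a one-line comment above the guard. The docblock itself starts outside the hunk.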
@ -15,6 +15,7 @@ use PHPUnit\Framework\TestCase;
|
||||
use Symfony\Component\Security\Core\Authentication\Provider\DaoAuthenticationProvider;
|
||||
use Symfony\Component\Security\Core\Encoder\PlaintextPasswordEncoder;
|
||||
use Symfony\Component\Security\Core\Exception\UsernameNotFoundException;
|
||||
use Symfony\Component\Security\Core\User\User;
|
||||
|
||||
class DaoAuthenticationProviderTest extends TestCase
|
||||
{
|
||||
@ -151,7 +152,7 @@ class DaoAuthenticationProviderTest extends TestCase
|
||||
|
||||
$method->invoke(
|
||||
$provider,
|
||||
$this->getMockBuilder('Symfony\\Component\\Security\\Core\\User\\UserInterface')->getMock(),
|
||||
new User('username', 'password'),
|
||||
$token
|
||||
);
|
||||
}
|
||||
@ -175,7 +176,7 @@ class DaoAuthenticationProviderTest extends TestCase
|
||||
->willReturn('foo')
|
||||
;
|
||||
|
||||
$method->invoke($provider, $this->getMockBuilder('Symfony\\Component\\Security\\Core\\User\\UserInterface')->getMock(), $token);
|
||||
$method->invoke($provider, new User('username', 'password'), $token);
|
||||
}
|
||||
|
||||
public function testCheckAuthenticationDoesNotReauthenticateWhenPasswordHasChanged()
|
||||
@ -247,7 +248,7 @@ class DaoAuthenticationProviderTest extends TestCase
|
||||
->willReturn('foo')
|
||||
;
|
||||
|
||||
$method->invoke($provider, $this->getMockBuilder('Symfony\\Component\\Security\\Core\\User\\UserInterface')->getMock(), $token);
|
||||
$method->invoke($provider, new User('username', 'password'), $token);
|
||||
}
|
||||
|
||||
protected function getSupportedToken()
|
||||
|
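Review bot: Replacing the UserInterface mocks with `new User('username', 'password')` at the three call sites removes the only inputs whose getPassword() returned null, so nothing in this test class exercises the null-hash branch the commit adds to the provider (an unconfigured PHPUnit mock returns null from getPassword(), which presumably is what broke before the fix). A dedicated test that invokes the method with a user whose getPassword() returns null and expects BadCredentialsException would pin the fixed behavior and keep the path from regressing to passing null into the encoder. The methods touched by the @ -175 and @ -247 hunks start outside their hunks.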
@ -53,7 +53,7 @@ class UserPasswordValidator extends ConstraintValidator
|
||||
|
||||
$encoder = $this->encoderFactory->getEncoder($user);
|
||||
|
||||
if (!$encoder->isPasswordValid($user->getPassword(), $password, $user->getSalt())) {
|
||||
if (null === $user->getPassword() || !$encoder->isPasswordValid($user->getPassword(), $password, $user->getSalt())) {
|
||||
$this->context->addViolation($constraint->message);
|
||||
}
|
||||
}
|
||||
|
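Review bot: The rewritten condition calls `$user->getPassword()` twice and has grown long enough to obscure that there are two distinct reasons a violation is added; binding the hash once reads better and keeps the null check visibly separate from the encoder call: `$encoded = $user->getPassword();` followed by `if (null === $encoded || !$encoder->isPasswordValid($encoded, $password, $user->getSalt())) {`. Note also that `$encoder` is still obtained from the factory before the null check, which is harmless but means the factory is consulted for a user that cannot be validated anyway. The enclosing method (presumably validate()) starts outside the hunk.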