bug #41008 [Security] Do not try to rehash null-passwords (tjveldhuizen)

fabpot · fabpot · commit 56b664edf6c7 · 2021-05-01T07:29:52.000+02:00
This PR was merged into the 5.2 branch. Discussion ---------- [Security] Do not try to rehash null-passwords | Q | A | ------------- | --- | Branch? | 5.2 | Bug fix? | yes | New feature? | no | Deprecations? | no | Tickets | Fix #41005 | License | MIT | Doc PR | - Make sure no exception occurs when a passwordless user logs in. Commits ------- a2a944e [Security] Do not try to rehash null-passwords
diff --git a/src/Symfony/Component/Security/Http/EventListener/PasswordMigratingListener.php b/src/Symfony/Component/Security/Http/EventListener/PasswordMigratingListener.php
@@ -50,6 +50,10 @@ public function onLoginSuccess(LoginSuccessEvent $event): void
         }
 
         $user = $passport->getUser();
+        if (null === $user->getPassword()) {
+            return;
+        }
+
         $passwordEncoder = $this->encoderFactory->getEncoder($user);
         if (!$passwordEncoder->needsRehash($user->getPassword())) {
             return;
diff --git a/src/Symfony/Component/Security/Http/Tests/EventListener/PasswordMigratingListenerTest.php b/src/Symfony/Component/Security/Http/Tests/EventListener/PasswordMigratingListenerTest.php
@@ -108,6 +108,16 @@ public function testUpgradeWithoutUpgrader()
         $this->listener->onLoginSuccess($event);
     }
 
+    public function testUserWithoutPassword()
+    {
+        $this->user = new User('test', null);
+
+        $this->encoderFactory->expects($this->never())->method('getEncoder');
+
+        $event = $this->createEvent(new SelfValidatingPassport(new UserBadge('test', function () { return $this->user; }), [new PasswordUpgradeBadge('pa$$word')]));
+        $this->listener->onLoginSuccess($event);
+    }
+
     private function createPasswordUpgrader()
     {
         return $this->createMock(MigratingUserProvider::class);
