8000 bug #35497 Fail on empty password verification (without warning on an… · symfony/symfony@72f9e98 · GitHub

Commit 72f9e98

bug #35497 Fail on empty password verification (without warning on any implementation) (Stefan Kruppa)
This PR was submitted for the 4.3 branch but it was merged into the 4.4 branch instead (closes #35497).

Discussion
----------

Fail on empty password verification (without warning on any implementation)

| Q             | A       |
| ------------- | ------- |
| Branch?       | 4.4     |
| Bug fix?      | sort of |
| New feature?  | no      |
| Deprecations? | no      |
| Tickets       |         |
| License       | MIT     |
| Doc PR        |         |

When using the sodium extension, an empty $raw string will issue a warning during validation, but the standard `password_verify()` does not. This PR aims to provide identical behavior independent of the underlying implementation. Two assumptions were made (please double-check if they are correct):

- Empty password is never valid.
- Empty password is not that severe that anybody needs to be informed using a warning or exception.

Commits
-------

4d920f0 Fail on empty password verification (without warning on any implementation)
2 parents ed7bb82 + 4d920f0 commit 72f9e98


4 files changed

+8
-0
lines changed


src/Symfony/Component/Security/Core/Encoder/NativePasswordEncoder.php

Lines changed: 3 additions & 0 deletions
Original file line number | Diff line number | Diff line change
@@ -76,6 +76,9 @@ public function encodePassword($raw, $salt): string
7676
*/
7777
public function isPasswordValid($encoded, $raw, $salt): bool
7878
{
79+
if ('' === $raw) {
80+
return false;
81+
}
7982
if (\strlen($raw) > self::MAX_PASSWORD_LENGTH) {
8083
return false;
8184
}
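Review bot: the new `if ('' === $raw) { return false; }` guard only covers verification; the hunk header shows `encodePassword($raw, $salt)` directly above it, and that side still accepts an empty `$raw`, so a hash of the empty string can be produced and stored but never verified. Either reject the empty string in `encodePassword()` as well, or document the asymmetry in the `isPasswordValid()` docblock that ends at the `*/` on the first context line, since nothing there currently states that an empty password is always rejected.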

src/Symfony/Component/Security/Core/Encoder/SodiumPasswordEncoder.php

Lines changed: 3 additions & 0 deletions
Original file line number | Diff line number | Diff line change
@@ -76,6 +76,9 @@ public function encodePassword($raw, $salt): string
7676
*/
7777
public function isPasswordValid($encoded, $raw, $salt): bool
7878
{
79+
if ('' === $raw) {
80+
return false;
81+
}
7982
if (\strlen($raw) > self::MAX_PASSWORD_LENGTH) {
8083
return false;
8184
}
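Review bot: placing the empty-string check before the `\strlen()` length check and before any sodium call is what actually suppresses the warning the PR description mentions, so the ordering here must not be changed later; worth a one-line comment on the `if ('' === $raw)` line saying why it sits first. The early `return false` does make an empty-password attempt return faster than a non-empty one, but that difference depends only on the caller-supplied `$raw`, not on `$encoded`, so it reveals nothing about the stored hash.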

src/Symfony/Component/Security/Core/Tests/Encoder/NativePasswordEncoderTest.php

Lines changed: 1 addition & 0 deletions
Original file line number | Diff line number | Diff line change
@@ -53,6 +53,7 @@ public function testValidation()
5353
$result = $encoder->encodePassword('password', null);
5454
$this->assertTrue($encoder->isPasswordValid($result, 'password', null));
5555
$this->assertFalse($encoder->isPasswordValid($result, 'anotherPassword', null));
56+
$this->assertFalse($encoder->isPasswordValid($result, '', null));
5657
}
5758

5859
public function testNonArgonValidation()
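Review bot: the added `$this->assertFalse($encoder->isPasswordValid($result, '', null));` only exercises an empty `$raw` against a hash of `'password'`. The description's first assumption is that an empty password is never valid, so consider a second assertion where `$result` was produced by `$encoder->encodePassword('', null)`, which pins down that even a stored hash of the empty string does not verify.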

src/Symfony/Component/Security/Core/Tests/Encoder/SodiumPasswordEncoderTest.php

Lines changed: 1 addition & 0 deletions
Original file line number | Diff line number | Diff line change
@@ -29,6 +29,7 @@ public function testValidation()
2929
$result = $encoder->encodePassword('password', null);
3030
$this->assertTrue($encoder->isPasswordValid($result, 'password', null));
3131
$this->assertFalse($encoder->isPasswordValid($result, 'anotherPassword', null));
32+
$this->assertFalse($encoder->isPasswordValid($result, '', null));
3233
}
3334

3435
public function testBCryptValidation()
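Review bot: the "without warning" half of the fix is tested only implicitly by the new `assertFalse` line: PHPUnit converts PHP warnings into exceptions by default, so the test would fail if the sodium path still emitted one. That is fine, but a short comment on the added assertion saying it also guards against the sodium warning would make the intent survive a future change to PHPUnit's warning handling.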
