8000 [Security] PasswordMigratingListener fails if UserInterface::getPassword returns null · Issue #41005 · symfony/symfony · GitHub

Closed
tjveldhuizen opened this issue Apr 30, 2021 · 1 comment

Comments

@tjveldhuizen
Contributor

Symfony version(s) affected: 5.2.x

Description
UserInterface::getPassword() is allowed to return a null value. When it does, PasswordMigratingListener::onLoginSuccess fails when calling PasswordEncoderInterface::needsRehash, because that method does not allow null input:

Argument 1 passed to Symfony\Component\Security\Core\Encoder\MigratingPasswordEncoder::needsRehash() must be of the type string, null given, called in (...)/vendor/symfony/security-http/EventListener/PasswordMigratingListener.php on line 54

How to reproduce
Maybe trivial: create a standard authentication setup using a custom User class, which returns null in the getPassword() method. When logging in, the mentioned exception occurs.
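The failure mode described above, as an added example that is not Symfony's code: a minimal stand-in for the listener/encoder pair built on PHP's native password_* functions, showing the unguarded call next to the guarded one. NullablePasswordUser, LegacyAwareHasher and MigrationListener are hypothetical names.

```php
<?php
// Added example, not Symfony's code: a stand-in for the listener/encoder
// pair from the issue, built on PHP's native password_* functions.
// NullablePasswordUser, LegacyAwareHasher and MigrationListener are hypothetical.
interface NullablePasswordUser
{
    // Mirrors UserInterface::getPassword(), which may return null.
    public function getPassword(): ?string;
}

final class LegacyAwareHasher
{
    // Non-nullable string parameter, as in MigratingPasswordEncoder::needsRehash(): null throws a TypeError.
    public function needsRehash(string $encoded): bool
    {
        return password_needs_rehash($encoded, PASSWORD_BCRYPT, ['cost' => 12]);
    }
}

final class MigrationListener
{
    public function __construct(private LegacyAwareHasher $hasher) {}

    // Buggy form: forwards getPassword() unconditionally.
    public function onLoginSuccessBuggy(NullablePasswordUser $user): bool
    {
        return $this->hasher->needsRehash($user->getPassword());
    }

    // Fixed form: a passwordless user has nothing to migrate, so skip the rehash.
    public function onLoginSuccessFixed(NullablePasswordUser $user): bool
    {
        $password = $user->getPassword();
        if (null === $password) {
            return false;
        }
        return $this->hasher->needsRehash($password);
    }
}

// Constructed passwordless user, the case reported in the issue.
$passwordless = new class implements NullablePasswordUser {
    public function getPassword(): ?string { return null; }
};
$listener = new MigrationListener(new LegacyAwareHasher());
try {
    $listener->onLoginSuccessBuggy($passwordless);
} catch (TypeError $e) {
    echo 'buggy listener: ', $e->getMessage(), PHP_EOL;
}
var_dump($listener->onLoginSuccessFixed($passwordless));
```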

@nicolas-grekas
Member

Would you mind sending a PR to fix this please?

@fabpot fabpot closed this as completed May 1, 2021
fabpot added a commit that referenced this issue May 1, 2021
This PR was merged into the 5.2 branch.

Discussion
----------

[Security] Do not try to rehash null-passwords

| Q             | A
| ------------- | ---
| Branch?       | 5.2
| Bug fix?      | yes
| New feature?  | no
| Deprecations? | no
| Tickets       | Fix #41005
| License       | MIT
| Doc PR        | -

Make sure no exception occurs when a passwordless user logs in.

Commits
-------

a2a944e [Security] Do not try to rehash null-passwords