[Security] validate empty passwords again #23507
Conversation
|
But this can cause a warning in sf2.8+ and break your app if you provide an empty string. If this needs to work as previously, why not simply change this to: if (null === $password || '' === $password) {
// add violation that the password cannot be empty
return;
}That way there is no exception and no security issue. |
WAT 😐 this means that when you provide an empty string it's considered valid, which is not the case at all. When you use this constraint you want to check if the provided password matches the current one. Leaving this empty means the user is bypassing security! If you want to make this optional use validation-groups. |
|
@sstok I am not sure we both understand each other, but my proposition is to automatically put a constraint violation if the password is empty. In newer implementations of the password checker, a EDIT To clarify - initially the PR simply removed the |
|
Thank you @xabbuh. |
This PR was merged into the 2.7 branch. Discussion ---------- [Security] validate empty passwords again | Q | A | ------------- | --- | Branch? | 2.7 | Bug fix? | yes | New feature? | no | BC breaks? | no | Deprecations? | no | Tests pass? | yes | Fixed tickets | #23341 (comment) | License | MIT | Doc PR | It looks like this part of #23341 causes serious security issues for some users who rely on the validator to also compare the empty string with their user's password (see for example #23341 (comment)). Th 8000 us I suggest to revert this part of #23341. Commits ------- 878198c [Security] validate empty passwords again
|
In theory, wasn't an empty password |
|
@Tobion I agree this is a BC break, but for security reasons this is more logical. |
It looks like this part of #23341 causes serious security issues for some users who rely on the validator to also compare the empty string with their user's password (see for example #23341 (comment)). Thus I suggest to revert this part of #23341.