From 4d920f04d0b2d9cd55fb1ff6201f4c67cc72337f Mon Sep 17 00:00:00 2001
From: Stefan Kruppa
Date: Tue, 28 Jan 2020 14:44:57 +0100
Subject: [PATCH] Fail on empty password verification (without warning on any implementation)
---
 .../Component/Security/Core/Encoder/NativePasswordEncoder.php | 3 +++
 .../Component/Security/Core/Encoder/SodiumPasswordEncoder.php | 3 +++
 .../Security/Core/Tests/Encoder/NativePasswordEncoderTest.php | 1 +
 .../Security/Core/Tests/Encoder/SodiumPasswordEncoderTest.php | 1 +
 4 files changed, 8 insertions(+)
diff --git a/src/Symfony/Component/Security/Core/Encoder/NativePasswordEncoder.php b/src/Symfony/Component/Security/Core/Encoder/NativePasswordEncoder.php
index 3b158a72f4dd..cbfe4c0a0803 100644
--- a/src/Symfony/Component/Security/Core/Encoder/NativePasswordEncoder.php
+++ b/src/Symfony/Component/Security/Core/Encoder/NativePasswordEncoder.php
@@ -76,6 +76,9 @@ public function encodePassword($raw, $salt): string
      */
     public function isPasswordValid($encoded, $raw, $salt): bool
     {
+        if ('' === $raw) {
+            return false;
+        }
         if (\strlen($raw) > self::MAX_PASSWORD_LENGTH) {
             return false;
         }
diff --git a/src/Symfony/Component/Security/Core/Encoder/SodiumPasswordEncoder.php b/src/Symfony/Component/Security/Core/Encoder/SodiumPasswordEncoder.php
index 39f41dd99057..5391361af37f 100644
--- a/src/Symfony/Component/Security/Core/Encoder/SodiumPasswordEncoder.php
+++ b/src/Symfony/Component/Security/Core/Encoder/SodiumPasswordEncoder.php
@@ -76,6 +76,9 @@ public function encodePassword($raw, $salt): string
      */
     public function isPasswordValid($encoded, $raw, $salt): bool
     {
+        if ('' === $raw) {
+            return false;
+        }
         if (\strlen($raw) > self::MAX_PASSWORD_LENGTH) {
             return false;
         }
diff --git a/src/Symfony/Component/Security/Core/Tests/Encoder/NativePasswordEncoderTest.php b/src/Symfony/Component/Security/Core/Tests/Encoder/NativePasswordEncoderTest.php
index 965bf3751c7e..47b8ac09eaa6 100644
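Review bot: The new guard `'' === $raw` in NativePasswordEncoder::isPasswordValid does not catch a `null` credential: `$raw` is untyped, `'' === null` is false, and `\strlen(null)` evaluates to 0 on PHP 7 (only a deprecation on 8.1+), so a null password still slips past both early returns to the backend verify call this change is meant to shield from degenerate input. Consider `if (null === $raw || '' === $raw) { return false; }` so both the empty and the missing credential take the same path. The guard also deserves a why-comment, because next to the length check it reads as redundant: `// An empty password can never match; short-circuit so the underlying verify call never sees it (some implementations warn on '').` Whether the backend actually warns on empty or null input is not visible here, and isPasswordValid's body continues past the end of the hunk.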
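Review bot: SodiumPasswordEncoder::isPasswordValid has the same gap as its Native sibling: `'' === $raw` rejects the empty string but not `null`, and since `\strlen(null)` is 0 on PHP 7 a null credential passes the length check too and reaches the sodium verify call. The one-line fix is `if (null === $raw || '' === $raw) {` in place of the added condition. This guard plus the length check are now duplicated verbatim across both encoders; a short comment explaining the early return (it is not redundant with the length check, it exists so the backend never receives an empty password) would help the next reader, and a shared constant or helper would stop the two copies drifting. isPasswordValid's body continues beyond this hunk, so what the sodium backend does with an empty or null string cannot be confirmed from here.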
--- a/src/Symfony/Component/Security/Core/Tests/Encoder/NativePasswordEncoderTest.php
+++ b/src/Symfony/Component/Security/Core/Tests/Encoder/NativePasswordEncoderTest.php
@@ -53,6 +53,7 @@ public function testValidation()
         $result = $encoder->encodePassword('password', null);
         $this->assertTrue($encoder->isPasswordValid($result, 'password', null));
         $this->assertFalse($encoder->isPasswordValid($result, 'anotherPassword', null));
+        $this->assertFalse($encoder->isPasswordValid($result, '', null));
     }
 
     public function testNonArgonValidation()
diff --git a/src/Symfony/Component/Security/Core/Tests/Encoder/SodiumPasswordEncoderTest.php b/src/Symfony/Component/Security/Core/Tests/Encoder/SodiumPasswordEncoderTest.php
index 8fa0813115e1..2c4527fef7cf 100644
--- a/src/Symfony/Component/Security/Core/Tests/Encoder/SodiumPasswordEncoderTest.php
+++ b/src/Symfony/Component/Security/Core/Tests/Encoder/SodiumPasswordEncoderTest.php
@@ -29,6 +29,7 @@ public function testValidation()
         $result = $encoder->encodePassword('password', null);
         $this->assertTrue($encoder->isPasswordValid($result, 'password', null));
         $this->assertFalse($encoder->isPasswordValid($result, 'anotherPassword', null));
+        $this->assertFalse($encoder->isPasswordValid($result, '', null));
     }
 
     public function testBCryptValidation()
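Review bot: The added assertion in NativePasswordEncoderTest::testValidation cannot tell the new early return apart from an ordinary mismatch: `$result` is a hash of `'password'`, so `isPasswordValid($result, '', null)` was already false before this commit unless the backend emitted a warning. The behaviour the guard really changes is that an empty password must no longer verify even against a hash of the empty string; pin that with `$this->assertFalse($encoder->isPasswordValid($encoder->encodePassword('', null), '', null));`, assuming encodePassword accepts `''` (its body is not in this diff; if it throws, assert on that instead). A `null` credential case is also worth adding, since `'' === $raw` does not match null. testValidation starts before this hunk.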
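Review bot: SodiumPasswordEncoderTest::testValidation has the same weakness as the Native test: verifying `''` against a hash of `'password'` was false before the change, so this assertion would pass on the old code and does not prove the guard is exercised. The regression worth locking in is `''` against its own hash, e.g. `$hash = $encoder->encodePassword('', null);` followed by `$this->assertFalse($encoder->isPasswordValid($hash, '', null));`, provided encodePassword does not reject an empty string (that method is outside this diff). Consider a null-credential case as well, because the new `'' === $raw` check is strict and does not cover null. The enclosing testValidation begins before the hunk.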