bug #35497 Fail on empty password verification (without warning on an…

…y implementation) (Stefan Kruppa) This PR was submitted for the 4.3 branch but it was merged into the 4.4 branch instead (closes #35497). Discussion ---------- Fail on empty password verification (without warning on any implementation) | Q | A | ------------- | --- | Branch? | 4.4 | Bug fix? | sort of | New feature? | no | Deprecations? | no | Tickets | | License | MIT | Doc PR | When using the sodium extension, an empty $raw string will issue a warning during validation, but the standard `password_verify()` does not. This PR aims to provide identical behavior independent of the underlying implementation. Two assumptions were made (please doublecheck if they are correct): - Empty password is never valid. - Empty password is not that severe that anybody needs to be informed using a warning or exception. Commits ------- 4d920f0 Fail on empty password verification (without warning on any implementation)
symfony · Feb 3, 2020 · 72f9e98 · 72f9e98
2 parents ed7bb82 + 4d920f0
commit 72f9e98
Show file tree

Hide file tree

Showing 4 changed files with 8 additions and 0 deletions.
diff --git a/src/Symfony/Component/Security/Core/Encoder/NativePasswordEncoder.php b/src/Symfony/Component/Security/Core/Encoder/NativePasswordEncoder.php
@@ -76,6 +76,9 @@ public function encodePassword($raw, $salt): string
      */
     public function isPasswordValid($encoded, $raw, $salt): bool
     {
+        if ('' === $raw) {
+            return false;
+        }
         if (\strlen($raw) > self::MAX_PASSWORD_LENGTH) {
             return false;
         }

diff --git a/src/Symfony/Component/Security/Core/Encoder/SodiumPasswordEncoder.php b/src/Symfony/Component/Security/Core/Encoder/SodiumPasswordEncoder.php
@@ -76,6 +76,9 @@ public function encodePassword($raw, $salt): string
      */
     public function isPasswordValid($encoded, $raw, $salt): bool
     {
+        if ('' === $raw) {
+            return false;
+        }
         if (\strlen($raw) > self::MAX_PASSWORD_LENGTH) {
             return false;
         }

diff --git a/src/Symfony/Component/Security/Core/Tests/Encoder/NativePasswordEncoderTest.php b/src/Symfony/Component/Security/Core/Tests/Encoder/NativePasswordEncoderTest.php
@@ -53,6 +53,7 @@ public function testValidation()
         $result = $encoder->encodePassword('password', null);
         $this->assertTrue($encoder->isPasswordValid($result, 'password', null));
         $this->assertFalse($encoder->isPasswordValid($result, 'anotherPassword', null));
+        $this->assertFalse($encoder->isPasswordValid($result, '', null));
     }
 
     public function testNonArgonValidation()

diff --git a/src/Symfony/Component/Security/Core/Tests/Encoder/SodiumPasswordEncoderTest.php b/src/Symfony/Component/Security/Core/Tests/Encoder/SodiumPasswordEncoderTest.php
@@ -29,6 +29,7 @@ public function testValidation()
         $result = $encoder->encodePassword('password', null);
         $this->assertTrue($encoder->isPasswordValid($result, 'password', null));
         $this->assertFalse($encoder->isPasswordValid($result, 'anotherPassword', null));
+        $this->assertFalse($encoder->isPasswordValid($result, '', null));
     }
 
     public function testBCryptValidation()