do not validate passwords when the hash is null

xabbuh · xabbuh · commit c617e3370ae3 · 2019-12-03T16:46:24.000+01:00
diff --git a/src/Symfony/Component/Security/Core/Authentication/Provider/DaoAuthenticationProvider.php b/src/Symfony/Component/Security/Core/Authentication/Provider/DaoAuthenticationProvider.php
@@ -61,7 +61,7 @@ protected function checkAuthentication(UserInterface $user, UsernamePasswordToke
                 throw new BadCredentialsException('The presented password cannot be empty.');
             }
 
-            if (!$this->encoderFactory->getEncoder($user)->isPasswordValid($user->getPassword(), $presentedPassword, $user->getSalt())) {
+            if (null === $user->getPassword() || !$this->encoderFactory->getEncoder($user)->isPasswordValid($user->getPassword(), $presentedPassword, $user->getSalt())) {
                 throw new BadCredentialsException('The presented password is invalid.');
             }
         }
diff --git a/src/Symfony/Component/Security/Core/Encoder/UserPasswordEncoder.php b/src/Symfony/Component/Security/Core/Encoder/UserPasswordEncoder.php
@@ -42,6 +42,10 @@ public function encodePassword(UserInterface $user, $plainPassword)
      */
     public function isPasswordValid(UserInterface $user, $raw)
     {
+        if (null === $user->getPassword()) {
+            return false;
+        }
+
         $encoder = $this->encoderFactory->getEncoder($user);
 
         return $encoder->isPasswordValid($user->getPassword(), $raw, $user->getSalt());
diff --git a/src/Symfony/Component/Security/Core/Validator/Constraints/UserPasswordValidator.php b/src/Symfony/Component/Security/Core/Validator/Constraints/UserPasswordValidator.php
@@ -53,7 +53,7 @@ public function validate($password, Constraint $constraint)
 
         $encoder = $this->encoderFactory->getEncoder($user);
 
-        if (!$encoder->isPasswordValid($user->getPassword(), $password, $user->getSalt())) {
+        if (null === $user->getPassword() || !$encoder->isPasswordValid($user->getPassword(), $password, $user->getSalt())) {
             $this->context->addViolation($constraint->message);
         }
     }

Original file line number	Diff line number	Diff line change
`@@ -61,7 +61,7 @@ protected function checkAuthentication(UserInterface $user, UsernamePasswordToke`
`61`	`61`	`throw new BadCredentialsException('The presented password cannot be empty.');`
`62`	`62`	`}`
`63`	`63`
`64`		`- if (!$this->encoderFactory->getEncoder($user)->isPasswordValid($user->getPassword(), $presentedPassword, $user->getSalt())) {`
	`64`	`+ if (null === $user->getPassword() \|\| !$this->encoderFactory->getEncoder($user)->isPasswordValid($user->getPassword(), $presentedPassword, $user->getSalt())) {`
`65`	`65`	`throw new BadCredentialsException('The presented password is invalid.');`
`66`	`66`	`}`
`67`	`67`	`}`
Original file line number	Diff line number	Diff line change
`@@ -53,7 +53,7 @@ public function validate($password, Constraint $constraint)`
`53`	`53`
`54`	`54`	`$encoder = $this->encoderFactory->getEncoder($user);`
`55`	`55`
`56`		`- if (!$encoder->isPasswordValid($user->getPassword(), $password, $user->getSalt())) {`
	`56`	`+ if (null === $user->getPassword() \|\| !$encoder->isPasswordValid($user->getPassword(), $password, $user->getSalt())) {`
`57`	`57`	`$this->context->addViolation($constraint->message);`
`58`	`58`	`}`
`59`	`59`	`}`