bug #34779 [Security] do not validate passwords when the hash is null (xabbuh)

Robin Chalas · Robin Chalas · commit cb429cd7624e · 2019-12-03T21:49:28.000+01:00
This PR was merged into the 3.4 branch. Discussion ---------- [Security] do not validate passwords when the hash is null | Q | A | ------------- | --- | Branch? | 3.4 | Bug fix? | yes | New feature? | no | Deprecations? | no | Tickets | Fix #34775 | License | MIT | Doc PR | Commits ------- 5699cb2 do not validate passwords when the hash is null
diff --git a/src/Symfony/Component/Security/Core/Authentication/Provider/DaoAuthenticationProvider.php b/src/Symfony/Component/Security/Core/Authentication/Provider/DaoAuthenticationProvider.php
@@ -61,7 +61,7 @@ protected function checkAuthentication(UserInterface $user, UsernamePasswordToke
                 throw new BadCredentialsException('The presented password cannot be empty.');
             }
 
-            if (!$this->encoderFactory->getEncoder($user)->isPasswordValid($user->getPassword(), $presentedPassword, $user->getSalt())) {
+            if (null === $user->getPassword() || !$this->encoderFactory->getEncoder($user)->isPasswordValid($user->getPassword(), $presentedPassword, $user->getSalt())) {
                 throw new BadCredentialsException('The presented password is invalid.');
             }
         }
diff --git a/src/Symfony/Component/Security/Core/Encoder/UserPasswordEncoder.php b/src/Symfony/Component/Security/Core/Encoder/UserPasswordEncoder.php
@@ -42,6 +42,10 @@ public function encodePassword(UserInterface $user, $plainPassword)
      */
     public function isPasswordValid(UserInterface $user, $raw)
     {
+        if (null === $user->getPassword()) {
+            return false;
+        }
+
         $encoder = $this->encoderFactory->getEncoder($user);
 
         return $encoder->isPasswordValid($user->getPassword(), $raw, $user->getSalt());
diff --git a/src/Symfony/Component/Security/Core/Tests/Authentication/Provider/DaoAuthenticationProviderTest.php b/src/Symfony/Component/Security/Core/Tests/Authentication/Provider/DaoAuthenticationProviderTest.php
@@ -15,6 +15,7 @@
 use Symfony\Component\Security\Core\Authentication\Provider\DaoAuthenticationProvider;
 use Symfony\Component\Security\Core\Encoder\PlaintextPasswordEncoder;
 use Symfony\Component\Security\Core\Exception\UsernameNotFoundException;
+use Symfony\Component\Security\Core\User\User;
 
 class DaoAuthenticationProviderTest extends TestCase
 {
@@ -151,7 +152,7 @@ public function testCheckAuthenticationWhenCredentialsAre0()
 
         $method->invoke(
             $provider,
-            $this->getMockBuilder('Symfony\\Component\\Security\\Core\\User\\UserInterface')->getMock(),
+            new User('username', 'password'),
             $token
         );
     }
@@ -175,7 +176,7 @@ public function testCheckAuthenticationWhenCredentialsAreNotValid()
               ->willReturn('foo')
         ;
 
-        $method->invoke($provider, $this->getMockBuilder('Symfony\\Component\\Security\\Core\\User\\UserInterface')->getMock(), $token);
+        $method->invoke($provider, new User('username', 'password'), $token);
     }
 
     public function testCheckAuthenticationDoesNotReauthenticateWhenPasswordHasChanged()
@@ -247,7 +248,7 @@ public function testCheckAuthentication()
               ->willReturn('foo')
         ;
 
-        $method->invoke($provider, $this->getMockBuilder('Symfony\\Component\\Security\\Core\\User\\UserInterface')->getMock(), $token);
+        $method->invoke($provider, new User('username', 'password'), $token);
     }
 
     protected function getSupportedToken()
diff --git a/src/Symfony/Component/Security/Core/Validator/Constraints/UserPasswordValidator.php b/src/Symfony/Component/Security/Core/Validator/Constraints/UserPasswordValidator.php
@@ -53,7 +53,7 @@ public function validate($password, Constraint $constraint)
 
         $encoder = $this->encoderFactory->getEncoder($user);
 
-        if (!$encoder->isPasswordValid($user->getPassword(), $password, $user->getSalt())) {
+        if (null === $user->getPassword() || !$encoder->isPasswordValid($user->getPassword(), $password, $user->getSalt())) {
             $this->context->addViolation($constraint->message);
         }
     }

Original file line number	Diff line number	Diff line change
`@@ -61,7 +61,7 @@ protected function checkAuthentication(UserInterface $user, UsernamePasswordToke`
`61`	`61`	`throw new BadCredentialsException('The presented password cannot be empty.');`
`62`	`62`	`}`
`63`	`63`
`64`		`- if (!$this->encoderFactory->getEncoder($user)->isPasswordValid($user->getPassword(), $presentedPassword, $user->getSalt())) {`
	`64`	`+ if (null === $user->getPassword() \|\| !$this->encoderFactory->getEncoder($user)->isPasswordValid($user->getPassword(), $presentedPassword, $user->getSalt())) {`
`65`	`65`	`throw new BadCredentialsException('The presented password is invalid.');`
`66`	`66`	`}`
`67`	`67`	`}`
Original file line number	Diff line number	Diff line change
`@@ -15,6 +15,7 @@`
`15`	`15`	`use Symfony\Component\Security\Core\Authentication\Provider\DaoAuthenticationProvider;`
`16`	`16`	`use Symfony\Component\Security\Core\Encoder\PlaintextPasswordEncoder;`
`17`	`17`	`use Symfony\Component\Security\Core\Exception\UsernameNotFoundException;`
	`18`	`+use Symfony\Component\Security\Core\User\User;`
`18`	`19`
`19`	`20`	`class DaoAuthenticationProviderTest extends TestCase`
`20`	`21`	`{`
`@@ -151,7 +152,7 @@ public function testCheckAuthenticationWhenCredentialsAre0()`
`151`	`152`
`152`	`153`	`$method->invoke(`
`153`	`154`	`$provider,`
`154`		`- $this->getMockBuilder('Symfony\\Component\\Security\\Core\\User\\UserInterface')->getMock(),`
	`155`	`+ new User('username', 'password'),`
`155`	`156`	`$token`
`156`	`157`	`);`
`157`	`158`	`}`
`@@ -175,7 +176,7 @@ public function testCheckAuthenticationWhenCredentialsAreNotValid()`
`175`	`176`	`->willReturn('foo')`
`176`	`177`	`;`
`177`	`178`
`178`		`- $method->invoke($provider, $this->getMockBuilder('Symfony\\Component\\Security\\Core\\User\\UserInterface')->getMock(), $token);`
	`179`	`+ $method->invoke($provider, new User('username', 'password'), $token);`
`179`	`180`	`}`
`180`	`181`
`181`	`182`	`public function testCheckAuthenticationDoesNotReauthenticateWhenPasswordHasChanged()`
`@@ -247,7 +248,7 @@ public function testCheckAuthentication()`
`247`	`248`	`->willReturn('foo')`
`248`	`249`	`;`
`249`	`250`
`250`		`- $method->invoke($provider, $this->getMockBuilder('Symfony\\Component\\Security\\Core\\User\\UserInterface')->getMock(), $token);`
	`251`	`+ $method->invoke($provider, new User('username', 'password'), $token);`
`251`	`252`	`}`
`252`	`253`
`253`	`254`	`protected function getSupportedToken()`
Original file line number	Diff line number	Diff line change
`@@ -53,7 +53,7 @@ public function validate($password, Constraint $constraint)`
`53`	`53`
`54`	`54`	`$encoder = $this->encoderFactory->getEncoder($user);`
`55`	`55`
`56`		`- if (!$encoder->isPasswordValid($user->getPassword(), $password, $user->getSalt())) {`
	`56`	`+ if (null === $user->getPassword() \|\| !$encoder->isPasswordValid($user->getPassword(), $password, $user->getSalt())) {`
`57`	`57`	`$this->context->addViolation($constraint->message);`
`58`	`58`	`}`
`59`	`59`	`}`