[Ldap] cast to string when checking empty passwords #26589
Conversation
ismail1432 commented Mar 18, 2018
| Q | A |
| --- | --- |
| Branch? | master for features / 2.7 up to 4.0 for bug fixes |
| Bug fix? | yes |
| New feature? | no |
| BC breaks? | no |
| Deprecations? | no |
| Tests pass? | yes |
| Fixed tickets | #26525 |
| License | MIT |
| Doc PR | symfony/symfony-docs#... |
@@ -84,7 +84,7 @@ protected function checkAuthentication(UserInterface $user, UsernamePasswordToke | |||
$username = $token->getUsername(); | |||
$password = $token->getCredentials(); | |||
|
|||
if ('' === $password) { | |||
if (empty($password)) { |
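Review bot: the added line `if (empty($password)) {` treats the string `'0'` as empty, so a user whose password is literally "0" would be rejected as if no credentials had been supplied; `if ('' === (string) $password) {` keeps the null and empty-string cases covered without that false positive.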
We try to avoid using `empty` in Symfony. Here, a password like `0` would return `true` with `empty`, which is not what we want here.
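An added illustration, not code from the PR or from Symfony, of the difference described in the comment above: both checks are run over the credential values a bind provider can receive. The check exists because an LDAP simple bind with an empty password is an unauthenticated bind, so the provider must refuse it before binding, but it must not also refuse a genuine password such as `0`. The function names and the sample values are my own.

```php
<?php
// Added example (not Symfony code): the rejected empty() check beside the
// merged '' === (string) check. Function names are hypothetical.

/** First version of the PR: empty() is also true for "0", 0, 0.0, false and []. */
function rejectsWithEmpty($password): bool
{
    return empty($password);
}

/** Variant merged into 2.8: only null and "" become the empty string. */
function rejectsWithStringCast($password): bool
{
    return '' === (string) $password;
}

/**
 * Runs both checks over a list of credential values and reports, per value,
 * whether each variant would reject the login and whether the two disagree.
 */
function compareChecks(array $samples): array
{
    $rows = [];
    foreach ($samples as $password) {
        $byEmpty = rejectsWithEmpty($password);
        $byCast  = rejectsWithStringCast($password);
        $rows[var_export($password, true)] = [
            'empty'    => $byEmpty,
            'cast'     => $byCast,
            'disagree' => $byEmpty !== $byCast,
        ];
    }
    return $rows;
}

// Constructed inputs: values getCredentials() may hold for a form login.
$samples = [null, '', '0', 0, ' ', 'secret'];

foreach (compareChecks($samples) as $value => $row) {
    printf(
        "%-8s rejected by empty(): %-3s by cast: %-3s %s\n",
        $value,
        $row['empty'] ? 'yes' : 'no',
        $row['cast'] ? 'yes' : 'no',
        $row['disagree'] ? '<- usable password lost with empty()' : ''
    );
}
```

Only the `'0'` and `0` rows differ: both variants reject `null` and `''`, and neither touches a non-empty password.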
Thanks for the feedback. What about using the NotBlankValidator condition `if (empty($value) && '0' != $value)`?
I'd suggest writing this as `if ('' === (string) $password) {`
Thanks @nicolas-grekas, I applied your code in the PR. Hope it's good.
(to be merged on 2.8)
I updated the source code following your advice and applied Nicolas' code.
(for 2.8)
@ismail1432 would you mind adding a test case please?

@nicolas-grekas sorry for answering only now, is this test not enough? To be honest I don't have enough experience in Security and Tests to go further... Sorry.

I mean a test case, something in https://github.com/symfony/symfony/blob/master/src/Symfony/Component/Security/Core/Tests/Authentication/Provider/LdapBindAuthenticationProviderTest.php

Thanks for the feedback, I added a test with

Thank you @ismail1432.
…l1432) This PR was submitted for the master branch but it was squashed and merged into the 2.8 branch instead (closes #26589).

Discussion
----------

[Ldap] cast to string when checking empty passwords

| Q | A |
| ------------- | --- |
| Branch? | master for features / 2.7 up to 4.0 for bug fixes |
| Bug fix? | yes |
| New feature? | no |
| BC breaks? | no |
| Deprecations? | no |
| Tests pass? | yes |
| Fixed tickets | #26525 |
| License | MIT |
| Doc PR | symfony/symfony-docs#... |

Quick fix condition that solved the issue.

Commits
-------

f276989 [Ldap] cast to string when checking empty passwords