do not validate passwords when the hash is null

xabbuh · xabbuh · commit b0172e08deb0 · 2019-12-03T19:04:48.000+01:00
diff --git a/src/Symfony/Component/Security/Core/Authentication/Provider/DaoAuthenticationProvider.php b/src/Symfony/Component/Security/Core/Authentication/Provider/DaoAuthenticationProvider.php
@@ -61,7 +61,7 @@ protected function checkAuthentication(UserInterface $user, UsernamePasswordToke
                 throw new BadCredentialsException('The presented password cannot be empty.');
             }
 
-            if (!$this->encoderFactory->getEncoder($user)->isPasswordValid($user->getPassword(), $presentedPassword, $user->getSalt())) {
+            if (null === $user->getPassword() || !$this->encoderFactory->getEncoder($user)->isPasswordValid($user->getPassword(), $presentedPassword, $user->getSalt())) {
                 throw new BadCredentialsException('The presented password is invalid.');
             }
         }
diff --git a/src/Symfony/Component/Security/Core/Encoder/UserPasswordEncoder.php b/src/Symfony/Component/Security/Core/Encoder/UserPasswordEncoder.php
@@ -42,6 +42,10 @@ public function encodePassword(UserInterface $user, $plainPassword)
      */
     public function isPasswordValid(UserInterface $user, $raw)
     {
+        if (null === $user->getPassword()) {
+            return false;
+        }
+
         $encoder = $this->encoderFactory->getEncoder($user);
 
         return $encoder->isPasswordValid($user->getPassword(), $raw, $user->getSalt());
diff --git a/src/Symfony/Component/Security/Core/Tests/Authentication/Provider/DaoAuthenticationProviderTest.php b/src/Symfony/Component/Security/Core/Tests/Authentication/Provider/DaoAuthenticationProviderTest.php
@@ -13,8 +13,11 @@
 
 use PHPUnit\Framework\TestCase;
 use Symfony\Component\Security\Core\Authentication\Provider\DaoAuthenticationProvider;
+use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken;
 use Symfony\Component\Security\Core\Encoder\PlaintextPasswordEncoder;
 use Symfony\Component\Security\Core\Exception\UsernameNotFoundException;
+use Symfony\Component\Security\Core\User\User;
+use Symfony\Component\Security\Core\User\UserInterface;
 
 class DaoAuthenticationProviderTest extends TestCase
 {
@@ -151,7 +154,7 @@ public function testCheckAuthenticationWhenCredentialsAre0()
 
         $method->invoke(
             $provider,
-            $this->getMockBuilder('Symfony\\Component\\Security\\Core\\User\\UserInterface')->getMock(),
+            new User('username', 'password'),
             $token
         );
     }
@@ -175,7 +178,7 @@ public function testCheckAuthenticationWhenCredentialsAreNotValid()
               ->willReturn('foo')
         ;
 
-        $method->invoke($provider, $this->getMockBuilder('Symfony\\Component\\Security\\Core\\User\\UserInterface')->getMock(), $token);
+        $method->invoke($provider, new User('username', 'password'), $token);
     }
 
     public function testCheckAuthenticationDoesNotReauthenticateWhenPasswordHasChanged()
@@ -247,7 +250,7 @@ public function testCheckAuthentication()
               ->willReturn('foo')
         ;
 
-        $method->invoke($provider, $this->getMockBuilder('Symfony\\Component\\Security\\Core\\User\\UserInterface')->getMock(), $token);
+        $method->invoke($provider, new User('username', 'password'), $token);
     }
 
     protected function getSupportedToken()
diff --git a/src/Symfony/Component/Security/Core/Validator/Constraints/UserPasswordValidator.php b/src/Symfony/Component/Security/Core/Validator/Constraints/UserPasswordValidator.php
@@ -53,7 +53,7 @@ public function validate($password, Constraint $constraint)
 
         $encoder = $this->encoderFactory->getEncoder($user);
 
-        if (!$encoder->isPasswordValid($user->getPassword(), $password, $user->getSalt())) {
+        if (null === $user->getPassword() || !$encoder->isPasswordValid($user->getPassword(), $password, $user->getSalt())) {
             $this->context->addViolation($constraint->message);
         }
     }

Original file line number	Diff line number	Diff line change
`@@ -61,7 +61,7 @@ protected function checkAuthentication(UserInterface $user, UsernamePasswordToke`
`61`	`61`	`throw new BadCredentialsException('The presented password cannot be empty.');`
`62`	`62`	`}`
`63`	`63`
`64`		`- if (!$this->encoderFactory->getEncoder($user)->isPasswordValid($user->getPassword(), $presentedPassword, $user->getSalt())) {`
	`64`	`+ if (null === $user->getPassword() \|\| !$this->encoderFactory->getEncoder($user)->isPasswordValid($user->getPassword(), $presentedPassword, $user->getSalt())) {`
`65`	`65`	`throw new BadCredentialsException('The presented password is invalid.');`
`66`	`66`	`}`
`67`	`67`	`}`
Original file line number	Diff line number	Diff line change
`@@ -13,8 +13,11 @@`
`13`	`13`
`14`	`14`	`use PHPUnit\Framework\TestCase;`
`15`	`15`	`use Symfony\Component\Security\Core\Authentication\Provider\DaoAuthenticationProvider;`
	`16`	`+use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken;`
`16`	`17`	`use Symfony\Component\Security\Core\Encoder\PlaintextPasswordEncoder;`
`17`	`18`	`use Symfony\Component\Security\Core\Exception\UsernameNotFoundException;`
	`19`	`+use Symfony\Component\Security\Core\User\User;`
	`20`	`+use Symfony\Component\Security\Core\User\UserInterface;`
`18`	`21`
`19`	`22`	`class DaoAuthenticationProviderTest extends TestCase`
`20`	`23`	`{`
`@@ -151,7 +154,7 @@ public function testCheckAuthenticationWhenCredentialsAre0()`
`151`	`154`
`152`	`155`	`$method->invoke(`
`153`	`156`	`$provider,`
`154`		`- $this->getMockBuilder('Symfony\\Component\\Security\\Core\\User\\UserInterface')->getMock(),`
	`157`	`+ new User('username', 'password'),`
`155`	`158`	`$token`
`156`	`159`	`);`
`157`	`160`	`}`
`@@ -175,7 +178,7 @@ public function testCheckAuthenticationWhenCredentialsAreNotValid()`
`175`	`178`	`->willReturn('foo')`
`176`	`179`	`;`
`177`	`180`
`178`		`- $method->invoke($provider, $this->getMockBuilder('Symfony\\Component\\Security\\Core\\User\\UserInterface')->getMock(), $token);`
	`181`	`+ $method->invoke($provider, new User('username', 'password'), $token);`
`179`	`182`	`}`
`180`	`183`
`181`	`184`	`public function testCheckAuthenticationDoesNotReauthenticateWhenPasswordHasChanged()`
`@@ -247,7 +250,7 @@ public function testCheckAuthentication()`
`247`	`250`	`->willReturn('foo')`
`248`	`251`	`;`
`249`	`252`
`250`		`- $method->invoke($provider, $this->getMockBuilder('Symfony\\Component\\Security\\Core\\User\\UserInterface')->getMock(), $token);`
	`253`	`+ $method->invoke($provider, new User('username', 'password'), $token);`
`251`	`254`	`}`
`252`	`255`
`253`	`256`	`protected function getSupportedToken()`
Original file line number	Diff line number	Diff line change
`@@ -53,7 +53,7 @@ public function validate($password, Constraint $constraint)`
`53`	`53`
`54`	`54`	`$encoder = $this->encoderFactory->getEncoder($user);`
`55`	`55`
`56`		`- if (!$encoder->isPasswordValid($user->getPassword(), $password, $user->getSalt())) {`
	`56`	`+ if (null === $user->getPassword() \|\| !$encoder->isPasswordValid($user->getPassword(), $password, $user->getSalt())) {`
`57`	`57`	`$this->context->addViolation($constraint->message);`
`58`	`58`	`}`
`59`	`59`	`}`