security #23507 [Security] validate empty passwords again (xabbuh)

This PR was merged into the 2.7 branch.

Discussion
----------

[Security] validate empty passwords again

| Q             | A
| ------------- | ---
| Branch?       | 2.7
| Bug fix?      | yes
| New feature?  | no
| BC breaks?    | no
| Deprecations? | no
| Tests pass?   | yes
| Fixed tickets | #23341 (comment)
| License       | MIT
| Doc PR        |

It looks like this part of #23341 causes serious security issues for some users who rely on the validator to also compare the empty string with their user's password (see for example #23341 (comment)). Thus I suggest to revert this part of #23341.

Commits
-------

878198c [Security] validate empty passwords again

src/Symfony/Component/Security/Core/Tests/Validator/Constraints/UserPasswordValidatorTest.php

@@ -90,6 +90,29 @@ public function testPasswordIsNotValid()
             ->assertRaised();
     }
 
+    /**
+     * @dataProvider emptyPasswordData
+     */
+    public function testEmptyPasswordsAreNotValid($password)
+    {
+        $constraint = new UserPassword(array(
+            'message' => 'myMessage',
+        ));
+
+        $this->validator->validate($password, $constraint);
+
+        $this->buildViolation('myMessage')
+            ->assertRaised();
+    }
+
+    public function emptyPasswordData()
+    {
+        return array(
+            array(null),
+            array(''),
+        );
+    }
+
     /**
      * @expectedException \Symfony\Component\Validator\Exception\ConstraintDefinitionException
      */

src/Symfony/Component/Security/Core/Validator/Constraints/UserPasswordValidator.php

@@ -40,6 +40,8 @@ public function validate($password, Constraint $constraint)
         }
 
         if (null === $password || '' === $password) {
+            $this->context->addViolation($constraint->message);
+
             return;
         }