
BUGFIX Keep Member.PasswordEncryption setting on empty passwords

This will prevent empty passwords from setting the encryption to 'none',
which in turn will store any subsequent password changes in cleartext.
Reproducible e.g. with ConfirmedPasswordField and setCanBeEmpty(true).
1 parent d51e0bc commit 30096ee73091074474a5831c0f60e02e65b72a30 @chillu chillu committed
Showing with 19 additions and 11 deletions.
  1. +2 −11 security/Security.php
  2. +17 −0 tests/security/MemberTest.php
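--- a/security/Security.php
+++ b/security/Security.php
@@ -829,17 +829,8 @@ public static function get_password_encryption_algorithm() {
 * @see set_password_encryption_algorithm()
 */
 public static function encrypt_password($password, $salt = null, $algorithm = null, $member = null) {
-if(
-// if the password is empty, don't encrypt
-strlen(trim($password)) == 0
-// if no algorithm is provided and no default is set, don't encrypt
-|| (!$algorithm)
-) {
-$algorithm = 'none';
-} else {
-// Fall back to the default encryption algorithm
-if(!$algorithm) $algorithm = self::$encryptionAlgorithm;
-}
+// Fall back to the default encryption algorithm
+if(!$algorithm) $algorithm = self::$encryptionAlgorithm;
 $e = PasswordEncryptor::create_for_algorithm($algorithm);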
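Review bot: The new fallback on the `if(!$algorithm)` line hands `self::$encryptionAlgorithm` to `PasswordEncryptor::create_for_algorithm()` unguarded, so if that static default is itself empty the encryptor is created for an empty algorithm name, a case the deleted branch used to map to `'none'`. How `create_for_algorithm()` reacts to an empty name is not visible here; failing loudly there is preferable to silently choosing `'none'`, but the intent deserves recording with a comment above the fallback such as `// Empty passwords are hashed like any other, so PasswordEncryption is never downgraded to 'none'`. The truthiness test also treats an algorithm literally named `'0'` as unset; `$algorithm === null` would be the precise check if the parameter is only ever null or a name. `encrypt_password()`'s body continues past the end of the hunk.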
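--- a/tests/security/MemberTest.php
+++ b/tests/security/MemberTest.php
@@ -114,6 +114,23 @@ public function testDefaultPasswordEncryptionDoesntChangeExistingMembers() {
 Security::set_password_encryption_algorithm($origAlgo);
 }
+
+public function testKeepsEncryptionOnEmptyPasswords() {
+$member = new Member();
+$member->Password = 'mypassword';
+$member->PasswordEncryption = 'sha1_v2.4';
+$member->write();
+
+$member->Password = '';
+$member->write();
+
+$this->assertEquals(
+$member->PasswordEncryption,
+'sha1_v2.4'
+);
+$result = $member->checkPassword('');
+$this->assertTrue($result->valid());
+}
 public function testSetPassword() {
 $member = $this->objFromFixture('Member', 'test');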
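Review bot: The `assertEquals` call in `testKeepsEncryptionOnEmptyPasswords` passes the actual value first and the expected `'sha1_v2.4'` second, so a failure message would report them reversed; PHPUnit's convention is `$this->assertEquals('sha1_v2.4', $member->PasswordEncryption);`. The test also stops short of the regression the commit message describes, the cleartext storage of a later password change: after the empty write it could set `$member->Password = 'newpassword';`, call `$member->write();` and assert `$this->assertNotEquals('newpassword', $member->Password);`, assuming `Member::write()` replaces the Password field with its hash as the surrounding tests appear to rely on. A blank line between the new method and `testSetPassword()` would match the spacing of the test above it.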
