New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Security] validate empty passwords again #23507
Conversation
|
But this can cause a warning in sf2.8+ and break your app if you provide an empty string. If this needs to work as previously, why not simply change this to: if (null === $password || '' === $password) {
// add violation that the password cannot be empty
return;
}That way there is no exception and no security issue. |
WAT If you want to make this optional use validation-groups. |
|
@sstok I am not sure we both understand each other, but my proposition is to automatically put a constraint violation if the password is empty. In newer implementations of the password checker, a EDIT To clarify - initially the PR simply removed the |
|
Thank you @xabbuh. |
This PR was merged into the 2.7 branch. Discussion ---------- [Security] validate empty passwords again | Q | A | ------------- | --- | Branch? | 2.7 | Bug fix? | yes | New feature? | no | BC breaks? | no | Deprecations? | no | Tests pass? | yes | Fixed tickets | #23341 (comment) | License | MIT | Doc PR | It looks like this part of #23341 causes serious security issues for some users who rely on the validator to also compare the empty string with their user's password (see for example #23341 (comment)). Thus I suggest to revert this part of #23341. Commits ------- 878198c [Security] validate empty passwords again
|
In theory, wasn't an empty password |
|
@Tobion I agree this is a BC break, but for security reasons this is more logical. |
It looks like this part of #23341 causes serious security issues for some users who rely on the validator to also compare the empty string with their user's password (see for example #23341 (comment)). Thus I suggest to revert this part of #23341.