Fail on empty password verification (without warning on any implementation)

Stefan Kruppa · fabpot · commit c70b10269530 · 2020-02-03T17:30:37.000+01:00
diff --git a/Encoder/NativePasswordEncoder.php b/Encoder/NativePasswordEncoder.php
@@ -76,6 +76,9 @@ public function encodePassword($raw, $salt): string
      */
     public function isPasswordValid($encoded, $raw, $salt): bool
     {
+        if ('' === $raw) {
+            return false;
+        }
         if (\strlen($raw) > self::MAX_PASSWORD_LENGTH) {
             return false;
         }
diff --git a/Encoder/SodiumPasswordEncoder.php b/Encoder/SodiumPasswordEncoder.php
@@ -76,6 +76,9 @@ public function encodePassword($raw, $salt): string
      */
     public function isPasswordValid($encoded, $raw, $salt): bool
     {
+        if ('' === $raw) {
+            return false;
+        }
         if (\strlen($raw) > self::MAX_PASSWORD_LENGTH) {
             return false;
         }
diff --git a/Tests/Encoder/NativePasswordEncoderTest.php b/Tests/Encoder/NativePasswordEncoderTest.php
@@ -53,6 +53,7 @@ public function testValidation()
         $result = $encoder->encodePassword('password', null);
         $this->assertTrue($encoder->isPasswordValid($result, 'password', null));
         $this->assertFalse($encoder->isPasswordValid($result, 'anotherPassword', null));
+        $this->assertFalse($encoder->isPasswordValid($result, '', null));
     }
 
     public function testNonArgonValidation()
diff --git a/Tests/Encoder/SodiumPasswordEncoderTest.php b/Tests/Encoder/SodiumPasswordEncoderTest.php
@@ -29,6 +29,7 @@ public function testValidation()
         $result = $encoder->encodePassword('password', null);
         $this->assertTrue($encoder->isPasswordValid($result, 'password', null));
         $this->assertFalse($encoder->isPasswordValid($result, 'anotherPassword', null));
+        $this->assertFalse($encoder->isPasswordValid($result, '', null));
     }
 
     public function testBCryptValidation()

Original file line number	Diff line number	Diff line change
`@@ -76,6 +76,9 @@ public function encodePassword($raw, $salt): string`
`76`	`76`	`*/`
`77`	`77`	`public function isPasswordValid($encoded, $raw, $salt): bool`
`78`	`78`	`{`
	`79`	`+ if ('' === $raw) {`
	`80`	`+ return false;`
	`81`	`+ }`
`79`	`82`	`if (\strlen($raw) > self::MAX_PASSWORD_LENGTH) {`
`80`	`83`	`return false;`
`81`	`84`	`}`
Original file line number	Diff line number	Diff line change
`@@ -53,6 +53,7 @@ public function testValidation()`
`53`	`53`	`$result = $encoder->encodePassword('password', null);`
`54`	`54`	`$this->assertTrue($encoder->isPasswordValid($result, 'password', null));`
`55`	`55`	`$this->assertFalse($encoder->isPasswordValid($result, 'anotherPassword', null));`
	`56`	`+ $this->assertFalse($encoder->isPasswordValid($result, '', null));`
`56`	`57`	`}`
`57`	`58`
`58`	`59`	`public function testNonArgonValidation()`
Original file line number	Diff line number	Diff line change
`@@ -29,6 +29,7 @@ public function testValidation()`
`29`	`29`	`$result = $encoder->encodePassword('password', null);`
`30`	`30`	`$this->assertTrue($encoder->isPasswordValid($result, 'password', null));`
`31`	`31`	`$this->assertFalse($encoder->isPasswordValid($result, 'anotherPassword', null));`
	`32`	`+ $this->assertFalse($encoder->isPasswordValid($result, '', null));`
`32`	`33`	`}`
`33`	`34`
`34`	`35`	`public function testBCryptValidation()`