BUGFIX Keep Member.PasswordEncryption setting on empty passwords
This prevents an empty password from setting the encryption to 'none', which in turn would store any subsequent password changes in cleartext. Reproducible e.g. with ConfirmedPasswordField and setCanBeEmpty(true).
This commit is contained in:
parent
3e27d27f7a
commit
eecd34868f
@ -835,18 +835,9 @@ class Security extends Controller {
|
||||
* @see encrypt_passwords()
|
||||
* @see set_password_encryption_algorithm()
|
||||
*/
|
||||
static function encrypt_password($password, $salt = null, $algorithm = null, $member = null) {
|
||||
if(
|
||||
// if the password is empty, don't encrypt
|
||||
strlen(trim($password)) == 0
|
||||
// if no algorithm is provided and no default is set, don't encrypt
|
||||
|| (!$algorithm && self::$encryptPasswords == false)
|
||||
) {
|
||||
$algorithm = 'none';
|
||||
} else {
|
||||
public static function encrypt_password($password, $salt = null, $algorithm = null, $member = null) {
|
||||
// Fall back to the default encryption algorithm
|
||||
if(!$algorithm) $algorithm = self::$encryptionAlgorithm;
|
||||
}
|
||||
|
||||
$e = PasswordEncryptor::create_for_algorithm($algorithm);
|
||||
|
||||
@ -929,5 +920,5 @@ class Security extends Controller {
|
||||
return self::$default_login_dest;
|
||||
}
|
||||
|
||||
}
|
||||
}
|
||||
?>
|
||||
|
@ -115,6 +115,23 @@ class MemberTest extends FunctionalTest {
|
||||
Security::set_password_encryption_algorithm($origAlgo);
|
||||
}
|
||||
|
||||
public function testKeepsEncryptionOnEmptyPasswords() {
|
||||
$member = new Member();
|
||||
$member->Password = 'mypassword';
|
||||
$member->PasswordEncryption = 'sha1_v2.4';
|
||||
$member->write();
|
||||
|
||||
$member->Password = '';
|
||||
$member->write();
|
||||
|
||||
$this->assertEquals(
|
||||
$member->PasswordEncryption,
|
||||
'sha1_v2.4'
|
||||
);
|
||||
$result = $member->checkPassword('');
|
||||
$this->assertTrue($result->valid());
|
||||
}
|
||||
|
||||
function testSetPassword() {
|
||||
$member = $this->objFromFixture('Member', 'test');
|
||||
$member->Password = "test1";
|
||||
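Review bot: The `assertEquals` on PasswordEncryption in testKeepsEncryptionOnEmptyPasswords has its arguments reversed — PHPUnit takes the expected value first, so a failure would report the actual and expected values swapped; change it to `$this->assertEquals('sha1_v2.4', $member->PasswordEncryption);`. The test also stops short of the regression the commit message names, a later non-empty password being stored in cleartext: a third write with a new password, asserting the algorithm is still 'sha1_v2.4' and that the new password validates, would pin that directly. Note that `$this->assertTrue($result->valid())` on `checkPassword('')` pins an empty string as an accepted login credential; if writing an empty Password is meant to leave the existing credential untouched, the assertion should be on `checkPassword('mypassword')` instead — which is intended cannot be determined from this hunk. testSetPassword at the bottom of the hunk continues past it.
```php
    public function testKeepsEncryptionOnEmptyPasswords() {
        // … unchanged: initial write with 'mypassword', then the empty-password write …
        $this->assertEquals('sha1_v2.4', $member->PasswordEncryption);
        // … unchanged: checkPassword('') assertion …

        // a later non-empty password must still be stored with the member's algorithm
        $member->Password = 'newpassword';
        $member->write();
        $this->assertEquals('sha1_v2.4', $member->PasswordEncryption);
        $this->assertTrue($member->checkPassword('newpassword')->valid());
    }
```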
|