PlaintextPasswordEncoder ignores null encoded passwords

Fixes gh-7023
Rob Winch 2019-06-12 09:21:38 -05:00
parent 4a7bdc1d65
commit b2d4fec361
2 changed files with 9 additions and 0 deletions


@ -51,6 +51,9 @@ public class PlaintextPasswordEncoder extends BasePasswordEncoder {
}
public boolean isPasswordValid(String encPass, String rawPass, Object salt) {
if (encPass == null) {
return false;
}
String pass1 = encPass + "";
// Strict delimiters is false because pass2 never persisted anywhere
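Review bot: The new null guard in `isPasswordValid` carries no comment, and its reason is not obvious from the code: the following line, `String pass1 = encPass + "";`, turns a null reference into the four-character string "null", so without the guard an account with no stored password would be compared against that literal. I would add `// A null stored password must never match; the concatenation below would otherwise turn it into the literal "null"` above the `if`. With the guard in place the `+ ""` no longer has any effect, and `String pass1 = encPass;` would read more plainly. The method body continues past the end of this hunk, so how a null `rawPass` is treated cannot be judged from here.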


@ -70,4 +70,10 @@ public class PlaintextPasswordEncoderTests {
assertThat(demerged[0]).isEqualTo("password");
assertThat(demerged[1]).isEqualTo("foo");
}
@Test
public void testNull() {
PlaintextPasswordEncoder encoder = new PlaintextPasswordEncoder();
assertThat(encoder.isPasswordValid(null, "null", null)).isFalse();
}
}
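Review bot: `testNull` does not say what it protects, and the raw password `"null"` looks arbitrary unless the reader knows it is the string a null reference becomes under concatenation. A name such as `isPasswordValidWhenEncodedPasswordNullThenFalse` together with a comment like `// "null" is what a null encPass used to be compared as` would make the regression explicit. It may also be worth asserting the same result after `encoder.setIgnorePasswordCase(true)` with raw password `"NULL"`, assuming that setter is available on this encoder, so the case-insensitive path is pinned as well.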