[SECURITY] Disallow login with empty password 99/47599/2
author Nicole Cordes <typo3@cordes.co>
Tue, 12 Apr 2016 09:09:59 +0000 (11:09 +0200)
committer Oliver Hader <oliver.hader@typo3.org>
Tue, 12 Apr 2016 09:10:01 +0000 (11:10 +0200)
commit 1fcfd5bc4e6f01c7f4303543b6c09c90ad88e349
tree 6c76a5410815e22c6ce4e7424df0ff3405ad6b24
parent 5a8e0a133b87a073958907531d1ccd463c713d12
[SECURITY] Disallow login with empty password

In case a backend or frontend user is stored in the database
with an empty string as password (not possible through backend UI),
it is possible to authenticate this user using an empty password
with the standard TYPO3 username/password authentication services.

By definition this should be prohibited.

Resolves: #75055
Releases: master, 7.6, 6.2
Security-Commit: 1899bfa7166baae8d774fa7bd027f9c448e89686
Security-Bulletins: TYPO3-CORE-SA-2016-009, 010, 011, 012
Change-Id: I7b5ce35a6e5d817c2480cb81e616bfac25fbe2fb
Reviewed-on: https://review.typo3.org/47599
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
typo3/sysext/core/Classes/Authentication/AbstractUserAuthentication.php
typo3/sysext/saltedpasswords/Classes/SaltedPasswordService.php
typo3/sysext/sv/Classes/AuthenticationService.php
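
The failure mode described in the commit message, as an added example that is not TYPO3's code and not part of this commit: a login check that compares the submitted value with whatever is stored accepts an empty password for an account whose stored password is an empty string. The function names, the fallback to direct comparison for non-hashed values, and the user rows are assumptions made for this illustration.

```php
<?php
declare(strict_types=1);

// Added illustration, not TYPO3 code. Function names and the user rows
// below are constructed for this example.

/** Check without the guard: trusts whatever value is stored. */
function verifyLoose(string $submitted, string $stored): bool
{
    // A bcrypt-looking value goes through password_verify(); anything else
    // is treated as a legacy value and compared directly. '' equals ''.
    if (strncmp($stored, '$2y$', 4) === 0) {
        return password_verify($submitted, $stored);
    }
    return hash_equals($stored, $submitted);
}

/** Hardened check: an empty value on either side never authenticates. */
function verifyStrict(string $submitted, string $stored): bool
{
    if ($submitted === '' || $stored === '') {
        return false;
    }
    return verifyLoose($submitted, $stored);
}

// Constructed rows: 'imported' has an empty password column, for example
// written by a direct database insert rather than through the backend UI.
$users = [
    'editor'   => password_hash('correct horse', PASSWORD_BCRYPT),
    'imported' => '',
];

$attempts = [['editor', 'correct horse'], ['editor', ''], ['imported', '']];
foreach ($attempts as [$name, $password]) {
    printf(
        "%-8s password=%-15s loose=%-5s strict=%s\n",
        $name,
        var_export($password, true),
        var_export(verifyLoose($password, $users[$name]), true),
        var_export(verifyStrict($password, $users[$name]), true)
    );
}
```

Only the last attempt differs between the two checks: the loose check accepts the empty password for `imported`, the strict check rejects it.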