[SECURITY] Disallow login with empty password 11/47611/2
author Helmut Hummel <info@helhum.io>
Tue, 12 Apr 2016 09:11:37 +0000 (11:11 +0200)
committer Oliver Hader <oliver.hader@typo3.org>
Tue, 12 Apr 2016 09:11:40 +0000 (11:11 +0200)
commit 5ab7fd5e7958bc198e0a4e39469bf7407c4db430
tree 4f20011e51ffaaf18f608148df3cb37d0bc4e23b
parent 7e72fd0d3654c1604e594a822a1506f0d03c27e7
[SECURITY] Disallow login with empty password

In case a backend or frontend user is stored in the database
with an empty string as password (not possible through backend UI),
it is possible to authenticate this user using an empty password
with the standard TYPO3 username/password authentication services.

By definition this should be prohibited.

Resolves: #75055
Releases: master, 7.6, 6.2
Security-Bulletins: TYPO3-CORE-SA-2016-009, 010, 011, 012
Change-Id: I4ca1b7d80c04de86d6ff1ef6e99a4a57b97ed948
Reviewed-on: https://review.typo3.org/47611
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
typo3/sysext/core/Classes/Authentication/AbstractUserAuthentication.php
typo3/sysext/saltedpasswords/Classes/SaltedPasswordService.php
typo3/sysext/sv/Classes/AuthenticationService.php
typo3/sysext/sv/ext_localconf.php
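
The failure mode the commit message describes, shown as an added PHP example that is not TYPO3's code and not taken from this commit: a user row whose password column is an empty string authenticates with an empty submitted password unless empty values are rejected before the comparison. The functions `compareStored`, `authenticateUnguarded` and `authenticateGuarded`, the user records, and the plaintext fallback are all hypothetical and chosen for illustration.

```php
<?php
declare(strict_types=1);

// Constructed user records (hypothetical). "ghost" has an empty password
// column, e.g. written by a direct database import, not through the backend UI.
$users = [
    'alice' => ['password' => password_hash('correct horse', PASSWORD_DEFAULT)],
    'ghost' => ['password' => ''],
];

// Hypothetical comparison helper: recognised hashes go through
// password_verify(); anything else is compared as a legacy plaintext value
// (assumption for this example, not a statement about TYPO3 internals).
function compareStored(string $submitted, string $stored): bool
{
    if (!empty(password_get_info($stored)['algo'])) {
        return password_verify($submitted, $stored);
    }
    return hash_equals($stored, $submitted);
}

// Before: no guard, so an empty stored value matches an empty submission.
function authenticateUnguarded(array $users, string $name, string $password): bool
{
    return isset($users[$name])
        && compareStored($password, $users[$name]['password']);
}

// After: an empty submitted or stored password is rejected before comparing.
function authenticateGuarded(array $users, string $name, string $password): bool
{
    if ($password === '' || !isset($users[$name]) || $users[$name]['password'] === '') {
        return false;
    }
    return compareStored($password, $users[$name]['password']);
}

// Run both variants over the same constructed login attempts.
foreach ([['alice', 'correct horse'], ['alice', ''], ['ghost', '']] as [$name, $pw]) {
    printf("%-5s %-15s unguarded=%s guarded=%s\n", $name, var_export($pw, true),
        var_export(authenticateUnguarded($users, $name, $pw), true),
        var_export(authenticateGuarded($users, $name, $pw), true));
}
```

Checking both the submitted and the stored value keeps the account with an empty password column unusable for login regardless of which comparison path would otherwise handle it.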