[SECURITY] Disallow login with empty password 03/47603/2
author Helmut Hummel <info@helhum.io>
Tue, 12 Apr 2016 09:10:30 +0000 (11:10 +0200)
committer Oliver Hader <oliver.hader@typo3.org>
Tue, 12 Apr 2016 09:10:32 +0000 (11:10 +0200)
commit a445c9c483754dee844cbb17dc6d97527ad6bd3f
tree 1934fae75fd9d6ddcc8136627fbf2234b767b3d4
parent 819c1f901106161cfc9bb8e650bc8291b8d37a62
[SECURITY] Disallow login with empty password

In case a backend or frontend user is stored in the database
with an empty string as password (not possible through backend UI),
it is possible to authenticate this user using an empty password
with the standard TYPO3 username/password authentication services.

By definition this should be prohibited.

Resolves: #75055
Releases: master, 7.6, 6.2
Security-Commit: b8e1cf8c771e9908c2ab7552b0f9a1c566365879
Security-Bulletins: TYPO3-CORE-SA-2016-009, 010, 011, 012
Change-Id: I0ac861d44fe5a3b110c2f5de7ef19b458cec2c79
Reviewed-on: https://review.typo3.org/47603
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
typo3/sysext/core/Classes/Authentication/AbstractUserAuthentication.php
typo3/sysext/saltedpasswords/Classes/SaltedPasswordService.php
typo3/sysext/sv/Classes/AuthenticationService.php
typo3/sysext/sv/ext_localconf.php
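
The failure mode the commit message describes, as an added example that is not TYPO3's code and not part of this commit: a login check with a plain-text fallback for rows that hold no recognised hash accepts an empty submitted password against an empty stored one, and a guard placed before any comparison closes it. The record layout, the function names and the fallback itself are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Constructed user records; the field name "password" is an assumption for this example.
$users = [
    'alice'  => ['password' => password_hash('correct horse', PASSWORD_DEFAULT)],
    'import' => ['password' => ''], // row written straight to the database, no password set
];

// Before: verify against the stored hash, with a plain-text fallback
// for rows that do not contain a recognised hash (hypothetical helper).
function checkLoginBefore(array $user, string $submitted): bool
{
    $stored = (string)$user['password'];
    if (password_get_info($stored)['algoName'] !== 'unknown') {
        return password_verify($submitted, $stored);
    }
    // The fallback compares the two strings directly, so '' equals ''.
    return hash_equals($stored, $submitted);
}

// After: an empty submitted or stored password never authenticates,
// whichever comparison strategy would have run next (hypothetical helper).
function checkLoginAfter(array $user, string $submitted): bool
{
    $stored = (string)$user['password'];
    if ($submitted === '' || $stored === '') {
        return false;
    }
    return checkLoginBefore($user, $submitted);
}

// Run both checks over the constructed records and print the outcome of each.
$cases = [
    ['import', ''],              // empty stored password, empty submitted password
    ['alice', ''],               // hashed password, empty submitted password
    ['alice', 'correct horse'],  // hashed password, correct submitted password
];
foreach ($cases as [$name, $submitted]) {
    printf(
        "%-6s submitted=%-16s before=%s after=%s\n",
        $name,
        var_export($submitted, true),
        var_export(checkLoginBefore($users[$name], $submitted), true),
        var_export(checkLoginAfter($users[$name], $submitted), true)
    );
}
```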