Commit 3fbd91c5 authored by Nicole Cordes's avatar Nicole Cordes Committed by Oliver Hader

[SECURITY] Prevent login with semi-empty values

Prevent frontend users from logging in with a password that can be cast
to an empty value.

Releases: 4.5
Resolves: #65113
Security-Bulletin: TYPO3-CORE-SA-2015-001
Change-Id: Iceb22eac9572044c05f5c5b27d335deacdf146f1
Reviewed-on: http://review.typo3.org/37013


Reviewed-by: Oliver Hader's avatarOliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader's avatarOliver Hader <oliver.hader@typo3.org>
parent 6cf78f61
......@@ -104,7 +104,7 @@ class tx_rsaauth_sv1 extends tx_sv_auth {
$decryptedPassword = $this->runPasswordEvaluations($decryptedPassword);
if ($decryptedPassword != null) {
$this->login['uident'] = $decryptedPassword;
if (parent::authUser($userRecord)) {
if (is_bool($checkResult = parent::authUser($userRecord)) && $checkResult) {
$result = 200;
}
}
......
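Review bot: The new condition `is_bool($checkResult = parent::authUser($userRecord)) && $checkResult` hides an assignment inside the test and is equivalent to a strict comparison, which reads more clearly as `if (parent::authUser($userRecord) === TRUE) {`. The strictness matters because tx_sv_auth::authUser() starts from `$OK = 100` (visible in its hunk on this page), and a truthy 100 must not be promoted to `$result = 200`. A one-line comment such as `// Only a boolean TRUE means the password was compared and matched` would keep a later cleanup from loosening the check again. The enclosing method starts and ends outside the hunk.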
......@@ -237,7 +237,7 @@ class tx_saltedpasswords_sv1 extends tx_sv_authbase {
}
if ($this->login['uident'] && $this->login['uname']) {
if (!empty($this->login['uident_text'])) {
if ((string)$this->login['uident_text'] !== '') {
$validPasswd = $this->compareUident(
$user,
$this->login
......
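Review bot: The outer guard `if ($this->login['uident'] && $this->login['uname'])` still uses a truthiness test, so a submitted value that PHP treats as falsy skips this whole branch and the new `(string)$this->login['uident_text'] !== ''` check is never reached. For consistency with the change in tx_sv_auth::authUser() it should probably read `if ((string)$this->login['uident'] !== '' && (string)$this->login['uname'] !== '') {`. The `$this->login['uname']` half keeps the same truthiness test in the tx_sv_auth hunk as well. What the method returns when the branch is skipped lies outside the hunk, so it cannot be judged from here whether this is a real gap or only an inconsistency.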
......@@ -125,7 +125,7 @@ class tx_sv_auth extends tx_sv_authbase {
public function authUser(array $user) {
$OK = 100;
if ($this->login['uident'] && $this->login['uname']) {
if ((string)$this->login['uident'] !== '' && $this->login['uname']) {
// Checking password match for user:
$OK = $this->compareUident($user, $this->login);
......
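Review bot: `$OK = 100;` is an undocumented sentinel that the rest of this fix depends on: when the guard on the following line fails, no password comparison happens and, as far as the hunk shows, 100 is what the caller receives. I would add a comment at the initialisation, `// 100 = no password comparison was performed; this is not a successful login`, and list the possible return values in the method docblock. The `(string)` cast also turns an array into the literal `Array`, so if `$this->login['uident']` can ever be non-scalar an `is_string()` check before the cast would be safer; where the login data is populated is not visible here. The method body continues past the end of the hunk.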