Issue #3305807 by andypost, ChrisPerko, mediabounds, xjm, sorlov, Rishabh...

Issue #3305807 by andypost, ChrisPerko, mediabounds, xjm, sorlov, Rishabh Vishwakarma, ilya.no, asad_ahmed, paulocs, Michelle, _pratik_, reenaraghavan, DanChadwick, smustgrave, larowlan, allisonherodevs: Password is null if user has never logged in which causes PHP 8 warning (cherry picked from commit 00a619f3)

Issue #3305807 by andypost, ChrisPerko, mediabounds, xjm, sorlov, Rishabh...
d30fedcc · Lee Rowlands · 63cdabd2 · d30fedcc · d30fedcc · d30fedcc
Verified Commit d30fedcc authored 1 year ago by Lee Rowlands
--- a/core/lib/Drupal/Core/Password/PasswordInterface.php
+++ b/core/lib/Drupal/Core/Password/PasswordInterface.php
@@ -27,8 +27,8 @@ public function hash(#[\SensitiveParameter] $password);
   * Check whether a plain text password matches a hashed password.
   *
   * @param string $password
-   *   A plain-text password
-   * @param string $hash
+   *   A plain-text password.
+   * @param string|null $hash
   *   A hashed password.
   *
   * @return bool
@@ -46,7 +46,7 @@ public function check(#[\SensitiveParameter] $password, #[\SensitiveParameter] $
   * This method returns TRUE if the password was hashed with an older
   * algorithm.
   *
-   * @param string $hash
+   * @param string|null $hash
   *   The hash to be checked.
   *
   * @return bool

--- a/core/lib/Drupal/Core/Password/PhpPassword.php
+++ b/core/lib/Drupal/Core/Password/PhpPassword.php
@@ -45,6 +45,10 @@ public function check(#[\SensitiveParameter] $password, #[\SensitiveParameter] $
    if (strlen($password) > static::PASSWORD_MAX_LENGTH) {
      return FALSE;
    }
+    // Newly created accounts may have empty passwords.
+    if ($hash === NULL || $hash === '') {
+      return FALSE;
+    }

    return password_verify($password, $hash);
  }

--- a/core/lib/Drupal/Core/Password/PhpassHashedPasswordBase.php
+++ b/core/lib/Drupal/Core/Password/PhpassHashedPasswordBase.php
@@ -242,6 +242,10 @@ public function hash(#[\SensitiveParameter] $password) {
   * {@inheritdoc}
   */
  public function check(#[\SensitiveParameter] $password, #[\SensitiveParameter] $hash) {
+    // Newly created accounts may have empty passwords.
+    if ($hash === NULL || $hash === '') {
+      return FALSE;
+    }
    if (substr($hash, 0, 2) == 'U$') {
      // This may be an updated password from user_update_7000(). Such hashes
      // have 'U' added as the first character and need an extra md5() (see the

--- a/core/modules/phpass/tests/src/Unit/LegacyPasswordHashingTest.php
+++ b/core/modules/phpass/tests/src/Unit/LegacyPasswordHashingTest.php
@@ -114,4 +114,14 @@ public function testPasswordRehashing() {
    $this->assertTrue($this->passwordHasher->check($this->password, $rehashed_password), 'Password check succeeds with re-hashed password with original hasher.');
  }

+  /**
+   * Tests password validation when the hash is NULL.
+   *
+   * @covers ::check
+   */
+  public function testEmptyHash(): void {
+    $this->assertFalse($this->passwordHasher->check($this->password, NULL));
+    $this->assertFalse($this->passwordHasher->check($this->password, ''));
+  }
+
 }
--- a/core/tests/Drupal/Tests/Core/Password/PhpPasswordTest.php
+++ b/core/tests/Drupal/Tests/Core/Password/PhpPasswordTest.php
@@ -124,4 +124,14 @@ public function providerLongPasswords() {
    return $passwords;
  }

+  /**
+   * Tests password check in case provided hash is NULL.
+   *
+   * @covers ::check
+   */
+  public function testEmptyHash(): void {
+    $this->assertFalse($this->passwordHasher->check($this->password, NULL));
+    $this->assertFalse($this->passwordHasher->check($this->password, ''));
+  }
+
 }