[11.x] Fix Bcrypt/Argon/Argon2I Hashers not checking database field for nullish value before checking hash compatibility (#52297)

localpath · web-flow · commit 18b9bad2bf44 · 2024-07-29T10:18:43.000+03:00
* Fix Bcrypt Hasher not checking database field for nullish value

Updates Bcrypt Hasher implementation to correctly check if the `$hashedValue` field being checked for Hash Algorithm compatibility is not `null` or of length `0`. This gives us the behavior before hash verification was added to the framework that will trigger the framework to return early with a proper response of `false` as opposed to a generic `RuntimeException` being thrown for a value that should never have been checked for hash algorithm compatibility

* Update ArgonHasher to check for nullish value before hash compatibility check

* Update Argon2IdHasher to check for nullish value before hash compatibility
diff --git a/src/Illuminate/Hashing/Argon2IdHasher.php b/src/Illuminate/Hashing/Argon2IdHasher.php
@@ -18,13 +18,13 @@ class Argon2IdHasher extends ArgonHasher
      */
     public function check(#[\SensitiveParameter] $value, $hashedValue, array $options = [])
     {
-        if ($this->verifyAlgorithm && ! $this->isUsingCorrectAlgorithm($hashedValue)) {
-            throw new RuntimeException('This password does not use the Argon2id algorithm.');
-        }
-
         if (is_null($hashedValue) || strlen($hashedValue) === 0) {
             return false;
         }
+        
+        if ($this->verifyAlgorithm && ! $this->isUsingCorrectAlgorithm($hashedValue)) {
+            throw new RuntimeException('This password does not use the Argon2id algorithm.');
+        }      
 
         return password_verify($value, $hashedValue);
     }
diff --git a/src/Illuminate/Hashing/ArgonHasher.php b/src/Illuminate/Hashing/ArgonHasher.php
@@ -95,6 +95,10 @@ protected function algorithm()
      */
     public function check(#[\SensitiveParameter] $value, $hashedValue, array $options = [])
     {
+        if (is_null($hashedValue) || strlen($hashedValue) === 0) {
+            return false;
+        }
+        
         if ($this->verifyAlgorithm && ! $this->isUsingCorrectAlgorithm($hashedValue)) {
             throw new RuntimeException('This password does not use the Argon2i algorithm.');
         }
diff --git a/src/Illuminate/Hashing/BcryptHasher.php b/src/Illuminate/Hashing/BcryptHasher.php
@@ -67,6 +67,10 @@ public function make(#[\SensitiveParameter] $value, array $options = [])
      */
     public function check(#[\SensitiveParameter] $value, $hashedValue, array $options = [])
     {
+        if (is_null($hashedValue) || strlen($hashedValue) === 0) {
+            return false;
+        }
+        
         if ($this->verifyAlgorithm && ! $this->isUsingCorrectAlgorithm($hashedValue)) {
             throw new RuntimeException('This password does not use the Bcrypt algorithm.');
         }

Original file line number	Diff line number	Diff line change
`@@ -18,13 +18,13 @@ class Argon2IdHasher extends ArgonHasher`
`18`	`18`	`*/`
`19`	`19`	`public function check(#[\SensitiveParameter] $value, $hashedValue, array $options = [])`
`20`	`20`	`{`
`21`		`- if ($this->verifyAlgorithm && ! $this->isUsingCorrectAlgorithm($hashedValue)) {`
`22`		`- throw new RuntimeException('This password does not use the Argon2id algorithm.');`
`23`		`- }`
`24`		`-`
`25`	`21`	`if (is_null($hashedValue) \|\| strlen($hashedValue) === 0) {`
`26`	`22`	`return false;`
`27`	`23`	`}`
	`24`	`+`
	`25`	`+ if ($this->verifyAlgorithm && ! $this->isUsingCorrectAlgorithm($hashedValue)) {`
	`26`	`+ throw new RuntimeException('This password does not use the Argon2id algorithm.');`
	`27`	`+ }`
`28`	`28`
`29`	`29`	`return password_verify($value, $hashedValue);`
`30`	`30`	`}`
Original file line number	Diff line number	Diff line change
`@@ -95,6 +95,10 @@ protected function algorithm()`
`95`	`95`	`*/`
`96`	`96`	`public function check(#[\SensitiveParameter] $value, $hashedValue, array $options = [])`
`97`	`97`	`{`
	`98`	`+ if (is_null($hashedValue) \|\| strlen($hashedValue) === 0) {`
	`99`	`+ return false;`
	`100`	`+ }`
	`101`	`+`
`98`	`102`	`if ($this->verifyAlgorithm && ! $this->isUsingCorrectAlgorithm($hashedValue)) {`
`99`	`103`	`throw new RuntimeException('This password does not use the Argon2i algorithm.');`
`100`	`104`	`}`
Original file line number	Diff line number	Diff line change
`@@ -67,6 +67,10 @@ public function make(#[\SensitiveParameter] $value, array $options = [])`
`67`	`67`	`*/`
`68`	`68`	`public function check(#[\SensitiveParameter] $value, $hashedValue, array $options = [])`
`69`	`69`	`{`
	`70`	`+ if (is_null($hashedValue) \|\| strlen($hashedValue) === 0) {`
	`71`	`+ return false;`
	`72`	`+ }`
	`73`	`+`
`70`	`74`	`if ($this->verifyAlgorithm && ! $this->isUsingCorrectAlgorithm($hashedValue)) {`
`71`	`75`	`throw new RuntimeException('This password does not use the Bcrypt algorithm.');`
`72`	`76`	`}`