Merge pull request from GHSA-552f-97wf-pmpq

netcamo · jey · bergmania · commit 7e1d1a196800 · 2024-03-18T08:28:25.000+01:00
Co-authored-by: jey <jey@umbraco.dk> (cherry picked from commit b743f6a)
diff --git a/src/Umbraco.Infrastructure/Security/UmbracoUserManager.cs b/src/Umbraco.Infrastructure/Security/UmbracoUserManager.cs
@@ -134,8 +134,8 @@ public async Task<IdentityResult> ValidatePasswordAsync(string? password)
     /// <inheritdoc />
     public override async Task<bool> CheckPasswordAsync(TUser user, string? password)
     {
-        // we cannot proceed if the user passed in does not have an identity
-        if (user.HasIdentity == false)
+        // we cannot proceed if the user passed in does not have an identity, or if no password is provided.
+        if (user.HasIdentity == false || password is null)
         {
             return false;
         }
@@ -252,7 +252,7 @@ public override async Task<IdentityResult> AccessFailedAsync(TUser user)
     public async Task<bool> ValidateCredentialsAsync(string username, string password)
     {
         TUser user = await FindByNameAsync(username);
-        
+
         if (user == null)
         {
             return false;
@@ -263,7 +263,7 @@ public async Task<bool> ValidateCredentialsAsync(string username, string passwor
             throw new NotSupportedException("The current user store does not implement " +
                                             typeof(IUserPasswordStore<>));
         }
-        
+
         var result = await VerifyPasswordAsync(userPasswordStore, user, password);
 
         return result == PasswordVerificationResult.Success || result == PasswordVerificationResult.SuccessRehashNeeded;

Original file line number	Diff line number	Diff line change
`@@ -134,8 +134,8 @@ public async Task<IdentityResult> ValidatePasswordAsync(string? password)`
`134`	`134`	`/// <inheritdoc />`
`135`	`135`	`public override async Task<bool> CheckPasswordAsync(TUser user, string? password)`
`136`	`136`	`{`
`137`		`- // we cannot proceed if the user passed in does not have an identity`
`138`		`- if (user.HasIdentity == false)`
	`137`	`+ // we cannot proceed if the user passed in does not have an identity, or if no password is provided.`
	`138`	`+ if (user.HasIdentity == false \|\| password is null)`
`139`	`139`	`{`
`140`	`140`	`return false;`
`141`	`141`	`}`
`@@ -252,7 +252,7 @@ public override async Task<IdentityResult> AccessFailedAsync(TUser user)`
`252`	`252`	`public async Task<bool> ValidateCredentialsAsync(string username, string password)`
`253`	`253`	`{`
`254`	`254`	`TUser user = await FindByNameAsync(username);`
`255`		`-`
	`255`	`+`
`256`	`256`	`if (user == null)`
`257`	`257`	`{`
`258`	`258`	`return false;`
`@@ -263,7 +263,7 @@ public async Task<bool> ValidateCredentialsAsync(string username, string passwor`
`263`	`263`	`throw new NotSupportedException("The current user store does not implement " +`
`264`	`264`	`typeof(IUserPasswordStore<>));`
`265`	`265`	`}`
`266`		`-`
	`266`	`+`
`267`	`267`	`var result = await VerifyPasswordAsync(userPasswordStore, user, password);`
`268`	`268`
`269`	`269`	`return result == PasswordVerificationResult.Success \|\| result == PasswordVerificationResult.SuccessRehashNeeded;`