PlaintextPasswordEncoder ignores null encoded passwords

Fixes gh-7023
7 years ago · b2d4fec361
2 changed files with 9 additions and 0 deletions
--- a/core/src/main/java/org/springframework/security/authentication/encoding/PlaintextPasswordEncoder.java
+++ b/core/src/main/java/org/springframework/security/authentication/encoding/PlaintextPasswordEncoder.java
@ -51,6 +51,9 @@ public class PlaintextPasswordEncoder extends BasePasswordEncoder {
				@@ -51,6 +51,9 @@ public class PlaintextPasswordEncoder extends BasePasswordEncoder {
 	}

 	public boolean isPasswordValid(String encPass, String rawPass, Object salt) {
+		if (encPass == null) {
+			return false;
+		}
 		String pass1 = encPass + "";

 		// Strict delimiters is false because pass2 never persisted anywhere
--- a/core/src/test/java/org/springframework/security/authentication/encoding/PlaintextPasswordEncoderTests.java
+++ b/core/src/test/java/org/springframework/security/authentication/encoding/PlaintextPasswordEncoderTests.java
@ -70,4 +70,10 @@ public class PlaintextPasswordEncoderTests {
				@@ -70,4 +70,10 @@ public class PlaintextPasswordEncoderTests {
 		assertThat(demerged[0]).isEqualTo("password");
 		assertThat(demerged[1]).isEqualTo("foo");
 	}
+
+	@Test
+	public void testNull() {
+		PlaintextPasswordEncoder encoder = new PlaintextPasswordEncoder();
+		assertThat(encoder.isPasswordValid(null, "null", null)).isFalse();
+	}
 }