
Empty string in $line causes an Exception that can expose a User's password

Open: jamieb-tillo opened this issue 1 year ago • 1 comment

In this method, if the $line variable does not contain a colon (e.g., is an empty string), then the call to list() will throw an Exception.

https://github.com/DivineOmega/password_exposed/blob/327f93ee5cab54622077bcae721412b55be16720/src/AbstractPasswordExposedChecker.php#L147

This exception is not caught by the handling in NIST or the DivineOmega packages. The stack trace of this exception will contain the submitted password in plain text.

jamieb-tillo, Jul 13 '22 15:07

Same problem. Thanks for the fix.

Neven21, Jul 14 '22 04:07
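
An added example, not code from the issue or from the password_exposed package: one way to guard the line parsing described above so a line without a colon is skipped, and to keep the password out of stack traces with PHP 8.2's `#[\SensitiveParameter]`. The function names, the `SUFFIX:COUNT` line format with SHA-1 suffix lookup, and the sample body are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical parser (not the package's code): turn a "SUFFIX:COUNT" response
 * body into [suffix => count], skipping lines that are empty or lack a colon.
 */
function parseRangeBody(string $body): array
{
    $counts = [];
    foreach (preg_split('/\R/', $body) as $line) {
        $line = trim($line);
        // explode() on a line without ':' returns a single element, so check
        // before destructuring instead of letting the assignment fail.
        if ($line === '' || !str_contains($line, ':')) {
            continue;
        }
        [$suffix, $count] = explode(':', $line, 2);
        $count = trim($count);
        if (!ctype_xdigit($suffix) || !ctype_digit($count)) {
            continue; // malformed line: ignore it rather than raise
        }
        $counts[strtoupper($suffix)] = (int) $count;
    }
    return $counts;
}

/**
 * Hypothetical checker. #[\SensitiveParameter] (PHP 8.2+) makes any stack
 * trace passing through this frame show a SensitiveParameterValue object
 * in place of the plain-text password argument.
 */
function exposureCount(#[\SensitiveParameter] string $password, string $body): int
{
    $hash = strtoupper(sha1($password));
    // Assumed format: the body is keyed by the hash minus its first 5 chars.
    return parseRangeBody($body)[substr($hash, 5)] ?? 0;
}

// Constructed sample body: one valid line, an empty line, a line with no colon.
$hash = strtoupper(sha1('hunter2'));
$body = substr($hash, 5) . ":17\r\n\r\nnot-a-valid-line\r\n";

var_dump(exposureCount('hunter2', $body));        // password listed in the body
var_dump(exposureCount('another-value', $body));  // password not listed
```

On PHP versions before 8.2, setting `zend.exception_ignore_args=On` in `php.ini` removes arguments from all exception traces.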