password_exposed
Empty string in $line causes an Exception that can expose a User's password
In this method, if the $line variable does not contain a colon (e.g., is an empty string), then the call to list() will throw an Exception.
https://github.com/DivineOmega/password_exposed/blob/327f93ee5cab54622077bcae721412b55be16720/src/AbstractPasswordExposedChecker.php#L147
This exception is not caught by the handling in NIST or the DivineOmega packages. The stack trace of this exception will contain the submitted password in plain text.
Same problem. Thanks for the fix.
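An added example, not the package's own code or its fix: one way to guard the parsing step described in the issue so that a blank or colon-less line is skipped instead of reaching list(). It assumes the response body consists of `SUFFIX:COUNT` lines as returned by the Pwned Passwords range API; the function names `parseRangeLine` and `passwordExposureCount` are hypothetical.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper. Parses one "SUFFIX:COUNT" line and returns
 * [suffix, count], or null when the line is blank, has no colon,
 * or carries non-hex / non-numeric fields.
 */
function parseRangeLine(string $line): ?array
{
    $line = trim($line);
    if ($line === '' || strpos($line, ':') === false) {
        return null; // skip instead of destructuring a one-element array
    }
    [$suffix, $count] = explode(':', $line, 2);
    if (!ctype_xdigit($suffix) || !ctype_digit($count)) {
        return null;
    }
    return [strtoupper($suffix), (int) $count];
}

/**
 * Hypothetical helper. Returns how often the password appears in the
 * given range response body, or 0 when no line matches.
 */
function passwordExposureCount(
    #[\SensitiveParameter] // PHP 8.2+: this argument is redacted in stack traces
    string $password,
    string $responseBody
): int {
    // The first 5 hex characters select the range; the rest is matched locally.
    $wantedSuffix = substr(strtoupper(sha1($password)), 5);
    foreach (preg_split('/\r\n|\n|\r/', $responseBody) as $line) {
        $parsed = parseRangeLine($line);
        if ($parsed !== null && hash_equals($wantedSuffix, $parsed[0])) {
            return $parsed[1];
        }
    }
    return 0;
}

// Constructed sample input: a blank line, a line without a colon, one valid match.
$password = 'constructed-sample-password';
$suffix   = substr(strtoupper(sha1($password)), 5);
$body     = "\r\n" . "line-without-colon\r\n" . $suffix . ":3\r\n";

var_dump(passwordExposureCount($password, $body));
var_dump(passwordExposureCount($password, ''));
```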