password_exposed
Run $lines through array_filter() to remove empty strings that can cause unhandled exceptions
In some cases, the response body pulled from the HaveIBeenPwned API can end with a blank space after the final new line characters. When pulled into the $lines array, this creates an index that consists of just a blank string.
When attempting to call list() on the result of calling explode(':', $line), an Exception is thrown.
This Exception is not caught in this package, or within Laravel NIST which uses it. The stack trace of this Exception exposes the User's password to any logs that record it.
Passing the $lines array through an array_filter() removes any blank indexes and prevents this error.
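The failure and the fix described above, reproduced as an added example (not code from this PR or from the package). The `parseRange()` helper, the sample body, and the way the body is split and trimmed are assumptions made for illustration; the error handler stands in for a framework that converts PHP notices and warnings into exceptions.

```php
<?php
declare(strict_types=1);

// Assumption: the runtime turns notices/warnings into exceptions, as a
// framework error handler typically does. Plain PHP would only emit a warning.
set_error_handler(function (int $no, string $msg, string $file, int $line): bool {
    throw new ErrorException($msg, 0, $no, $file, $line);
});

// Constructed sample body in SUFFIX:COUNT form, ending with a newline
// followed by a single blank space (the case the PR describes).
$body = "0018A45C4D1DEF81644B54AB7F969B88D65:3\r\n"
      . "00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2\r\n"
      . "011053FD0102E94D6AE2F8B83D76FAF94F6:1\r\n ";

/** Hypothetical helper: parse a range response into [suffix => count]. */
function parseRange(string $body, bool $filter): array
{
    // Trimming each line turns the trailing " " into an empty string.
    $lines = array_map('trim', explode("\n", $body));
    if ($filter) {
        // The fix: drop empty entries before they reach list().
        $lines = array_filter($lines);
    }
    $out = [];
    foreach ($lines as $line) {
        // On '' explode() returns a one-element array, so index 1 is missing.
        list($suffix, $count) = explode(':', $line);
        $out[$suffix] = (int) $count;
    }
    return $out;
}

try {
    parseRange($body, false);
    echo "unfiltered: parsed without error\n";
} catch (ErrorException $e) {
    echo "unfiltered: ", get_class($e), ": ", $e->getMessage(), "\n";
}

$parsed = parseRange($body, true);
echo "filtered: ", count($parsed), " entries parsed\n";
```

Independently of the parsing fix, setting `zend.exception_ignore_args=On` (PHP 7.4+) keeps function arguments, such as a password passed down the call chain, out of exception stack traces that reach the logs.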
Currently my users cannot register or edit profile if exposed password is entered - this PR is much needed. Thanks!
Pull Request Test Coverage Report for Build 176
- 1 of 1 (100.0%) changed or added relevant line in 1 file are covered.
- No unchanged relevant lines lost coverage.
- Overall coverage decreased (-0.0%) to 86.735%
Totals | |
---|---|
Change from base Build 173: | -0.0% |
Covered Lines: | 85 |
Relevant Lines: | 98 |