Fixes security issue on handling a failed password_hash (#5)

* Fix #4 - Add check for unsuccessful hash * Remove unnecessary `return` statement on `__construct`
NigelGreenway · Jun 17, 2016 · 73d623f · 73d623f
1 parent 49bd1af
commit 73d623f
Show file tree

Hide file tree

Showing 3 changed files with 12 additions and 4 deletions.
diff --git a/lib/Exception/InactivePassException.php b/lib/Exception/InactivePassException.php
@@ -19,6 +19,6 @@ final class InactivePassException extends Exception
     /** Class constructor */
     public function __construct()
     {
-        return parent::__construct('Inactive Pass');
+        parent::__construct('Inactive Pass');
     }
 }
diff --git a/lib/Exception/InvalidPasswordException.php b/lib/Exception/InvalidPasswordException.php
@@ -19,6 +19,6 @@ final class InvalidPasswordException extends Exception
     /** Class Constructor */
     public function __construct()
     {
-        return parent::__construct('An invalid password as been given');
+        parent::__construct('An invalid password as been given');
     }
 }
diff --git a/lib/Handler/BasicPasswordHandler.php b/lib/Handler/BasicPasswordHandler.php
@@ -30,12 +30,20 @@ private function __construct($hash)
         $this->hash = $hash;
     }
 
-    /** {@inheritDoc} */
+    /**
+     * {@inheritDoc}
+     *
+     * @throws \RuntimeException
+     */
     public static function hash($password, array $options = [])
     {
         $hash = password_hash($password, PASSWORD_DEFAULT, $options);
 
-        return new self($hash);
+        if ($hash !== false) {
+            return new self($hash);
+        }
+
+        throw new \RuntimeException('Unsuccessful `password_hash` function call');
     }
 
     /** {@inheritDoc} */