feat: Validate password hash

Signed-off-by: Christopher Ng <chrng8@gmail.com>

diff --git a/lib/private/User/Database.php b/lib/private/User/Database.php
index 194e998ef4f47fe3018b75117dfbb0b666a74aa8..bd6aa7ba2c274e3da482b7ce8a389d293ba5bae4 100644 (file)
--- a/lib/private/User/Database.php
+++ b/lib/private/User/Database.php
@@ -8,6 +8,7 @@ declare(strict_types=1);
  */
 namespace OC\User;
 
+use InvalidArgumentException;
 use OCP\AppFramework\Db\TTransactional;
 use OCP\Cache\CappedMemoryCache;
 use OCP\EventDispatcher\IEventDispatcher;
@@ -200,6 +201,9 @@ class Database extends ABackend implements
        }
 
        public function setPasswordHash(string $userId, string $passwordHash): bool {
+               if (!\OCP\Server::get(IHasher::class)->validate($passwordHash)) {
+                       throw new InvalidArgumentException();
+               }
                $this->fixDI();
                $result = $this->updatePassword($userId, $passwordHash);
                if (!$result) {