Merge branch '4.3' into 4.4

* 4.3:
  [DotEnv] Remove `usePutEnv` property default value
  Set up typo fix
  [Validator] Allow underscore character "_" in URL username and password
  [SecurityBundle] Passwords are not encoded when algorithm set to \"true\"
  do not validate passwords when the hash is null
  [DI] fix resolving bindings for named TypedReference
  [DI] Fix making the container path-independent when the app is in /app
  Allow copy instead of symlink for ./link script
  [FrameworkBundle] resolve service locators in `debug:*` commands
  bumped Symfony version to 4.3.10
  updated VERSION for 4.3.9
  updated CHANGELOG for 4.3.9
  bumped Symfony version to 3.4.37
  updated VERSION for 3.4.36
  update CONTRIBUTORS for 3.4.36
  updated CHANGELOG for 3.4.36
  Add test on ServerLogHandler

Author: xabbuh

Core/Authentication/Provider/DaoAuthenticationProvider.php

@@ -55,6 +55,10 @@ protected function checkAuthentication(UserInterface $user, UsernamePasswordToke
                 throw new BadCredentialsException('The presented password cannot be empty.');
             }
 
+            if (null === $user->getPassword()) {
+                throw new BadCredentialsException('The presented password is invalid.');
+            }
+
             $encoder = $this->encoderFactory->getEncoder($user);
 
             if (!$encoder->isPasswordValid($user->getPassword(), $presentedPassword, $user->getSalt())) {

Core/Encoder/UserPasswordEncoder.php

@@ -42,6 +42,10 @@ public function encodePassword(UserInterface $user, $plainPassword)
      */
     public function isPasswordValid(UserInterface $user, $raw)
     {
+        if (null === $user->getPassword()) {
+            return false;
+        }
+
         $encoder = $this->encoderFactory->getEncoder($user);
 
         return $encoder->isPasswordValid($user->getPassword(), $raw, $user->getSalt());

Core/Tests/Authentication/Provider/DaoAuthenticationProviderTest.php

@@ -152,7 +152,7 @@ public function testCheckAuthenticationWhenCredentialsAre0()
 
         $method->invoke(
             $provider,
-            $this->getMockBuilder('Symfony\\Component\\Security\\Core\\User\\UserInterface')->getMock(),
+            new User('username', 'password'),
             $token
         );
     }
@@ -176,7 +176,7 @@ public function testCheckAuthenticationWhenCredentialsAreNotValid()
               ->willReturn('foo')
         ;
 
-        $method->invoke($provider, $this->getMockBuilder('Symfony\\Component\\Security\\Core\\User\\UserInterface')->getMock(), $token);
+        $method->invoke($provider, new User('username', 'password'), $token);
     }
 
     public function testCheckAuthenticationDoesNotReauthenticateWhenPasswordHasChanged()
@@ -248,7 +248,7 @@ public function testCheckAuthentication()
               ->willReturn('foo')
         ;
 
-        $method->invoke($provider, $this->getMockBuilder('Symfony\\Component\\Security\\Core\\User\\UserInterface')->getMock(), $token);
+        $method->invoke($provider, new User('username', 'password'), $token);
     }
 
     public function testPasswordUpgrades()

Core/Validator/Constraints/UserPasswordValidator.php

@@ -53,7 +53,7 @@ public function validate($password, Constraint $constraint)
 
         $encoder = $this->encoderFactory->getEncoder($user);
 
-        if (!$encoder->isPasswordValid($user->getPassword(), $password, $user->getSalt())) {
+        if (null === $user->getPassword() || !$encoder->isPasswordValid($user->getPassword(), $password, $user->getSalt())) {
             $this->context->addViolation($constraint->message);
         }
     }