laravel / fortify

Backend controllers and scaffolding for Laravel authentication.
https://laravel.com/docs/fortify
MIT License

Exception if password input is not a string #209

Closed bonroyage closed 3 years ago

bonroyage commented 3 years ago

Description:

When providing a non-scalar input for the password field (e.g. an array), the Password rule will throw an exception for mb_* and preg_match functions:

Steps To Reproduce:

Exception:

Route::get('validate', function () {
    $input = ['password' => ['foo' => 'bar']];

    $validator = \Illuminate\Support\Facades\Validator::make($input, [
        'password' => ['required', 'string', (new \Laravel\Fortify\Rules\Password())->requireSpecialCharacter()],
    ]);

    $validator->passes();

    return $validator->failed();
});

Possible solutions:

Option 1: add bail before the Password rule

Option 2: check if the value is a string in the Password rule class (it's a direct copy of the string rule). I'd be happy to put this in a PR if you'd like to go this route.

public function passes($attribute, $value)
{
    if (! is_string($value)) { // add this condition
        return false;
    }

    if ($this->requireUppercase && Str::lower($value) === $value) {
        return false;
    }

    if ($this->requireNumeric && ! preg_match('/[0-9]/', $value)) {
        return false;
    }

    if ($this->requireSpecialCharacter && ! preg_match('/[\W_]/', $value)) {
        return false;
    }

    return Str::length($value) >= $this->length;
}
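
A stand-alone sketch of Option 2 from the comment above, added here as an example and not taken from Fortify or the linked PR. The class name PasswordRuleSketch, its default length of 8 and the sample inputs are assumptions; it calls preg_match and mb_strlen directly and assumes PHP 8, where a non-string argument to those functions raises a TypeError.

```php
<?php
// Added illustration, not Fortify's code. PasswordRuleSketch is a hypothetical
// stand-in that performs the same kind of checks with the native functions.
final class PasswordRuleSketch
{
    public function __construct(
        private int $length = 8,     // assumed minimum length
        private bool $guard = true,  // toggles the Option 2 type check
    ) {}

    public function passes(mixed $value): bool
    {
        // Option 2: reject anything that is not a string before using it.
        if ($this->guard && ! is_string($value)) {
            return false;
        }

        // Special character required (same pattern as in the issue).
        if (! preg_match('/[\W_]/', $value)) {
            return false;
        }

        return mb_strlen($value) >= $this->length;
    }
}

// Constructed inputs: a client controls the shape of the field, so
// password[foo]=bar arrives as an array rather than a string.
$inputs = [
    'valid string' => 'correct-horse-1',
    'short string' => 'a!',
    'assoc array'  => ['foo' => 'bar'],
    'list array'   => ['a', 'b'],
];

foreach ([true, false] as $guard) {
    $rule = new PasswordRuleSketch(guard: $guard);
    foreach ($inputs as $label => $value) {
        try {
            $result = $rule->passes($value) ? 'passes' : 'fails validation';
        } catch (\TypeError $e) {
            // Unguarded path: the request ends in an exception instead of
            // a normal validation failure.
            $result = 'TypeError: ' . $e->getMessage();
        }
        printf("guard=%s %-13s => %s\n", $guard ? 'on ' : 'off', $label, $result);
    }
}
```

With the guard on, both array inputs fail validation like any other bad password; with it off, they surface as TypeError.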

driesvints commented 3 years ago

Thanks. Sent in a PR here: https://github.com/laravel/fortify/pull/211