encryptWithUserSettings assumes there is a salt

[lekoala]

Module version(s) affected

5.x

Description

I've encountered this issue while using https://github.com/emteknetnz/silverstripe-rest-api

My admin user doesn't have a password and no salt (but there is an PasswordEncryption field with a value)

If there is an attempt to encrypt with user settings (ie: an api token), the framework "assumes" there is a salt, while there is no guarantee there is one. Since php 8, this is breaking the blowfish encryption (a salt is required)

https://github.com/emteknetnz/silverstripe-rest-api/blob/924cd948c395f3fbf26c039af3f50f64a98b383d/src/Controllers/RestApiEndpoint.php#L153

Maybe it's a misuse of the method, but at any rate, I think that the framework should not assume anything: if the method is callable, it should work or throw a proper exception

How to reproduce

On a Member without a password, but with a PasswordEncryption Call $member->encryptWithUserSettings('somestring') You get a blowfish exception because it could not encrypt with an empty salt

Possible Solution

• a salt is generated if needed
• a proper exception is thrown

Additional Context

No response

Validations

• [X] Check that there isn't already an issue that reports the same bug
• [X] Double check that your reproduction steps work in a fresh installation of silverstripe/installer (with any code examples you've provided)

PRs

• https://github.com/silverstripe/silverstripe-framework/pull/11158

[GuySartorelli]

PR merged. Will be automatically tagged by GitHub actions.