From 90e0778bcd94d3ef120a587d77d6b50488c94695 Mon Sep 17 00:00:00 2001
From: Stefan Giehl
Date: Mon, 17 Oct 2022 00:49:16 +0200
Subject: Ensure password check can only throw wrong password error (#19861)

---
 core/Plugin/API.php | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/core/Plugin/API.php b/core/Plugin/API.php
index a5aa8d73ee..275bbf0ed4 100644
--- a/core/Plugin/API.php
+++ b/core/Plugin/API.php
@@ -131,7 +131,17 @@ abstract class API
 $passwordConfirmation = Common::unsanitizeInputValue($passwordConfirmation);
- if (!StaticContainer::get(PasswordVerifier::class)->isPasswordCorrect($loginCurrentUser, $passwordConfirmation)) {
+ try {
+ if (
+ !StaticContainer::get(PasswordVerifier::class)->isPasswordCorrect(
+ $loginCurrentUser,
+ $passwordConfirmation
+ )
+ ) {
+ throw new Exception(Piwik::translate('UsersManager_CurrentPasswordNotCorrect'));
+ }
+ } catch (Exception $e) {
+ // in case of any error (e.g. the provided password is too weak)
 throw new Exception(Piwik::translate('UsersManager_CurrentPasswordNotCorrect'));
 }
 }
-- 
cgit v1.2.3
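Review bot: The `catch (Exception $e)` block discards the caught exception entirely, so a genuine fault in the verifier (misconfiguration, storage error, a bug in `isPasswordCorrect`) is reported to the caller and to operators as "current password not correct" with no trace of the real cause, which makes a broken check indistinguishable from a bad password and hard to detect. Keep the uniform user-facing message but preserve the cause for diagnostics, e.g. `throw new Exception(Piwik::translate('UsersManager_CurrentPasswordNotCorrect'), 0, $e);`, provided the API error renderer does not expose the previous-exception chain to clients. The comment `// in case of any error (e.g. the provided password is too weak)` could also state why the error is deliberately collapsed, so that a later maintainer does not "fix" it by surfacing the original message. Note that only `Exception` is caught; if the intent in the subject line is that this check can never surface anything but the wrong-password error, an `Error` (e.g. `TypeError`) would still escape, which may or may not be desired. The enclosing method begins before this hunk.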