NotCompromisedPassword: PHP Warning: Undefined array key 1 #46935

Closed
@codegain

Symfony version(s) affected

5.4.10

Description

In the NotCompromisedPassword validator a PHP warning will be thrown if a received line from https://api.pwnedpasswords.com is empty.

This can be seen on this URL: https://api.pwnedpasswords.com/range/072CB (there is an additional line at the end if the source is viewed in the browser - technically there is an additional \r\n at the end of the last result).
This causes a PHP warning (in PHP 8.1) on this line in the NotCompromisedPasswordValidator:

Warning: Undefined array key 1

It does not appear to be a general problem with the API, because other hashes have no empty line at the bottom, e.g. https://api.pwnedpasswords.com/range/7F965

How to reproduce

  1. Use the NotCompromisedPassword as a constraint in a form
  2. Hardcode the $url to https://api.pwnedpasswords.com/range/072CB
  3. PHP warning Undefined array key 1 is shown

Possible Solution

Possible solutions that I've found:

1:
Check for an empty line and skip it in the loop like:

if (empty($line)) {
    continue;
}

2:
Trim \r\n from $result before the loop.

3:
Check for the presence of : before the explode used on the line and skip if it doesn't contain it.

Additional Context

While I think this should also be fixed by pwnedpasswords.com, I think adding this simple check would make the implementation a little bit more robust against changes or errors in the API like this in the future.
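
A defensive parse of a range response that combines the guards proposed above, as an added example that is not part of the original issue and is not Symfony's own code. The function name `breachCountForSuffix` and the response body are constructed for illustration; no request is sent to the API.

```php
<?php
declare(strict_types=1);

/**
 * Parse a range response body ("SUFFIX:COUNT" per line) and return the count
 * recorded for $hashSuffix. Blank or malformed lines are skipped rather than
 * destructured, which is the step that raises "Undefined array key 1".
 * (Hypothetical helper written for this example.)
 */
function breachCountForSuffix(string $body, string $hashSuffix): int
{
    // Accept \r\n, \n or \r so the line-ending style cannot change the result.
    foreach (preg_split('/\r\n|\r|\n/', $body) as $line) {
        $line = trim($line);

        // Guards 1 and 3 from the issue: empty line, or no ':' separator.
        if ('' === $line || false === strpos($line, ':')) {
            continue;
        }

        [$suffix, $count] = explode(':', $line, 2);

        // Only trust a purely numeric count; anything else is treated as noise.
        if (0 === strcasecmp($suffix, $hashSuffix) && 1 === preg_match('/^\d+$/', $count)) {
            return (int) $count;
        }
    }

    return 0; // suffix not present in this range
}

// Constructed sample: SHA-1 of a sample password, split into the 5-character
// prefix that would be sent to the API and the 35-character suffix that is
// matched locally.
$hash   = strtoupper(sha1('correct horse battery staple'));
$prefix = substr($hash, 0, 5);
$suffix = substr($hash, 5);

// Constructed response body (not real API data). It ends with "\r\n", so a
// naive split on "\r\n" yields an empty final element, as described above.
$body = str_repeat('0', 35).":3\r\n".$suffix.":42\r\n".str_repeat('F', 35).":1\r\n";

var_dump(breachCountForSuffix($body, $suffix));             // suffix listed in the body
var_dump(breachCountForSuffix($body, str_repeat('A', 35))); // suffix absent from the body
var_dump(breachCountForSuffix("\r\n\r\nnot-a-record\r\n", $suffix)); // only blank/malformed lines
```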
