bug #36223 [Security][Http][SwitchUserListener] Ignore all non existent username protection errors (fancyweb)

This PR was merged into the 4.4 branch.

Discussion
----------

[Security][Http][SwitchUserListener] Ignore all non existent username protection errors

| Q             | A
| ------------- | ---
| Branch?       | 4.4
| Bug fix?      | yes
| New feature?  | no
| Deprecations? | no
| Tickets       | https://github.com/symfony/symfony/issues/36174
| License       | MIT
| Doc PR        | -

Since we generate the non-existent username blindly, it can lead to Doctrine exceptions or any other exception.

We can catch all exceptions here, but I guess it reduces the protection since the SQL query was not executed?

Alternative: we can only catch Doctrine DriverException (in addition to the existing AuthenticationException) and only silence the reported error codes?
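To make the trade-off in the description concrete, here is an added illustration in PHP that is not Symfony's or Doctrine's code. It uses constructed stand-ins (`UuidUserProvider`, a local `DriverException`, and the error-code whitelist `IGNORED_DRIVER_CODES`, all hypothetical) to show why the listener performs a second, dummy lookup on the success path, and what the narrower "catch only driver errors with known codes" alternative would look like next to the catch-all that the PR adopts.

```php
<?php
// Added example, not project code. All classes below are constructed stand-ins
// for Symfony's AuthenticationException / UserProviderInterface and Doctrine's
// DriverException; the error code 22 is an assumed value, not a real driver code.

class AuthenticationException extends \RuntimeException {}
class DriverException extends \RuntimeException {}

interface UserProviderInterface
{
    public function loadUserByUsername(string $username): array;
}

// Provider whose username column is a UUID: a non-UUID string fails at the
// driver level instead of reporting "not found". This is the situation the
// linked issue describes, since the listener generates the dummy name blindly.
final class UuidUserProvider implements UserProviderInterface
{
    private const UUID = '/^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i';
    private array $users;

    public function __construct(array $users) { $this->users = $users; }

    public function loadUserByUsername(string $username): array
    {
        if (!preg_match(self::UUID, $username)) {
            throw new DriverException(sprintf('invalid input syntax for type uuid: "%s"', $username), 22);
        }
        usleep(200); // constructed stand-in for the database round trip
        if (!isset($this->users[$username])) {
            throw new AuthenticationException('Username not found.');
        }
        return $this->users[$username];
    }
}

// Assumed list of driver error codes that mean "bad input, the query did run
// against the driver", i.e. the narrower alternative from the PR description.
const IGNORED_DRIVER_CODES = [22];

// Mirrors the shape of the listener code: the success path does a second
// lookup of a name that cannot exist, the "not found" path re-loads the current
// user, so both paths cost one extra provider call and timing does not reveal
// whether the target username exists. $catchAll selects the PR's behaviour
// (ignore any exception) versus the narrower alternative (ignore only known
// driver codes, rethrow anything else).
function attemptSwitch(UserProviderInterface $provider, string $target, string $current, bool $catchAll): ?array
{
    $nonExistentUsername = '_'.bin2hex(random_bytes(8)); // generated blindly

    try {
        $user = $provider->loadUserByUsername($target);
        try {
            $provider->loadUserByUsername($nonExistentUsername);
        } catch (AuthenticationException $e) {
            // expected outcome: the dummy username does not exist
        } catch (\Exception $e) {
            if ($catchAll) {
                // PR behaviour: the lookup only exists for timing; ignore whatever it threw
            } elseif ($e instanceof DriverException && in_array($e->getCode(), IGNORED_DRIVER_CODES, true)) {
                // narrower alternative: bad-input driver errors are the only ones silenced
            } else {
                throw $e; // anything unexpected still surfaces
            }
        }
        return $user;
    } catch (AuthenticationException $e) {
        $provider->loadUserByUsername($current); // keep the failure path's cost equal
        return null;
    }
}

$users = ['1f3c2a9e-6b4d-4a8e-9c1b-2d5e7f8a9b0c' => ['username' => 'alice']];
$provider = new UuidUserProvider($users);
$current = '1f3c2a9e-6b4d-4a8e-9c1b-2d5e7f8a9b0c';

// With the catch-all, switching to an existing user works despite the driver error
var_dump(attemptSwitch($provider, $current, $current, true) !== null);   // bool(true)
// With the narrower catch, the constructed code 22 is whitelisted so it also works
var_dump(attemptSwitch($provider, $current, $current, false) !== null);  // bool(true)
// A non-existent (but well-formed) target takes the other path and returns null
var_dump(attemptSwitch($provider, '0f0f0f0f-0000-4000-8000-000000000000', $current, true)); // NULL
```

Before this PR the inner catch only covered `AuthenticationException`, so on the `UuidUserProvider` above every switch to a valid target would have failed with the driver exception. The flag shows the two repair options side by side; the narrower one keeps unexpected failures visible but needs a maintained list of driver codes, which is the cost the description weighs.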

Commits
-------

42311d5c29 [Security][Http][SwitchUserListener] Ignore all non existent username protection errors
Nicolas Grekas 2020-04-01 11:28:26 +02:00
commit 15edfd39d4


@ -168,7 +168,7 @@ class SwitchUserListener extends AbstractListener implements ListenerInterface
try {
$this->provider->loadUserByUsername($nonExistentUsername);
} catch (AuthenticationException $e) {
} catch (\Exception $e) {
}
} catch (AuthenticationException $e) {
$this->provider->loadUserByUsername($currentUsername);
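Review bot: the new empty `catch (\Exception $e) {}` around the `$nonExistentUsername` lookup silently swallows every provider error with no comment explaining why that is intended; add a one-line comment stating that this lookup exists only to keep the timing of the success path equal to the failure path and that its result is deliberately discarded, otherwise the next reader will "fix" it. Two further points for the same lines: `\Exception` does not cover `\Error` subclasses, so a `TypeError` from a typed provider would still escape, and `\Throwable` would be the consistent choice if the intent is to ignore every failure; and, as the description already notes, when the driver rejects the generated name before the query runs the dummy lookup does less work than the real one, so the timing equalisation is weaker in that case than the unchanged context lines suggest.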