Merge branch '2.8' into 3.0
* 2.8: limited the maximum length of a submitted username
commit
19b8d9e801
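--- a/Symfony/Component/Security/Core/Security.php
+++ b/Symfony/Component/Security/Core/Security.php
@@ -21,4 +21,5 @@ final class Security
 const ACCESS_DENIED_ERROR = '_security.403_error';
 const AUTHENTICATION_ERROR = '_security.last_error';
 const LAST_USERNAME = '_security.last_username';
+const MAX_USERNAME_LENGTH = 4096;
 }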
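Review bot: `MAX_USERNAME_LENGTH` is added without a doc comment, so a reader of this class cannot tell what unit the limit is measured in or where it is enforced. A docblock above the constant such as `/** Maximum byte length of a submitted username; the form authentication listeners reject longer values as bad credentials before the username is stored in the session or turned into a token. */` would record both, and "byte" matters because the listeners compare with strlen() rather than a character count. The choice of 4096 is not explained either; if it mirrors a concrete limit elsewhere, naming that in the same comment would help whoever later considers changing it.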
@ -21,6 +21,7 @@ use Symfony\Component\Security\Http\Authentication\AuthenticationSuccessHandlerI
|
|||||||
use Symfony\Component\Security\Core\Authentication\AuthenticationManagerInterface;
|
use Symfony\Component\Security\Core\Authentication\AuthenticationManagerInterface;
|
||||||
use Symfony\Component\Security\Http\Authentication\SimpleFormAuthenticatorInterface;
|
use Symfony\Component\Security\Http\Authentication\SimpleFormAuthenticatorInterface;
|
||||||
use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;
|
use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;
|
||||||
|
use Symfony\Component\Security\Core\Exception\BadCredentialsException;
|
||||||
use Symfony\Component\Security\Core\Security;
|
use Symfony\Component\Security\Core\Security;
|
||||||
use Symfony\Component\Security\Http\HttpUtils;
|
use Symfony\Component\Security\Http\HttpUtils;
|
||||||
use Symfony\Component\Security\Http\ParameterBagUtils;
|
use Symfony\Component\Security\Http\ParameterBagUtils;
|
||||||
@ -107,6 +108,10 @@ class SimpleFormAuthenticationListener extends AbstractAuthenticationListener
|
|||||||
$password = ParameterBagUtils::getRequestParameterValue($request, $this->options['password_parameter']);
|
$password = ParameterBagUtils::getRequestParameterValue($request, $this->options['password_parameter']);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (strlen($username) > Security::MAX_USERNAME_LENGTH) {
|
||||||
|
throw new BadCredentialsException('Invalid username.');
|
||||||
|
}
|
||||||
|
|
||||||
$request->getSession()->set(Security::LAST_USERNAME, $username);
|
$request->getSession()->set(Security::LAST_USERNAME, $username);
|
||||||
|
|
||||||
$token = $this->simpleAuthenticator->createToken($request, $username, $password, $this->providerKey);
|
$token = $this->simpleAuthenticator->createToken($request, $username, $password, $this->providerKey);
|
||||||
|
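Review bot: The guard at `if (strlen($username) > Security::MAX_USERNAME_LENGTH)` measures bytes, not characters, which is the right measure for a resource limit but is easy to misread; a comment such as `// byte length on purpose: bounds what reaches the session and the authenticator` would make that explicit. It is not visible in this hunk whether `$username` is guaranteed to be a string at this point; if the parameter helper can hand back a non-string for a malformed submission, strlen() would only emit a warning and the guard would let the value through, so `if (!is_string($username) || strlen($username) > Security::MAX_USERNAME_LENGTH)` is the safer form. The same four lines are repeated verbatim in the second hunk of UsernamePasswordFormAuthenticationListener below, and both classes extend AbstractAuthenticationListener, so a small protected helper on the parent would keep the two checks from drifting. The enclosing method begins and ends outside this hunk.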
@ -23,6 +23,7 @@ use Symfony\Component\Security\Http\HttpUtils;
|
|||||||
use Symfony\Component\Security\Core\Authentication\AuthenticationManagerInterface;
|
use Symfony\Component\Security\Core\Authentication\AuthenticationManagerInterface;
|
||||||
use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;
|
use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;
|
||||||
use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken;
|
use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken;
|
||||||
|
use Symfony\Component\Security\Core\Exception\BadCredentialsException;
|
||||||
use Symfony\Component\Security\Core\Exception\InvalidCsrfTokenException;
|
use Symfony\Component\Security\Core\Exception\InvalidCsrfTokenException;
|
||||||
use Symfony\Component\Security\Core\Security;
|
use Symfony\Component\Security\Core\Security;
|
||||||
use Symfony\Component\EventDispatcher\EventDispatcherInterface;
|
use Symfony\Component\EventDispatcher\EventDispatcherInterface;
|
||||||
@ -83,6 +84,10 @@ class UsernamePasswordFormAuthenticationListener extends AbstractAuthenticationL
|
|||||||
$password = ParameterBagUtils::getRequestParameterValue($request, $this->options['password_parameter']);
|
$password = ParameterBagUtils::getRequestParameterValue($request, $this->options['password_parameter']);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (strlen($username) > Security::MAX_USERNAME_LENGTH) {
|
||||||
|
throw new BadCredentialsException('Invalid username.');
|
||||||
|
}
|
||||||
|
|
||||||
$request->getSession()->set(Security::LAST_USERNAME, $username);
|
$request->getSession()->set(Security::LAST_USERNAME, $username);
|
||||||
|
|
||||||
return $this->authenticationManager->authenticate(new UsernamePasswordToken($username, $password, $this->providerKey));
|
return $this->authenticationManager->authenticate(new UsernamePasswordToken($username, $password, $this->providerKey));
|
||||||
|
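--- /dev/null
+++ b/Symfony/Component/Security/Tests/Http/Firewall/UsernamePasswordFormAuthenticationListenerTest.php
@@ -0,0 +1,78 @@
+<?php
+
+/*
+* This file is part of the Symfony package.
+*
+* (c) Fabien Potencier <fabien@symfony.com>
+*
+* For the full copyright and license information, please view the LICENSE
+* file that was distributed with this source code.
+*/
+
+namespace Symfony\Component\Security\Tests\Http\Firewall;
+
+use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\HttpFoundation\Response;
+use Symfony\Component\Security\Http\Firewall\UsernamePasswordFormAuthenticationListener;
+use Symfony\Component\Security\Core\Security;
+
+class UsernamePasswordFormAuthenticationListenerTest extends \PHPUnit_Framework_TestCase
+{
+/**
+* @dataProvider getUsernameForLength
+*/
+public function testHandleWhenUsernameLength($username, $ok)
+{
+$request = Request::create('/login_check', 'POST', array('_username' => $username));
+$request->setSession($this->getMock('Symfony\Component\HttpFoundation\Session\SessionInterface'));
+
+$httpUtils = $this->getMock('Symfony\Component\Security\Http\HttpUtils');
+$httpUtils
+->expects($this->any())
+->method('checkRequestPath')
+->will($this->returnValue(true))
+;
+
+$failureHandler = $this->getMock('Symfony\Component\Security\Http\Authentication\AuthenticationFailureHandlerInterface');
+$failureHandler
+->expects($ok ? $this->never() : $this->once())
+->method('onAuthenticationFailure')
+->will($this->returnValue(new Response()))
+;
+
+$authenticationManager = $this->getMockBuilder('Symfony\Component\Security\Core\Authentication\AuthenticationProviderManager')->disableOriginalConstructor()->getMock();
+$authenticationManager
+->expects($ok ? $this->once() : $this->never())
+->method('authenticate')
+->will($this->returnValue(new Response()))
+;
+
+$listener = new UsernamePasswordFormAuthenticationListener(
+$this->getMock('Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface'),
+$authenticationManager,
+$this->getMock('Symfony\Component\Security\Http\Session\SessionAuthenticationStrategyInterface'),
+$httpUtils,
+'TheProviderKey',
+$this->getMock('Symfony\Component\Security\Http\Authentication\AuthenticationSuccessHandlerInterface'),
+$failureHandler,
+array('require_previous_session' => false)
+);
+
+$event = $this->getMock('Symfony\Component\HttpKernel\Event\GetResponseEvent', array(), array(), '', false);
+$event
+->expects($this->any())
+->method('getRequest')
+->will($this->returnValue($request))
+;
+
+$listener->handle($event);
+}
+
+public function getUsernameForLength()
+{
+return array(
+array(str_repeat('x', Security::MAX_USERNAME_LENGTH + 1), false),
+array(str_repeat('x', Security::MAX_USERNAME_LENGTH - 1), true),
+);
+}
+}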
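Review bot: The data provider in `getUsernameForLength` covers MAX + 1 and MAX - 1 but not MAX itself, which is exactly the value the `>` comparison in the listener turns on; adding `array(str_repeat('x', Security::MAX_USERNAME_LENGTH), true),` pins the boundary so a later change to `>=` is caught. The test asserts only which handler is invoked, not that the rejection is a BadCredentialsException, so the exception type the listener throws is unverified. SimpleFormAuthenticationListener receives the same guard in this commit but no corresponding test; a parallel case there would keep the two code paths covered.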