bug #30347 [Security] Change FormAuthenticator if condition (PReimers)
This PR was squashed before being merged into the 3.4 branch (closes #30347).
Discussion
----------
[Security] Change FormAuthenticator if condition
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | #30341
| License | MIT
| Doc PR | -
I changed the if condition in `SimpleFormAuthenticationListener` and `UsernamePasswordFormAuthenticationListener` based on the solution provided by @nikic in issue #30341
#OpenSourceFriday
Commits
-------
67ae121b2e
[Security] Change FormAuthenticator if condition
@ -107,7 +107,7 @@ class SimpleFormAuthenticationListener extends AbstractAuthenticationListener
|
|||||||
$password = ParameterBagUtils::getRequestParameterValue($request, $this->options['password_parameter']);
|
$password = ParameterBagUtils::getRequestParameterValue($request, $this->options['password_parameter']);
|
||||||
}
|
}
|
||||||
|
|
||||||
if (!\is_string($username) || (\is_object($username) && !\method_exists($username, '__toString'))) {
|
if (!\is_string($username) && (!\is_object($username) || !\method_exists($username, '__toString'))) {
|
||||||
throw new BadRequestHttpException(sprintf('The key "%s" must be a string, "%s" given.', $this->options['username_parameter'], \gettype($username)));
|
throw new BadRequestHttpException(sprintf('The key "%s" must be a string, "%s" given.', $this->options['username_parameter'], \gettype($username)));
|
||||||
}
|
}
|
||||||
|
|
||||||
|
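Review bot: The guard added here is applied only to `$username`; `$password`, read from the request on the first line of this hunk (and likewise in the UsernamePasswordFormAuthenticationListener hunk below), still reaches the rest of the method in whatever shape the client submitted, so a password parameter sent as an array is not rejected with a 400 at this boundary. What happens to a non-string password is outside the hunk and not visible here; if it is later handed to a string-typed encoder or compared as a string, the likely outcome is a TypeError or a notice rather than a clean request error. The check could be mirrored in one statement: `if (!\is_string($password) && (!\is_object($password) || !\method_exists($password, '__toString'))) { throw new BadRequestHttpException(sprintf('The key "%s" must be a string, "%s" given.', $this->options['password_parameter'], \gettype($password))); }`. Since the condition is now byte-identical in both listeners, a small shared helper (ParameterBagUtils or AbstractAuthenticationListener would be natural homes) would keep the two from drifting apart again. The enclosing method starts and ends outside the hunk.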
@ -85,7 +85,7 @@ class UsernamePasswordFormAuthenticationListener extends AbstractAuthenticationL
|
|||||||
$password = ParameterBagUtils::getRequestParameterValue($request, $this->options['password_parameter']);
|
$password = ParameterBagUtils::getRequestParameterValue($request, $this->options['password_parameter']);
|
||||||
}
|
}
|
||||||
|
|
||||||
if (!\is_string($username) || (\is_object($username) && !\method_exists($username, '__toString'))) {
|
if (!\is_string($username) && (!\is_object($username) || !\method_exists($username, '__toString'))) {
|
||||||
throw new BadRequestHttpException(sprintf('The key "%s" must be a string, "%s" given.', $this->options['username_parameter'], \gettype($username)));
|
throw new BadRequestHttpException(sprintf('The key "%s" must be a string, "%s" given.', $this->options['username_parameter'], \gettype($username)));
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -81,7 +81,7 @@ class UsernamePasswordFormAuthenticationListenerTest extends TestCase
|
|||||||
* @expectedException \Symfony\Component\HttpKernel\Exception\BadRequestHttpException
|
* @expectedException \Symfony\Component\HttpKernel\Exception\BadRequestHttpException
|
||||||
* @expectedExceptionMessage The key "_username" must be a string, "array" given.
|
* @expectedExceptionMessage The key "_username" must be a string, "array" given.
|
||||||
*/
|
*/
|
||||||
public function testHandleNonStringUsername($postOnly)
|
public function testHandleNonStringUsernameWithArray($postOnly)
|
||||||
{
|
{
|
||||||
$request = Request::create('/login_check', 'POST', ['_username' => []]);
|
$request = Request::create('/login_check', 'POST', ['_username' => []]);
|
||||||
$request->setSession($this->getMockBuilder('Symfony\Component\HttpFoundation\Session\SessionInterface')->getMock());
|
$request->setSession($this->getMockBuilder('Symfony\Component\HttpFoundation\Session\SessionInterface')->getMock());
|
||||||
@ -99,6 +99,79 @@ class UsernamePasswordFormAuthenticationListenerTest extends TestCase
|
|||||||
$listener->handle($event);
|
$listener->handle($event);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @dataProvider postOnlyDataProvider
|
||||||
|
* @expectedException \Symfony\Component\HttpKernel\Exception\BadRequestHttpException
|
||||||
|
* @expectedExceptionMessage The key "_username" must be a string, "integer" given.
|
||||||
|
*/
|
||||||
|
public function testHandleNonStringUsernameWithInt($postOnly)
|
||||||
|
{
|
||||||
|
$request = Request::create('/login_check', 'POST', ['_username' => 42]);
|
||||||
|
$request->setSession($this->getMockBuilder('Symfony\Component\HttpFoundation\Session\SessionInterface')->getMock());
|
||||||
|
$listener = new UsernamePasswordFormAuthenticationListener(
|
||||||
|
new TokenStorage(),
|
||||||
|
$this->getMockBuilder('Symfony\Component\Security\Core\Authentication\AuthenticationManagerInterface')->getMock(),
|
||||||
|
new SessionAuthenticationStrategy(SessionAuthenticationStrategy::NONE),
|
||||||
|
$httpUtils = new HttpUtils(),
|
||||||
|
'foo',
|
||||||
|
new DefaultAuthenticationSuccessHandler($httpUtils),
|
||||||
|
new DefaultAuthenticationFailureHandler($this->getMockBuilder('Symfony\Component\HttpKernel\HttpKernelInterface')->getMock(), $httpUtils),
|
||||||
|
['require_previous_session' => false, 'post_only' => $postOnly]
|
||||||
|
);
|
||||||
|
$event = new GetResponseEvent($this->getMockBuilder('Symfony\Component\HttpKernel\HttpKernelInterface')->getMock(), $request, HttpKernelInterface::MASTER_REQUEST);
|
||||||
|
$listener->handle($event);
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @dataProvider postOnlyDataProvider
|
||||||
|
* @expectedException \Symfony\Component\HttpKernel\Exception\BadRequestHttpException
|
||||||
|
* @expectedExceptionMessage The key "_username" must be a string, "object" given.
|
||||||
|
*/
|
||||||
|
public function testHandleNonStringUsernameWithObject($postOnly)
|
||||||
|
{
|
||||||
|
$request = Request::create('/login_check', 'POST', ['_username' => new \stdClass()]);
|
||||||
|
$request->setSession($this->getMockBuilder('Symfony\Component\HttpFoundation\Session\SessionInterface')->getMock());
|
||||||
|
$listener = new UsernamePasswordFormAuthenticationListener(
|
||||||
|
new TokenStorage(),
|
||||||
|
$this->getMockBuilder('Symfony\Component\Security\Core\Authentication\AuthenticationManagerInterface')->getMock(),
|
||||||
|
new SessionAuthenticationStrategy(SessionAuthenticationStrategy::NONE),
|
||||||
|
$httpUtils = new HttpUtils(),
|
||||||
|
'foo',
|
||||||
|
new DefaultAuthenticationSuccessHandler($httpUtils),
|
||||||
|
new DefaultAuthenticationFailureHandler($this->getMockBuilder('Symfony\Component\HttpKernel\HttpKernelInterface')->getMock(), $httpUtils),
|
||||||
|
['require_previous_session' => false, 'post_only' => $postOnly]
|
||||||
|
);
|
||||||
|
$event = new GetResponseEvent($this->getMockBuilder('Symfony\Component\HttpKernel\HttpKernelInterface')->getMock(), $request, HttpKernelInterface::MASTER_REQUEST);
|
||||||
|
$listener->handle($event);
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @dataProvider postOnlyDataProvider
|
||||||
|
*/
|
||||||
|
public function testHandleNonStringUsernameWith__toString($postOnly)
|
||||||
|
{
|
||||||
|
$usernameClass = $this->getMockBuilder(DummyUserClass::class)->getMock();
|
||||||
|
$usernameClass
|
||||||
|
->expects($this->atLeastOnce())
|
||||||
|
->method('__toString')
|
||||||
|
->will($this->returnValue('someUsername'));
|
||||||
|
|
||||||
|
$request = Request::create('/login_check', 'POST', ['_username' => $usernameClass]);
|
||||||
|
$request->setSession($this->getMockBuilder('Symfony\Component\HttpFoundation\Session\SessionInterface')->getMock());
|
||||||
|
$listener = new UsernamePasswordFormAuthenticationListener(
|
||||||
|
new TokenStorage(),
|
||||||
|
$this->getMockBuilder('Symfony\Component\Security\Core\Authentication\AuthenticationManagerInterface')->getMock(),
|
||||||
|
new SessionAuthenticationStrategy(SessionAuthenticationStrategy::NONE),
|
||||||
|
$httpUtils = new HttpUtils(),
|
||||||
|
'foo',
|
||||||
|
new DefaultAuthenticationSuccessHandler($httpUtils),
|
||||||
|
new DefaultAuthenticationFailureHandler($this->getMockBuilder('Symfony\Component\HttpKernel\HttpKernelInterface')->getMock(), $httpUtils),
|
||||||
|
['require_previous_session' => false, 'post_only' => $postOnly]
|
||||||
|
);
|
||||||
|
$event = new GetResponseEvent($this->getMockBuilder('Symfony\Component\HttpKernel\HttpKernelInterface')->getMock(), $request, HttpKernelInterface::MASTER_REQUEST);
|
||||||
|
$listener->handle($event);
|
||||||
|
}
|
||||||
|
|
||||||
public function postOnlyDataProvider()
|
public function postOnlyDataProvider()
|
||||||
{
|
{
|
||||||
return [
|
return [
|
||||||
@ -115,3 +188,11 @@ class UsernamePasswordFormAuthenticationListenerTest extends TestCase
|
|||||||
];
|
];
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
class DummyUserClass
|
||||||
|
{
|
||||||
|
public function __toString()
|
||||||
|
{
|
||||||
|
return '';
|
||||||
|
}
|
||||||
|
}
|
||||||
|
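Review bot: `testHandleNonStringUsernameWith__toString` only asserts that `__toString` is called at least once; it never checks that the listener continues with the stringified value, so a regression that throws after the cast, or passes an empty username on, would still pass as long as the method was invoked. Assuming the listener hands a UsernamePasswordToken to the authentication manager (that call is outside the hunk), the existing manager mock could pin it: `->expects($this->once())->method('authenticate')->with($this->callback(function ($token) { return 'someUsername' === $token->getUsername(); }))`. The listener construction block (`new UsernamePasswordFormAuthenticationListener(` through the `GetResponseEvent` line) is now copied four times in this class; a private `createListener($postOnly)` helper returning the listener and event would keep each new test focused on its input. `DummyUserClass::__toString()` returning `''` is never exercised because the mock stubs it, so a comment such as `// body is irrelevant: tests mock __toString, only its presence matters` would save the next reader from wondering why an empty username is the default.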