diogo
/
symfony
Archived
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

security #cve-2021-21424 [Security\Core] Fix user enumeration via response body on invalid credentials (chalasr) 

This PR was merged into the 3.4 branch.
This commit is contained in:
Nicolas Grekas 2021-05-19 12:32:04 +02:00
parent d0d17db1c5 e85070088e
commit 1ad13fec2e
2 changed files with 21 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
src/Symfony/Component/Security/Core/Authentication/Provider/UserAuthenticationProvider.php
View File

@ -84,8 +84,8 @@ abstract class UserAuthenticationProvider implements AuthenticationProviderInter
$this->userChecker->checkPreAuth($user);
$this->checkAuthentication($user, $token);
$this->userChecker->checkPostAuth($user);
} catch (AccountStatusException $e) {
if ($this->hideUserNotFoundExceptions) {
} catch (AuthenticationException $e) {
if ($this->hideUserNotFoundExceptions && ($e instanceof AccountStatusException || $e instanceof BadCredentialsException)) {
throw new BadCredentialsException('Bad credentials.', 0, $e);
}

19
src/Symfony/Component/Security/Core/Tests/Authentication/Provider/UserAuthenticationProviderTest.php
View File

@ -18,6 +18,7 @@ use Symfony\Component\Security\Core\Exception\CredentialsExpiredException;
use Symfony\Component\Security\Core\Exception\UsernameNotFoundException;
use Symfony\Component\Security\Core\Role\Role;
use Symfony\Component\Security\Core\Role\SwitchUserRole;
use Symfony\Component\Security\Core\User\UserInterface;
class UserAuthenticationProviderTest extends TestCase
{
@ -62,6 +63,24 @@ class UserAuthenticationProviderTest extends TestCase
$provider->authenticate($this->getSupportedToken());
}
public function testAuthenticateWhenCredentialsAreInvalidAndHideIsTrue()
{
$provider = $this->getProvider();
$provider->expects($this->once())
->method('retrieveUser')
->willReturn($this->createMock(UserInterface::class))
;
$provider->expects($this->once())
->method('checkAuthentication')
->willThrowException(new BadCredentialsException())
;
$this->expectException(BadCredentialsException::class);
$this->expectExceptionMessage('Bad credentials.');
$provider->authenticate($this->getSupportedToken());
}
/**
* @group legacy
*/