security #cve-2021-21424 [Security\Core] Fix user enumeration via response body on invalid credentials (chalasr)
This PR was merged into the 3.4 branch.
commit
1ad13fec2e
@ -84,8 +84,8 @@ abstract class UserAuthenticationProvider implements AuthenticationProviderInter
$this->userChecker->checkPreAuth($user);
$this->checkAuthentication($user, $token);
$this->userChecker->checkPostAuth($user);
} catch (AccountStatusException $e) {
if ($this->hideUserNotFoundExceptions) {
} catch (AuthenticationException $e) {
if ($this->hideUserNotFoundExceptions && ($e instanceof AccountStatusException || $e instanceof BadCredentialsException)) {
throw new BadCredentialsException('Bad credentials.', 0, $e);
}
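Review bot: The original exception is still attached as the previous exception on the rethrown one at `throw new BadCredentialsException('Bad credentials.', 0, $e);`, so the masking holds only as long as nothing that renders the response walks `getPrevious()`; the test added in this commit checks the top-level message only. The widened condition also leaves any AuthenticationException that is neither an AccountStatusException nor a BadCredentialsException surfacing with its own message, which reads as intentional but deserves a comment so a later edit does not widen or narrow it by accident, e.g. `// Mask account-status and credential failures behind one generic message so the response cannot distinguish an unknown user from a wrong password (CVE-2021-21424); other AuthenticationExceptions keep their own message.` The try/catch and the method it sits in start and end outside the hunk, so the non-hidden rethrow path is not visible here.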
@ -18,6 +18,7 @@ use Symfony\Component\Security\Core\Exception\CredentialsExpiredException;
use Symfony\Component\Security\Core\Exception\UsernameNotFoundException;
use Symfony\Component\Security\Core\Role\Role;
use Symfony\Component\Security\Core\Role\SwitchUserRole;
use Symfony\Component\Security\Core\User\UserInterface;
class UserAuthenticationProviderTest extends TestCase
{
@ -62,6 +63,24 @@ class UserAuthenticationProviderTest extends TestCase
$provider->authenticate($this->getSupportedToken());
}
public function testAuthenticateWhenCredentialsAreInvalidAndHideIsTrue()
{
$provider = $this->getProvider();
$provider->expects($this->once())
->method('retrieveUser')
->willReturn($this->createMock(UserInterface::class))
;
$provider->expects($this->once())
->method('checkAuthentication')
->willThrowException(new BadCredentialsException())
;
$this->expectException(BadCredentialsException::class);
$this->expectExceptionMessage('Bad credentials.');
$provider->authenticate($this->getSupportedToken());
}
/**
* @group legacy
*/
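Review bot: testAuthenticateWhenCredentialsAreInvalidAndHideIsTrue relies on `$this->getProvider()` with no arguments to yield a provider with hideUserNotFoundExceptions enabled; if that helper accepts the flag as a parameter (its definition is outside the hunk), pass it explicitly so the test name and the setup agree. `$this->expectExceptionMessage('Bad credentials.');` pins the masked message, but the mirror case with hiding disabled, where the original exception is presumably meant to pass through unchanged, would make the regression guard symmetric, and I cannot tell from this hunk whether a sibling test already covers it. The test also does not assert that the thrown exception carries the original BadCredentialsException as its previous exception, which the provider change sets through the third constructor argument.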