security #cve-2021-21424 [Security\Core] Fix user enumeration via response body on invalid credentials (chalasr)
This PR was merged into the 3.4 branch.
This commit is contained in:
commit
1ad13fec2e
@ -84,8 +84,8 @@ abstract class UserAuthenticationProvider implements AuthenticationProviderInter
|
|||||||
$this->userChecker->checkPreAuth($user);
|
$this->userChecker->checkPreAuth($user);
|
||||||
$this->checkAuthentication($user, $token);
|
$this->checkAuthentication($user, $token);
|
||||||
$this->userChecker->checkPostAuth($user);
|
$this->userChecker->checkPostAuth($user);
|
||||||
} catch (AccountStatusException $e) {
|
} catch (AuthenticationException $e) {
|
||||||
if ($this->hideUserNotFoundExceptions) {
|
if ($this->hideUserNotFoundExceptions && ($e instanceof AccountStatusException || $e instanceof BadCredentialsException)) {
|
||||||
throw new BadCredentialsException('Bad credentials.', 0, $e);
|
throw new BadCredentialsException('Bad credentials.', 0, $e);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -18,6 +18,7 @@ use Symfony\Component\Security\Core\Exception\CredentialsExpiredException;
|
|||||||
use Symfony\Component\Security\Core\Exception\UsernameNotFoundException;
|
use Symfony\Component\Security\Core\Exception\UsernameNotFoundException;
|
||||||
use Symfony\Component\Security\Core\Role\Role;
|
use Symfony\Component\Security\Core\Role\Role;
|
||||||
use Symfony\Component\Security\Core\Role\SwitchUserRole;
|
use Symfony\Component\Security\Core\Role\SwitchUserRole;
|
||||||
|
use Symfony\Component\Security\Core\User\UserInterface;
|
||||||
|
|
||||||
class UserAuthenticationProviderTest extends TestCase
|
class UserAuthenticationProviderTest extends TestCase
|
||||||
{
|
{
|
||||||
@ -62,6 +63,24 @@ class UserAuthenticationProviderTest extends TestCase
|
|||||||
$provider->authenticate($this->getSupportedToken());
|
$provider->authenticate($this->getSupportedToken());
|
||||||
}
|
}
|
||||||
|
|
||||||
|
public function testAuthenticateWhenCredentialsAreInvalidAndHideIsTrue()
|
||||||
|
{
|
||||||
|
$provider = $this->getProvider();
|
||||||
|
$provider->expects($this->once())
|
||||||
|
->method('retrieveUser')
|
||||||
|
->willReturn($this->createMock(UserInterface::class))
|
||||||
|
;
|
||||||
|
$provider->expects($this->once())
|
||||||
|
->method('checkAuthentication')
|
||||||
|
->willThrowException(new BadCredentialsException())
|
||||||
|
;
|
||||||
|
|
||||||
|
$this->expectException(BadCredentialsException::class);
|
||||||
|
$this->expectExceptionMessage('Bad credentials.');
|
||||||
|
|
||||||
|
$provider->authenticate($this->getSupportedToken());
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* @group legacy
|
* @group legacy
|
||||||
*/
|
*/
|
||||||
|
Reference in New Issue
Block a user