bug #34551 [Security] SwitchUser is broken when the User Provider always returns a valid user (tucksaun)

This PR was merged into the 4.3 branch.

Discussion
----------

[Security] SwitchUser is broken when the User Provider always returns a valid user

| Q             | A
| ------------- | ---
| Branch?       | 4.3
| Bug fix?      | yes
| New feature?  | no
| Deprecations? | no
| Tickets       | n/a
| License       | MIT
| Doc PR        | n/a

Since bcfc282d42, if a UserProvider always returns a valid User object (which can happen in some OAuth workflows), switching user is not possible anymore as we hit the `LogicException`.

This patch should be safe as the timing-attack prevention is kept.

Commits
-------

2bf6cd2eea [Security] Fix SwitchUser is broken when the User Provider always returns a valid user
Fabien Potencier 2019-11-24 18:37:20 +01:00
commit 32e1be81bf

@ -153,7 +153,6 @@ class SwitchUserListener implements ListenerInterface
try {
$this->provider->loadUserByUsername($nonExistentUsername);
throw new \LogicException('AuthenticationException expected');
} catch (AuthenticationException $e) {
}
} catch (AuthenticationException $e) {
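
Review bot: The inner `try` around `$this->provider->loadUserByUsername($nonExistentUsername);` needs a comment saying the lookup is kept only to equalize response timing and that its result is deliberately ignored. The hunk header shrinks the region from 7 lines to 6, and the description names the `LogicException` as the problem, so assuming the `throw new \LogicException('AuthenticationException expected');` line is the one dropped, what remains is a call whose return value is discarded, followed by an empty `catch (AuthenticationException $e) { }`. A later cleanup could easily delete that as dead code and remove the timing-attack protection the description says is preserved. A one-line comment above the call, plus a regression test with a provider that returns a user for every username (none is visible in this hunk), would pin down both behaviours.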