diogo/symfony
Archived
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

[Security] Fix fatal error on non string username

Browse Source
This commit is contained in:
Robin Chalas 2018-01-02 16:28:00 +01:00
parent 28485afd45
commit 8f095683d0
3 changed files with 51 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
src/Symfony/Component/Security/Http/Firewall/SimpleFormAuthenticationListener.php
View File

@ -15,6 +15,7 @@ use Symfony\Component\EventDispatcher\EventDispatcherInterface;
use Symfony\Component\Form\Extension\Csrf\CsrfProvider\CsrfProviderAdapter; use Symfony\Component\Form\Extension\Csrf\CsrfProvider\CsrfProviderAdapter;
use Symfony\Component\Form\Extension\Csrf\CsrfProvider\CsrfProviderInterface; use Symfony\Component\Form\Extension\Csrf\CsrfProvider\CsrfProviderInterface;
use Symfony\Component\HttpFoundation\Request; use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;
use Symfony\Component\Security\Core\Exception\InvalidArgumentException; use Symfony\Component\Security\Core\Exception\InvalidArgumentException;
use Symfony\Component\Security\Core\Exception\InvalidCsrfTokenException; use Symfony\Component\Security\Core\Exception\InvalidCsrfTokenException;
use Symfony\Component\Security\Csrf\CsrfToken; use Symfony\Component\Security\Csrf\CsrfToken;
@ -107,15 +108,17 @@ class SimpleFormAuthenticationListener extends AbstractAuthenticationListener
} }
} }
if ($this->options['post_only']) { $requestBag = $this->options['post_only'] ? $request->request : $request;
$username = trim($request->request->get($this->options['username_parameter'], null, true)); $username = $requestBag->get($this->options['username_parameter'], null, true);
$password = $request->request->get($this->options['password_parameter'], null, true); $password = $requestBag->get($this->options['password_parameter'], null, true);
} else {
$username = trim($request->get($this->options['username_parameter'], null, true)); if (!\is_string($username) || (\is_object($username) && !\method_exists($username, '__toString'))) {
$password = $request->get($this->options['password_parameter'], null, true); throw new BadRequestHttpException(sprintf('The key "%s" must be a string, "%s" given.', $this->options['username_parameter'], \gettype($username)));
} }
if (strlen($username) > Security::MAX_USERNAME_LENGTH) { $username = trim($username);
if (\strlen($username) > Security::MAX_USERNAME_LENGTH) {
throw new BadCredentialsException('Invalid username.'); throw new BadCredentialsException('Invalid username.');
} }

15
src/Symfony/Component/Security/Http/Firewall/UsernamePasswordFormAuthenticationListener.php
View File

@ -15,6 +15,7 @@ use Symfony\Component\Form\Extension\Csrf\CsrfProvider\CsrfProviderAdapter;
use Symfony\Component\Form\Extension\Csrf\CsrfProvider\CsrfProviderInterface; use Symfony\Component\Form\Extension\Csrf\CsrfProvider\CsrfProviderInterface;
use Symfony\Component\HttpFoundation\Request; use Symfony\Component\HttpFoundation\Request;
use Psr\Log\LoggerInterface; use Psr\Log\LoggerInterface;
use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;
use Symfony\Component\Security\Csrf\CsrfToken; use Symfony\Component\Security\Csrf\CsrfToken;
use Symfony\Component\Security\Csrf\CsrfTokenManagerInterface; use Symfony\Component\Security\Csrf\CsrfTokenManagerInterface;
use Symfony\Component\Security\Http\Authentication\AuthenticationFailureHandlerInterface; use Symfony\Component\Security\Http\Authentication\AuthenticationFailureHandlerInterface;
@ -84,14 +85,16 @@ class UsernamePasswordFormAuthenticationListener extends AbstractAuthenticationL
} }
} }
if ($this->options['post_only']) { $requestBag = $this->options['post_only'] ? $request->request : $request;
$username = trim($request->request->get($this->options['username_parameter'], null, true)); $username = $requestBag->get($this->options['username_parameter'], null, true);
$password = $request->request->get($this->options['password_parameter'], null, true); $password = $requestBag->get($this->options['password_parameter'], null, true);
} else {
$username = trim($request->get($this->options['username_parameter'], null, true)); if (!\is_string($username) || (\is_object($username) && !\method_exists($username, '__toString'))) {
$password = $request->get($this->options['password_parameter'], null, true); throw new BadRequestHttpException(sprintf('The key "%s" must be a string, "%s" given.', $this->options['username_parameter'], \gettype($username)));
} }
$username = trim($username);
if (strlen($username) > Security::MAX_USERNAME_LENGTH) { if (strlen($username) > Security::MAX_USERNAME_LENGTH) {
throw new BadCredentialsException('Invalid username.'); throw new BadCredentialsException('Invalid username.');
} }

32
src/Symfony/Component/Security/Http/Tests/Firewall/UsernamePasswordFormAuthenticationListenerTest.php
View File

@ -14,8 +14,15 @@ namespace Symfony\Component\Security\Tests\Http\Firewall;
use PHPUnit\Framework\TestCase; use PHPUnit\Framework\TestCase;
use Symfony\Component\HttpFoundation\Request; use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response; use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\HttpKernel\Event\GetResponseEvent;
use Symfony\Component\HttpKernel\HttpKernelInterface;
use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorage;
use Symfony\Component\Security\Http\Authentication\DefaultAuthenticationFailureHandler;
use Symfony\Component\Security\Http\Authentication\DefaultAuthenticationSuccessHandler;
use Symfony\Component\Security\Http\Firewall\UsernamePasswordFormAuthenticationListener; use Symfony\Component\Security\Http\Firewall\UsernamePasswordFormAuthenticationListener;
use Symfony\Component\Security\Core\SecurityContextInterface; use Symfony\Component\Security\Core\SecurityContextInterface;
use Symfony\Component\Security\Http\HttpUtils;
use Symfony\Component\Security\Http\Session\SessionAuthenticationStrategy;
class UsernamePasswordFormAuthenticationListenerTest extends TestCase class UsernamePasswordFormAuthenticationListenerTest extends TestCase
{ {
@ -69,6 +76,31 @@ class UsernamePasswordFormAuthenticationListenerTest extends TestCase
$listener->handle($event); $listener->handle($event);
} }
/**
* @expectedException \Symfony\Component\HttpKernel\Exception\BadRequestHttpException
* @expectedExceptionMessage The key "_username" must be a string, "array" given.
*/
public function testHandleNonStringUsername()
{
$request = Request::create('/login_check', 'POST', array('_username' => array()));
$request->setSession($this->getMockBuilder('Symfony\Component\HttpFoundation\Session\SessionInterface')->getMock());
$listener = new UsernamePasswordFormAuthenticationListener(
new TokenStorage(),
$this->getMockBuilder('Symfony\Component\Security\Core\Authentication\AuthenticationManagerInterface')->getMock(),
new SessionAuthenticationStrategy(SessionAuthenticationStrategy::NONE),
$httpUtils = new HttpUtils(),
'foo',
new DefaultAuthenticationSuccessHandler($httpUtils),
new DefaultAuthenticationFailureHandler($this->getMockBuilder('Symfony\Component\HttpKernel\HttpKernelInterface')->getMock(), $httpUtils),
array('require_previous_session' => false)
);
$event = new GetResponseEvent($this->getMockBuilder('Symfony\Component\HttpKernel\HttpKernelInterface')->getMock(), $request, HttpKernelInterface::MASTER_REQUEST);
$listener->handle($event);
}
public function getUsernameForLength() public function getUsernameForLength()
{ {
return array( return array(