[Security] fixes a bug where authentication errors might have leaked confidential information
This commit is contained in:
Johannes Schmitt
Fabien Potencier
parent
5c7fe8f866
commit
9e6fc0a11e
@ -16,7 +16,7 @@ namespace Symfony\Component\Security\Core\Exception;
|
||||
*
|
||||
* @author Fabien Potencier <fabien.potencier@symfony-project.com>
|
||||
*/
|
||||
class AuthenticationException extends \RuntimeException
|
||||
class AuthenticationException extends \RuntimeException implements \Serializable
|
||||
{
|
||||
protected $extraInformation;
|
||||
|
||||
@ -36,4 +36,26 @@ class AuthenticationException extends \RuntimeException
|
||||
{
|
||||
$this->extraInformation = $extraInformation;
|
||||
}
|
||||
|
||||
public function serialize()
|
||||
{
|
||||
return serialize(array(
|
||||
$this->extraInformation,
|
||||
$this->code,
|
||||
$this->message,
|
||||
$this->file,
|
||||
$this->line,
|
||||
));
|
||||
}
|
||||
|
||||
public function unserialize($str)
|
||||
{
|
||||
list(
|
||||
$this->extraInformation,
|
||||
$this->code,
|
||||
$this->message,
|
||||
$this->file,
|
||||
$this->line
|
||||
) = unserialize($str);
|
||||
}
|
||||
}
|
||||
|
||||
@ -2,6 +2,7 @@
|
||||
|
||||
namespace Symfony\Component\Security\Http\Authentication;
|
||||
|
||||
use Symfony\Component\Security\Core\Exception\AuthenticationException;
|
||||
use Symfony\Component\EventDispatcher\EventInterface;
|
||||
use Symfony\Component\HttpFoundation\Request;
|
||||
|
||||
@ -21,12 +22,12 @@ interface AuthenticationFailureHandlerInterface
|
||||
* called by authentication listeners inheriting from
|
||||
* AbstractAuthenticationListener.
|
||||
*
|
||||
* @param EventInterface $event the "core.security" event, this event always
|
||||
* has the kernel as target
|
||||
* @param Request $request
|
||||
* @param \Exception $exception
|
||||
* @param EventInterface $event the "core.security" event, this event always
|
||||
* has the kernel as target
|
||||
* @param Request $request
|
||||
* @param AuthenticationException $exception
|
||||
*
|
||||
* @return Response the response to return
|
||||
*/
|
||||
function onAuthenticationFailure(EventInterface $event, Request $request, \Exception $exception);
|
||||
function onAuthenticationFailure(EventInterface $event, Request $request, AuthenticationException $exception);
|
||||
}
|
||||
@ -12,7 +12,6 @@
|
||||
namespace Symfony\Component\Security\Http\Firewall;
|
||||
|
||||
use Symfony\Component\EventDispatcher\Event;
|
||||
|
||||
use Symfony\Component\Security\Http\Session\SessionAuthenticationStrategyInterface;
|
||||
use Symfony\Component\Security\Http\Authentication\AuthenticationFailureHandlerInterface;
|
||||
use Symfony\Component\Security\Http\Authentication\AuthenticationSuccessHandlerInterface;
|
||||
@ -173,7 +172,7 @@ abstract class AbstractAuthenticationListener implements ListenerInterface
|
||||
return $this->options['check_path'] === $request->getPathInfo();
|
||||
}
|
||||
|
||||
protected function onFailure($event, Request $request, \Exception $failed)
|
||||
protected function onFailure($event, Request $request, AuthenticationException $failed)
|
||||
{
|
||||
if (null !== $this->logger) {
|
||||
$this->logger->debug(sprintf('Authentication request failed: %s', $failed->getMessage()));
|
||||
@ -195,7 +194,7 @@ abstract class AbstractAuthenticationListener implements ListenerInterface
|
||||
}
|
||||
|
||||
$subRequest = Request::create($this->options['failure_path']);
|
||||
$subRequest->attributes->set(SecurityContextInterface::AUTHENTICATION_ERROR, $failed->getMessage());
|
||||
$subRequest->attributes->set(SecurityContextInterface::AUTHENTICATION_ERROR, $failed);
|
||||
|
||||
return $event->getSubject()->handle($subRequest, HttpKernelInterface::SUB_REQUEST);
|
||||
} else {
|
||||
@ -203,7 +202,7 @@ abstract class AbstractAuthenticationListener implements ListenerInterface
|
||||
$this->logger->debug(sprintf('Redirecting to %s', $this->options['failure_path']));
|
||||
}
|
||||
|
||||
$request->getSession()->set(SecurityContextInterface::AUTHENTICATION_ERROR, $failed->getMessage());
|
||||
$request->getSession()->set(SecurityContextInterface::AUTHENTICATION_ERROR, $failed);
|
||||
|
||||
$response = new Response();
|
||||
$response->setRedirect(0 !== strpos($this->options['failure_path'], 'http') ? $request->getUriForPath($this->options['failure_path']) : $this->options['failure_path'], 302);
|
||||
|
||||
Reference in New Issue
Block a user