[Security] fixes a bug where authentication errors might have leaked confidential information
This commit is contained in:
parent
5c7fe8f866
commit
9e6fc0a11e
@ -16,7 +16,7 @@ namespace Symfony\Component\Security\Core\Exception;
|
|||||||
*
|
*
|
||||||
* @author Fabien Potencier <fabien.potencier@symfony-project.com>
|
* @author Fabien Potencier <fabien.potencier@symfony-project.com>
|
||||||
*/
|
*/
|
||||||
class AuthenticationException extends \RuntimeException
|
class AuthenticationException extends \RuntimeException implements \Serializable
|
||||||
{
|
{
|
||||||
protected $extraInformation;
|
protected $extraInformation;
|
||||||
|
|
||||||
@ -36,4 +36,26 @@ class AuthenticationException extends \RuntimeException
|
|||||||
{
|
{
|
||||||
$this->extraInformation = $extraInformation;
|
$this->extraInformation = $extraInformation;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
public function serialize()
|
||||||
|
{
|
||||||
|
return serialize(array(
|
||||||
|
$this->extraInformation,
|
||||||
|
$this->code,
|
||||||
|
$this->message,
|
||||||
|
$this->file,
|
||||||
|
$this->line,
|
||||||
|
));
|
||||||
|
}
|
||||||
|
|
||||||
|
public function unserialize($str)
|
||||||
|
{
|
||||||
|
list(
|
||||||
|
$this->extraInformation,
|
||||||
|
$this->code,
|
||||||
|
$this->message,
|
||||||
|
$this->file,
|
||||||
|
$this->line
|
||||||
|
) = unserialize($str);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
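Review bot: `unserialize()` at the end of this hunk assigns through `list()` without checking that the payload decoded to a five-element array, so a truncated or foreign session value silently leaves `code`, `message`, `file` and `line` as null instead of failing loudly; a guard such as `$data = unserialize($str); if (!is_array($data) || 5 !== count($data)) { throw new \UnexpectedValueException('Invalid serialized AuthenticationException'); }` before the `list()` keeps the object consistent. The companion `serialize()` whitelists exactly five fields and therefore drops `previous` and the trace, which appears to be what keeps wrapped lower-level messages out of the session, and that intent deserves a comment on the `return serialize(array(` line, e.g. `// Only these fields are persisted: the previous exception and the trace are intentionally dropped so they cannot reach the session.`. Whatever `$extraInformation` holds is serialized as-is, so if callers pass the authentication token with its credentials, those credentials are now written to session storage too, which is worth confirming. The class header is visible but the constructor that sets `$extraInformation` lies between the two hunks and is not shown.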
@ -2,6 +2,7 @@
|
|||||||
|
|
||||||
namespace Symfony\Component\Security\Http\Authentication;
|
namespace Symfony\Component\Security\Http\Authentication;
|
||||||
|
|
||||||
|
use Symfony\Component\Security\Core\Exception\AuthenticationException;
|
||||||
use Symfony\Component\EventDispatcher\EventInterface;
|
use Symfony\Component\EventDispatcher\EventInterface;
|
||||||
use Symfony\Component\HttpFoundation\Request;
|
use Symfony\Component\HttpFoundation\Request;
|
||||||
|
|
||||||
@ -21,12 +22,12 @@ interface AuthenticationFailureHandlerInterface
|
|||||||
* called by authentication listeners inheriting from
|
* called by authentication listeners inheriting from
|
||||||
* AbstractAuthenticationListener.
|
* AbstractAuthenticationListener.
|
||||||
*
|
*
|
||||||
* @param EventInterface $event the "core.security" event, this event always
|
* @param EventInterface $event the "core.security" event, this event always
|
||||||
* has the kernel as target
|
* has the kernel as target
|
||||||
* @param Request $request
|
* @param Request $request
|
||||||
* @param \Exception $exception
|
* @param AuthenticationException $exception
|
||||||
*
|
*
|
||||||
* @return Response the response to return
|
* @return Response the response to return
|
||||||
*/
|
*/
|
||||||
function onAuthenticationFailure(EventInterface $event, Request $request, \Exception $exception);
|
function onAuthenticationFailure(EventInterface $event, Request $request, AuthenticationException $exception);
|
||||||
}
|
}
|
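Review bot: The narrowed `AuthenticationException $exception` parameter on `onAuthenticationFailure()` is the boundary that keeps arbitrary exception messages away from failure handlers, but the docblock only updates the type and says nothing about why, so a future maintainer may widen it back to `\Exception`; suggest `@param AuthenticationException $exception the failure; deliberately not \Exception so that only security-domain messages can reach handlers and error templates`. Because this is an interface method, every existing implementation declared with `\Exception $exception` must be updated to the exact new type, depending on the PHP version in use, and that compatibility break should be called out in the changelog. The `@return Response` docblock refers to a class that is not imported in this file's visible `use` block, though that predates this commit.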
@ -12,7 +12,6 @@
|
|||||||
namespace Symfony\Component\Security\Http\Firewall;
|
namespace Symfony\Component\Security\Http\Firewall;
|
||||||
|
|
||||||
use Symfony\Component\EventDispatcher\Event;
|
use Symfony\Component\EventDispatcher\Event;
|
||||||
|
|
||||||
use Symfony\Component\Security\Http\Session\SessionAuthenticationStrategyInterface;
|
use Symfony\Component\Security\Http\Session\SessionAuthenticationStrategyInterface;
|
||||||
use Symfony\Component\Security\Http\Authentication\AuthenticationFailureHandlerInterface;
|
use Symfony\Component\Security\Http\Authentication\AuthenticationFailureHandlerInterface;
|
||||||
use Symfony\Component\Security\Http\Authentication\AuthenticationSuccessHandlerInterface;
|
use Symfony\Component\Security\Http\Authentication\AuthenticationSuccessHandlerInterface;
|
||||||
@ -173,7 +172,7 @@ abstract class AbstractAuthenticationListener implements ListenerInterface
|
|||||||
return $this->options['check_path'] === $request->getPathInfo();
|
return $this->options['check_path'] === $request->getPathInfo();
|
||||||
}
|
}
|
||||||
|
|
||||||
protected function onFailure($event, Request $request, \Exception $failed)
|
protected function onFailure($event, Request $request, AuthenticationException $failed)
|
||||||
{
|
{
|
||||||
if (null !== $this->logger) {
|
if (null !== $this->logger) {
|
||||||
$this->logger->debug(sprintf('Authentication request failed: %s', $failed->getMessage()));
|
$this->logger->debug(sprintf('Authentication request failed: %s', $failed->getMessage()));
|
||||||
@ -195,7 +194,7 @@ abstract class AbstractAuthenticationListener implements ListenerInterface
|
|||||||
}
|
}
|
||||||
|
|
||||||
$subRequest = Request::create($this->options['failure_path']);
|
$subRequest = Request::create($this->options['failure_path']);
|
||||||
$subRequest->attributes->set(SecurityContextInterface::AUTHENTICATION_ERROR, $failed->getMessage());
|
$subRequest->attributes->set(SecurityContextInterface::AUTHENTICATION_ERROR, $failed);
|
||||||
|
|
||||||
return $event->getSubject()->handle($subRequest, HttpKernelInterface::SUB_REQUEST);
|
return $event->getSubject()->handle($subRequest, HttpKernelInterface::SUB_REQUEST);
|
||||||
} else {
|
} else {
|
||||||
@ -203,7 +202,7 @@ abstract class AbstractAuthenticationListener implements ListenerInterface
|
|||||||
$this->logger->debug(sprintf('Redirecting to %s', $this->options['failure_path']));
|
$this->logger->debug(sprintf('Redirecting to %s', $this->options['failure_path']));
|
||||||
}
|
}
|
||||||
|
|
||||||
$request->getSession()->set(SecurityContextInterface::AUTHENTICATION_ERROR, $failed->getMessage());
|
$request->getSession()->set(SecurityContextInterface::AUTHENTICATION_ERROR, $failed);
|
||||||
|
|
||||||
$response = new Response();
|
$response = new Response();
|
||||||
$response->setRedirect(0 !== strpos($this->options['failure_path'], 'http') ? $request->getUriForPath($this->options['failure_path']) : $this->options['failure_path'], 302);
|
$response->setRedirect(0 !== strpos($this->options['failure_path'], 'http') ? $request->getUriForPath($this->options['failure_path']) : $this->options['failure_path'], 302);
|
||||||
|
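Review bot: `$request->getSession()->set(SecurityContextInterface::AUTHENTICATION_ERROR, $failed);` now persists the whole exception object across the redirect, which only works and only closes the leak if AuthenticationException serializes a controlled set of fields; that contract lives outside this hunk and nothing here enforces it, so a subclass adding a non-serializable property would break the failure path at session write time. A comment on that line and on the matching `$subRequest->attributes->set(...)` line would record the intent, e.g. `// Pass the exception object, not its message: only AuthenticationException's whitelisted fields are serialized, and the consumer decides what is safe to render.`. The narrowed `AuthenticationException $failed` parameter on `onFailure()` is only safe if the caller in `handle()`, which is outside this hunk, never forwards other exception types, which is worth confirming. Note that the debug log two lines above the first change still emits `$failed->getMessage()`, so the message text reaches server logs as before.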