[Security] fixes a bug where authentication errors might have leaked confidential information

Johannes Schmitt 2011-02-14 18:06:20 +01:00 committed by Fabien Potencier
parent 5c7fe8f866
commit 9e6fc0a11e
3 changed files with 32 additions and 10 deletions


@ -16,7 +16,7 @@ namespace Symfony\Component\Security\Core\Exception;
* *
* @author Fabien Potencier <fabien.potencier@symfony-project.com> * @author Fabien Potencier <fabien.potencier@symfony-project.com>
*/ */
class AuthenticationException extends \RuntimeException class AuthenticationException extends \RuntimeException implements \Serializable
{ {
protected $extraInformation; protected $extraInformation;
@ -36,4 +36,26 @@ class AuthenticationException extends \RuntimeException
{ {
$this->extraInformation = $extraInformation; $this->extraInformation = $extraInformation;
} }
public function serialize()
{
return serialize(array(
$this->extraInformation,
$this->code,
$this->message,
$this->file,
$this->line,
));
}
public function unserialize($str)
{
list(
$this->extraInformation,
$this->code,
$this->message,
$this->file,
$this->line
) = unserialize($str);
}
} }
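Review bot: `unserialize()` assigns the result of `unserialize($str)` straight into the `list(...)` without checking it, so on corrupted or foreign session data `unserialize` returns false and every property, including `$this->message`, silently becomes null instead of the failure being reported. A guard such as `$data = unserialize($str); if (!is_array($data) || 5 !== count($data)) { throw new \UnexpectedValueException('Malformed serialized AuthenticationException'); }` before the assignment would make that visible. The fixed five-element list also means a subclass that adds state must override both methods or lose it on the round-trip, and `$this->extraInformation` is serialized as-is, so whatever a caller stores there (presumably a token) now ends up in the session storage. A docblock on `serialize()` stating that the trace and previous exception are intentionally dropped and that extraInformation must not carry credentials would make the contract of this change explicit.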


@ -2,6 +2,7 @@
namespace Symfony\Component\Security\Http\Authentication; namespace Symfony\Component\Security\Http\Authentication;
use Symfony\Component\Security\Core\Exception\AuthenticationException;
use Symfony\Component\EventDispatcher\EventInterface; use Symfony\Component\EventDispatcher\EventInterface;
use Symfony\Component\HttpFoundation\Request; use Symfony\Component\HttpFoundation\Request;
@ -21,12 +22,12 @@ interface AuthenticationFailureHandlerInterface
* called by authentication listeners inheriting from * called by authentication listeners inheriting from
* AbstractAuthenticationListener. * AbstractAuthenticationListener.
* *
* @param EventInterface $event the "core.security" event, this event always * @param EventInterface $event the "core.security" event, this event always
* has the kernel as target * has the kernel as target
* @param Request $request * @param Request $request
* @param \Exception $exception * @param AuthenticationException $exception
* *
* @return Response the response to return * @return Response the response to return
*/ */
function onAuthenticationFailure(EventInterface $event, Request $request, \Exception $exception); function onAuthenticationFailure(EventInterface $event, Request $request, AuthenticationException $exception);
} }
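Review bot: The updated `@param AuthenticationException $exception` docblock narrows the type but still says nothing about what a handler may safely do with the exception, even though the commit's purpose is to stop its details from leaking; a sentence such as `Implementations must not expose the exception's extra information or trace in the response` would state the contract for implementors. Narrowing the parameter from `\Exception` to `AuthenticationException` is also a signature change on a public interface, so existing implementations declared with `\Exception` will presumably no longer satisfy it and that should be called out as a BC break.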


@ -12,7 +12,6 @@
namespace Symfony\Component\Security\Http\Firewall; namespace Symfony\Component\Security\Http\Firewall;
use Symfony\Component\EventDispatcher\Event; use Symfony\Component\EventDispatcher\Event;
use Symfony\Component\Security\Http\Session\SessionAuthenticationStrategyInterface; use Symfony\Component\Security\Http\Session\SessionAuthenticationStrategyInterface;
use Symfony\Component\Security\Http\Authentication\AuthenticationFailureHandlerInterface; use Symfony\Component\Security\Http\Authentication\AuthenticationFailureHandlerInterface;
use Symfony\Component\Security\Http\Authentication\AuthenticationSuccessHandlerInterface; use Symfony\Component\Security\Http\Authentication\AuthenticationSuccessHandlerInterface;
@ -173,7 +172,7 @@ abstract class AbstractAuthenticationListener implements ListenerInterface
return $this->options['check_path'] === $request->getPathInfo(); return $this->options['check_path'] === $request->getPathInfo();
} }
protected function onFailure($event, Request $request, \Exception $failed) protected function onFailure($event, Request $request, AuthenticationException $failed)
{ {
if (null !== $this->logger) { if (null !== $this->logger) {
$this->logger->debug(sprintf('Authentication request failed: %s', $failed->getMessage())); $this->logger->debug(sprintf('Authentication request failed: %s', $failed->getMessage()));
@ -195,7 +194,7 @@ abstract class AbstractAuthenticationListener implements ListenerInterface
} }
$subRequest = Request::create($this->options['failure_path']); $subRequest = Request::create($this->options['failure_path']);
$subRequest->attributes->set(SecurityContextInterface::AUTHENTICATION_ERROR, $failed->getMessage()); $subRequest->attributes->set(SecurityContextInterface::AUTHENTICATION_ERROR, $failed);
return $event->getSubject()->handle($subRequest, HttpKernelInterface::SUB_REQUEST); return $event->getSubject()->handle($subRequest, HttpKernelInterface::SUB_REQUEST);
} else { } else {
@ -203,7 +202,7 @@ abstract class AbstractAuthenticationListener implements ListenerInterface
$this->logger->debug(sprintf('Redirecting to %s', $this->options['failure_path'])); $this->logger->debug(sprintf('Redirecting to %s', $this->options['failure_path']));
} }
$request->getSession()->set(SecurityContextInterface::AUTHENTICATION_ERROR, $failed->getMessage()); $request->getSession()->set(SecurityContextInterface::AUTHENTICATION_ERROR, $failed);
$response = new Response(); $response = new Response();
$response->setRedirect(0 !== strpos($this->options['failure_path'], 'http') ? $request->getUriForPath($this->options['failure_path']) : $this->options['failure_path'], 302); $response->setRedirect(0 !== strpos($this->options['failure_path'], 'http') ? $request->getUriForPath($this->options['failure_path']) : $this->options['failure_path'], 302);