fixes a bug in the SwitchUserListener

This commit is contained in:
Johannes M. Schmitt 2011-04-19 12:12:29 +02:00 committed by Fabien Potencier
parent 2014ff6856
commit c660fcd2f2
2 changed files with 8 additions and 1 deletions


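--- a/[file 1: path not shown on page]
+++ b/[file 1: path not shown on page]
@@ -26,6 +26,10 @@ PR11 to PR12
 <app:engine>twig</app:engine>
 <twig:extension>twig.extension.debug</twig:extension>
+* Fixes a critical security issue which allowed all users to switch to
+arbitrary accounts when the SwitchUserListener was activated. Configurations
+which do not use the SwitchUserListener are not affected.
 PR10 to PR11
 ------------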


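--- a/[file 2: path not shown on page]
+++ b/[file 2: path not shown on page]
@@ -11,6 +11,7 @@
 namespace Symfony\Component\Security\Http\Firewall;
+use Symfony\Component\Security\Core\Exception\AccessDeniedException;
 use Symfony\Component\Security\Core\SecurityContextInterface;
 use Symfony\Component\Security\Core\User\UserProviderInterface;
 use Symfony\Component\Security\Core\User\UserCheckerInterface;
@@ -112,7 +113,9 @@ class SwitchUserListener implements ListenerInterface
 throw new \LogicException(sprintf('You are already switched to "%s" user.', $token->getUsername()));
 }
-$this->accessDecisionManager->decide($token, array($this->role));
+if (false === $this->accessDecisionManager->decide($token, array($this->role))) {
+throw new AccessDeniedException();
+}
 $username = $request->get($this->usernameParameter);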
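Review bot: The new guard around the decide() call only denies on a strict boolean `false`, so any other falsy return from a custom AccessDecisionManagerInterface implementation (`null`, `0`) would still let the switch proceed; a fail-closed form is `if (!$this->accessDecisionManager->decide($token, array($this->role))) {`. The denial is the whole point of this fix, so a one-line why-comment above it would help the next reader, e.g. `// The decision result must be honoured: ignoring it let any authenticated user impersonate arbitrary accounts.` A regression test that configures a decision manager returning false and expects AccessDeniedException from the switch attempt would keep this from being silently dropped again. The enclosing method starts before and ends after this hunk, so I cannot see whether the same check is also needed on the exit-switch path.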