bug #36974 [Security] Fixed handling of CSRF logout error (wouterj)
This PR was merged into the 3.4 branch. Discussion ---------- [Security] Fixed handling of CSRF logout error | Q | A | ------------- | --- | Branch? | 3.4 | Bug fix? | yes | New feature? | no | Deprecations? | no | Tickets | Fix #36814 | License | MIT | Doc PR | - 8 years ago, a typo was made while refactoring the `ExceptionListener`, loosing this logic (46071f3238
). I think we should fix it. The `LogoutException` is a very generic name for something only used when the CSRF token is invalid. Should we match the exception message to make sure only this CSRF error is transformed into 403? I didn't yet do it because any usage of `LogoutException` would have resulted in 500, which always is worse than 403. Commits -------50348f2eb7
Fixed handling of CSRF logout error
This commit is contained in:
commit
ce61bb0750
@ -102,7 +102,7 @@ class ExceptionListener
|
|||||||
}
|
}
|
||||||
|
|
||||||
if ($exception instanceof LogoutException) {
|
if ($exception instanceof LogoutException) {
|
||||||
$this->handleLogoutException($exception);
|
$this->handleLogoutException($event, $exception);
|
||||||
|
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
@ -172,10 +172,12 @@ class ExceptionListener
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
private function handleLogoutException(LogoutException $exception)
|
private function handleLogoutException(GetResponseForExceptionEvent $event, LogoutException $exception)
|
||||||
{
|
{
|
||||||
|
$event->setException(new AccessDeniedHttpException($exception->getMessage(), $exception));
|
||||||
|
|
||||||
if (null !== $this->logger) {
|
if (null !== $this->logger) {
|
||||||
$this->logger->info('A LogoutException was thrown.', ['exception' => $exception]);
|
$this->logger->info('A LogoutException was thrown; wrapping with AccessDeniedHttpException', ['exception' => $exception]);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -21,6 +21,7 @@ use Symfony\Component\Security\Core\Authentication\AuthenticationTrustResolverIn
|
|||||||
use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;
|
use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;
|
||||||
use Symfony\Component\Security\Core\Exception\AccessDeniedException;
|
use Symfony\Component\Security\Core\Exception\AccessDeniedException;
|
||||||
use Symfony\Component\Security\Core\Exception\AuthenticationException;
|
use Symfony\Component\Security\Core\Exception\AuthenticationException;
|
||||||
|
use Symfony\Component\Security\Core\Exception\LogoutException;
|
||||||
use Symfony\Component\Security\Http\Authorization\AccessDeniedHandlerInterface;
|
use Symfony\Component\Security\Http\Authorization\AccessDeniedHandlerInterface;
|
||||||
use Symfony\Component\Security\Http\EntryPoint\AuthenticationEntryPointInterface;
|
use Symfony\Component\Security\Http\EntryPoint\AuthenticationEntryPointInterface;
|
||||||
use Symfony\Component\Security\Http\Firewall\ExceptionListener;
|
use Symfony\Component\Security\Http\Firewall\ExceptionListener;
|
||||||
@ -160,6 +161,17 @@ class ExceptionListenerTest extends TestCase
|
|||||||
$this->assertSame(null === $eventException ? $exception : $eventException, $event->getException()->getPrevious());
|
$this->assertSame(null === $eventException ? $exception : $eventException, $event->getException()->getPrevious());
|
||||||
}
|
}
|
||||||
|
|
||||||
|
public function testLogoutException()
|
||||||
|
{
|
||||||
|
$event = $this->createEvent(new LogoutException('Invalid CSRF.'));
|
||||||
|
|
||||||
|
$listener = $this->createExceptionListener();
|
||||||
|
$listener->onKernelException($event);
|
||||||
|
|
||||||
|
$this->assertEquals('Invalid CSRF.', $event->getException()->getMessage());
|
||||||
|
$this->assertEquals(403, $event->getException()->getStatusCode());
|
||||||
|
}
|
||||||
|
|
||||||
public function getAccessDeniedExceptionProvider()
|
public function getAccessDeniedExceptionProvider()
|
||||||
{
|
{
|
||||||
return [
|
return [
|
||||||
|
Reference in New Issue
Block a user