diogo/symfony
Archived
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge branch '5.2' into 5.x

Browse Source 
* 5.2:
  [Security\Core] Fix user enumeration via response body on invalid credentials
  Update VERSION for 3.4.48
  Update CHANGELOG for 3.4.48
This commit is contained in:
Nicolas Grekas 2021-05-19 14:09:49 +02:00
commit e34cd7dd2c
2 changed files with 21 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
src/Symfony/Component/Security/Core/Authentication/Provider/UserAuthenticationProvider.php
View File

@ -18,6 +18,7 @@ use Symfony\Component\Security\Core\Exception\AccountStatusException;
use Symfony\Component\Security\Core\Exception\AuthenticationException;
use Symfony\Component\Security\Core\Exception\AuthenticationServiceException;
use Symfony\Component\Security\Core\Exception\BadCredentialsException;
use Symfony\Component\Security\Core\Exception\CustomUserMessageAccountStatusException;
use Symfony\Component\Security\Core\Exception\UserNotFoundException;
use Symfony\Component\Security\Core\User\UserCheckerInterface;
use Symfony\Component\Security\Core\User\UserInterface;
@ -84,8 +85,8 @@ abstract class UserAuthenticationProvider implements AuthenticationProviderInter
$this->userChecker->checkPreAuth($user);
$this->checkAuthentication($user, $token);
$this->userChecker->checkPostAuth($user);
} catch (AccountStatusException $e) {
if ($this->hideUserNotFoundExceptions) {
} catch (AccountStatusException | BadCredentialsException $e) {
if ($this->hideUserNotFoundExceptions && !$e instanceof CustomUserMessageAccountStatusException) {
throw new BadCredentialsException('Bad credentials.', 0, $e);
}

18
src/Symfony/Component/Security/Core/Tests/Authentication/Provider/UserAuthenticationProviderTest.php
View File

@ -69,6 +69,24 @@ class UserAuthenticationProviderTest extends TestCase
$provider->authenticate($this->getSupportedToken());
}
public function testAuthenticateWhenCredentialsAreInvalidAndHideIsTrue()
{
$provider = $this->getProvider();
$provider->expects($this->once())
->method('retrieveUser')
->willReturn($this->createMock(UserInterface::class))
;
$provider->expects($this->once())
->method('checkAuthentication')
->willThrowException(new BadCredentialsException())
;
$this->expectException(BadCredentialsException::class);
$this->expectExceptionMessage('Bad credentials.');
$provider->authenticate($this->getSupportedToken());
}
public function testAuthenticateWhenProviderDoesNotReturnAnUserInterface()
{
$this->expectException(AuthenticationServiceException::class);