Commit 6b34c00

bug #51445 [Security] FormLoginAuthenticator: fail for non-string password (dmaicher)
This PR was squashed before being merged into the 5.4 branch. Discussion ---------- [Security] FormLoginAuthenticator: fail for non-string password | Q | A | ------------- | --- | Branch? | 5.4 | Bug fix? | yes | New feature? | no | Deprecations? | no | Tickets | Fix #51441 | License | MIT | Doc PR | - <!-- Replace this notice by a short README for your feature/bugfix. This will help reviewers and should be a good start for the documentation. Additionally (see https://symfony.com/releases): - Always add tests and ensure they pass. - Bug fixes must be submitted against the lowest maintained branch where they apply (lowest branches are regularly merged to upper ones so they get the fixes too). - Features and deprecations must be submitted against the latest branch. - For new features, provide some code snippets to help understand usage. - Changelog entry should follow https://symfony.com/doc/current/contributing/code/conventions.html#writing-a-changelog-entry - Never break backward compatibility (see https://symfony.com/bc). --> Fixes #51441 by handling it similar to the username and throwing a `BadRequestHttpException`. Commits ------- dc5660e [Security] FormLoginAuthenticator: fail for non-string password
2 parents f874dd2 + dc5660e commit 6b34c00

2 files changed

+43
-0
lines changed

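--- a/src/Symfony/Component/Security/Http/Authenticator/FormLoginAuthenticator.php
+++ b/src/Symfony/Component/Security/Http/Authenticator/FormLoginAuthenticator.php
@@ -157,6 +157,10 @@ private function getCredentials(Request $request): array
 
 $request->getSession()->set(Security::LAST_USERNAME, $credentials['username']);
 
+if (!\is_string($credentials['password']) && (!\is_object($credentials['password']) || !method_exists($credentials['password'], '__toString'))) {
+throw new BadRequestHttpException(sprintf('The key "%s" must be a string, "%s" given.', $this->options['password_parameter'], \gettype($credentials['password'])));
+}
+
 return $credentials;
 }
 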
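Review bot: The new guard accepts a Stringable object but leaves `$credentials['password']` as that object, so the array returned by getCredentials() can carry an object where the username entry is always a string (it goes through trim() on the username path). Adding `$credentials['password'] = (string) $credentials['password'];` right after the guard would give the returned array a uniform shape instead of relying on a later implicit coercion, which, judging by the accompanying test, is currently what turns the object into the string the credentials badge returns. This only matters when a custom parameter bag can yield objects; a normal form submission produces strings or arrays, and for arrays the check correctly turns what was a TypeError into a 400. The body of getCredentials() starts outside the hunk.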
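--- a/src/Symfony/Component/Security/Http/Tests/Authenticator/FormLoginAuthenticatorTest.php
+++ b/src/Symfony/Component/Security/Http/Tests/Authenticator/FormLoginAuthenticatorTest.php
@@ -23,6 +23,7 @@
 use Symfony\Component\Security\Http\Authenticator\FormLoginAuthenticator;
 use Symfony\Component\Security\Http\Authenticator\Passport\Badge\CsrfTokenBadge;
 use Symfony\Component\Security\Http\Authenticator\Passport\Badge\PasswordUpgradeBadge;
+use Symfony\Component\Security\Http\Authenticator\Passport\Credentials\PasswordCredentials;
 use Symfony\Component\Security\Http\HttpUtils;
 use Symfony\Component\Security\Http\Tests\Authenticator\Fixtures\PasswordUpgraderProvider;
 
@@ -126,6 +127,44 @@ public function testHandleNonStringUsernameWithToString($postOnly)
 $this->authenticator->authenticate($request);
 }
 
+/**
+* @dataProvider postOnlyDataProvider
+*/
+public function testHandleNonStringPasswordWithArray(bool $postOnly)
+{
+$this->expectException(BadRequestHttpException::class);
+$this->expectExceptionMessage('The key "_password" must be a string, "array" given.');
+
+$request = Request::create('/login_check', 'POST', ['_username' => 'foo', '_password' => []]);
+$request->setSession($this->createSession());
+
+$this->setUpAuthenticator(['post_only' => $postOnly]);
+$this->authenticator->authenticate($request);
+}
+
+/**
+* @dataProvider postOnlyDataProvider
+*/
+public function testHandleNonStringPasswordWithToString(bool $postOnly)
+{
+$passwordObject = new class() {
+public function __toString()
+{
+return 's$cr$t';
+}
+};
+
+$request = Request::create('/login_check', 'POST', ['_username' => 'foo', '_password' => $passwordObject]);
+$request->setSession($this->createSession());
+
+$this->setUpAuthenticator(['post_only' => $postOnly]);
+$passport = $this->authenticator->authenticate($request);
+
+/** @var PasswordCredentials $credentialsBadge */
+$credentialsBadge = $passport->getBadge(PasswordCredentials::class);
+$this->assertSame('s$cr$t', $credentialsBadge->getPassword());
+}
+
 public static function postOnlyDataProvider()
 {
 yield [true];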
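Review bot: The anonymous class in testHandleNonStringPasswordWithToString declares `__toString()` without a return type; `public function __toString(): string` states the contract the production guard is probing for and does not rely on coercion of the returned value. Both new tests type the parameter as `bool $postOnly` while the neighbouring testHandleNonStringUsernameWithToString leaves it untyped, so one convention across the file would read better. Only the array and Stringable shapes are exercised here; if the missing-parameter case (no `_password` key at all) is not covered elsewhere in the file, a third test would pin down whether that path yields a 400 or falls back to an empty password.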
