Commit bd53382

merged branch gunnarlium/fix-security-forward-http-code (PR #6957)
This PR was merged into the master branch.

Discussion
----------

[Security] Return 401 when using use_forward for form authentication

| Q             | A   |
| ------------- | --- |
| Bug fix?      | yes |
| New feature?  | no  |
| BC breaks?    | yes |
| Deprecations? | no  |
| Tests pass?   | yes |
| Fixed tickets | -   |
| License       | MIT |
| Doc PR        | -   |

- [x] document the BC breaks in UPDATE and CHANGELOG

Currently, unauthenticated requests get handled as exceptions and forwarded to FormAuthenticationEntryPoint::start. When using use_forward = true, this method does not modify the status code, which means that the final response to the end user will use a 500 status code. This is not right, as there is not a server problem; the problem is that the user is not authenticated. The status code should be 401.

This PR checks if the sub request to the form view is successful, and sets an X-Status-Code header if it is. This might break applications that rely on the 500 error code being returned for unauthenticated requests.

Commits
-------

b5597e8 [Security] Return 401 when using use_forward for form authentication
2 parents da96476 + b5597e8 commit bd53382

3 files changed: 12 additions and 3 deletions

src/Symfony/Component/Security/CHANGELOG.md (1 addition & 0 deletions)

@@ -4,6 +4,7 @@ CHANGELOG
44
2.3.0
55
-----
66

7+
* [BC BREAK] return 401 instead of 500 when using use_forward during for form authentication
78
* added a `require_previous_session` option to `AbstractAuthenticationListener`
89

910
2.2.0
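Review bot: the new changelog entry `* [BC BREAK] return 401 instead of 500 when using use_forward during for form authentication` has a stray word ("during for"); suggest `when using use_forward for form authentication`, matching the PR title. The PR checklist also states the BC break is documented in UPDATE and CHANGELOG, but only three files are touched in this commit and none of them is an UPGRADE file, so that half of the checklist item is not reflected here.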

src/Symfony/Component/Security/Http/EntryPoint/FormAuthenticationEntryPoint.php (6 additions & 1 deletion)

@@ -53,7 +53,12 @@ public function start(Request $request, AuthenticationException $authException =
5353
if ($this->useForward) {
5454
$subRequest = $this->httpUtils->createRequest($request, $this->loginPath);
5555

56-
return $this->httpKernel->handle($subRequest, HttpKernelInterface::SUB_REQUEST);
56+
$response = $this->httpKernel->handle($subRequest, HttpKernelInterface::SUB_REQUEST);
57+
if (200 === $response->getStatusCode()) {
58+
$response->headers->set('X-Status-Code', 401);
59+
}
60+
61+
return $response;
5762
}
5863

5964
return $this->httpUtils->createRedirectResponse($request, $this->loginPath);
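Review bot: the 401 is only signalled when the forwarded login page comes back with exactly 200 (`if (200 === $response->getStatusCode())`); any other non-error status from the sub-request (a 204, or a redirect the login controller may issue) passes through untouched, so in those cases the end user still receives whatever status the exception handling assigns, which the PR description says is 500 today. If the intent is that every successful rendering of the login form is reported as 401, check the 2xx range with `$response->isSuccessful()` instead. A one-line comment explaining why the status is carried in an `X-Status-Code` header rather than set with `$response->setStatusCode(401)` would also help, because a reader of this method alone cannot see that the status of an exception-triggered response is otherwise overwritten further up the stack.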

src/Symfony/Component/Security/Tests/Http/EntryPoint/FormAuthenticationEntryPointTest.php (5 additions & 2 deletions)

@@ -50,7 +50,7 @@ public function testStartWithUseForward()
5050
{
5151
$request = $this->getMock('Symfony\Component\HttpFoundation\Request', array(), array(), '', false, false);
5252
$subRequest = $this->getMock('Symfony\Component\HttpFoundation\Request', array(), array(), '', false, false);
53-
$response = $this->getMock('Symfony\Component\HttpFoundation\Response');
53+
$response = new \Symfony\Component\HttpFoundation\Response('', 200);
5454

5555
$httpUtils = $this->getMock('Symfony\Component\Security\Http\HttpUtils');
5656
$httpUtils
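Review bot: replacing the mocked Response with `new \Symfony\Component\HttpFoundation\Response('', 200)` is what makes the new branch reachable at all: on a PHPUnit mock `getStatusCode()` is stubbed and returns null, so `200 === $response->getStatusCode()` would never hold and the header assertion in the second hunk could not pass. A short comment on that line saying the real object is required for the status check would stop the next person from putting the mock back.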
@@ -70,6 +70,9 @@ public function testStartWithUseForward()
7070

7171
$entryPoint = new FormAuthenticationEntryPoint($httpKernel, $httpUtils, '/the/login/path', true);
7272

73-
$this->assertEquals($response, $entryPoint->start($request));
73+
$entryPointResponse = $entryPoint->start($request);
74+
75+
$this->assertEquals($response, $entryPointResponse);
76+
$this->assertEquals(401, $entryPointResponse->headers->get('X-Status-Code'));
7477
}
7578
}
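Review bot: only the 200 branch of the new condition is exercised. A second case that runs a sub-request response with a non-200 status (for example `new Response('', 302)`) through `start()` and asserts that `X-Status-Code` is absent would pin down the behaviour the entry-point change implies, namely that forwards which do not return 200 are left untouched. Without it, a later change that drops the status check would still pass this test.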
