Commit dc5660e

dmaichernicolas-grekas
authored andcommitted
[Security] FormLoginAuthenticator: fail for non-string password
1 parent f874dd2 commit dc5660e

2 files changed

+43
-0
lines changed
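--- a/src/Symfony/Component/Security/Http/Authenticator/FormLoginAuthenticator.php
+++ b/src/Symfony/Component/Security/Http/Authenticator/FormLoginAuthenticator.php
@@ -157,6 +157,10 @@ private function getCredentials(Request $request): array
 
         $request->getSession()->set(Security::LAST_USERNAME, $credentials['username']);
 
+        if (!\is_string($credentials['password']) && (!\is_object($credentials['password']) || !method_exists($credentials['password'], '__toString'))) {
+            throw new BadRequestHttpException(sprintf('The key "%s" must be a string, "%s" given.', $this->options['password_parameter'], \gettype($credentials['password'])));
+        }
+
         return $credentials;
     }
 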
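Review bot: The guard added at new lines 160-162 appears, judging by the existing testHandleNonStringUsernameWithToString in the test file, to be a second copy of the username check earlier in getCredentials (the method starts outside this hunk), and two hand-maintained copies of the same condition and message are easy to let drift apart; a private helper such as `$this->assertStringLike($this->options['password_parameter'], $credentials['password']);` called for both keys would keep them in sync. Using `\gettype()` in the message is the right choice for a 400 response: it reports `"object"` without disclosing the class name of whatever was posted, and it should stay that way rather than being swapped for `get_class()`. The check runs after LAST_USERNAME has already been written to the session, which is harmless but not obvious on a first read; a one-line comment such as `// Reject anything that is not a string or string-convertible object before the credentials are returned` would make the intent explicit.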

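--- a/src/Symfony/Component/Security/Http/Tests/Authenticator/FormLoginAuthenticatorTest.php
+++ b/src/Symfony/Component/Security/Http/Tests/Authenticator/FormLoginAuthenticatorTest.php
@@ -23,6 +23,7 @@
 use Symfony\Component\Security\Http\Authenticator\FormLoginAuthenticator;
 use Symfony\Component\Security\Http\Authenticator\Passport\Badge\CsrfTokenBadge;
 use Symfony\Component\Security\Http\Authenticator\Passport\Badge\PasswordUpgradeBadge;
+use Symfony\Component\Security\Http\Authenticator\Passport\Credentials\PasswordCredentials;
 use Symfony\Component\Security\Http\HttpUtils;
 use Symfony\Component\Security\Http\Tests\Authenticator\Fixtures\PasswordUpgraderProvider;
 
@@ -126,6 +127,44 @@ public function testHandleNonStringUsernameWithToString($postOnly)
         $this->authenticator->authenticate($request);
     }
 
+    /**
+     * @dataProvider postOnlyDataProvider
+     */
+    public function testHandleNonStringPasswordWithArray(bool $postOnly)
+    {
+        $this->expectException(BadRequestHttpException::class);
+        $this->expectExceptionMessage('The key "_password" must be a string, "array" given.');
+
+        $request = Request::create('/login_check', 'POST', ['_username' => 'foo', '_password' => []]);
+        $request->setSession($this->createSession());
+
+        $this->setUpAuthenticator(['post_only' => $postOnly]);
+        $this->authenticator->authenticate($request);
+    }
+
+    /**
+     * @dataProvider postOnlyDataProvider
+     */
+    public function testHandleNonStringPasswordWithToString(bool $postOnly)
+    {
+        $passwordObject = new class() {
+            public function __toString()
+            {
+                return 's$cr$t';
+            }
+        };
+
+        $request = Request::create('/login_check', 'POST', ['_username' => 'foo', '_password' => $passwordObject]);
+        $request->setSession($this->createSession());
+
+        $this->setUpAuthenticator(['post_only' => $postOnly]);
+        $passport = $this->authenticator->authenticate($request);
+
+        /** @var PasswordCredentials $credentialsBadge */
+        $credentialsBadge = $passport->getBadge(PasswordCredentials::class);
+        $this->assertSame('s$cr$t', $credentialsBadge->getPassword());
+    }
+
     public static function postOnlyDataProvider()
     {
         yield [true];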
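Review bot: The two new tests exercise an array and a `__toString` object, but the `!method_exists(..., '__toString')` branch of the new guard is never hit: an object without `__toString` is the case that distinguishes the `is_object` part of the condition, and it is not covered, so a regression that dropped the `method_exists` clause would go unnoticed. A third provider-driven test posting `'_password' => new \stdClass()` and expecting `'The key "_password" must be a string, "object" given.'` would close that gap, assuming the request parameter bag accepts it the way it accepts the `__toString` fixture. The anonymous class's `__toString()` at new line 151 carries no `: string` return type; if the branch's minimum PHP version permits it, `public function __toString(): string` keeps the fixture aligned with the string contract the production check relies on. The enclosing test class continues outside both hunks.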
