Providing csrf-token as array causes TypeError #42614

Closed
@codegain

Symfony version(s) affected: 4.4.29

Description

If csrf_protection is set to true and the csrf-token in the request is provided as an array (from a malicious user), a TypeError is thrown.

How to reproduce

  1. Set csrf_protection to true in packages/framework.yaml
  2. Create a login form with a _csrf_token field
  3. Use some external program to send the csrf-token as an array like _csrf_token[foo]=1
  4. A TypeError is thrown

Possible Solution

The csrfToken is read in the UsernamePasswordFormAuthenticationListener::attemptAuthentication method via the ParameterBagUtils::getRequestParameterValue. I don't see any option set that the attribute read must be a string (like with the $request->get*() methods). Maybe a good place would be to check is_string (or null) in the listener class.

Additional context

PHP version: 7.4

Stacktrace:

TypeError: Argument 2 passed to Symfony\Component\Security\Csrf\CsrfToken::__construct() must be of the type string or null, array given, called in /vendor/symfony/security-http/Firewall/UsernamePasswordFormAuthenticationListener.php on line 75
#14 /vendor/symfony/security-csrf/CsrfToken.php(24): Symfony\Component\Security\Csrf\CsrfToken::__construct
#13 /vendor/symfony/security-http/Firewall/UsernamePasswordFormAuthenticationListener.php(75): Symfony\Component\Security\Http\Firewall\UsernamePasswordFormAuthenticationListener::attemptAuthentication
#12 /vendor/symfony/security-http/Firewall/AbstractAuthenticationListener.php(141): Symfony\Component\Security\Http\Firewall\AbstractAuthenticationListener::authenticate
#11 /vendor/symfony/security-http/Firewall/AbstractListener.php(27): Symfony\Component\Security\Http\Firewall\AbstractListener::__invoke
#10 /vendor/symfony/security-http/Firewall.php(140): Symfony\Component\Security\Http\Firewall::handleRequest
#9 /vendor/symfony/security-http/Firewall.php(130): Symfony\Component\Security\Http\Firewall::callListeners
#8 /vendor/symfony/security-http/Firewall.php(98): Symfony\Component\Security\Http\Firewall::onKernelRequest
#7 /vendor/symfony/event-dispatcher/EventDispatcher.php(304): Symfony\Component\EventDispatcher\EventDispatcher::Symfony\Component\EventDispatcher\{closure}
#6 /vendor/symfony/event-dispatcher/EventDispatcher.php(264): Symfony\Component\EventDispatcher\EventDispatcher::doDispatch
#5 /vendor/symfony/event-dispatcher/EventDispatcher.php(239): Symfony\Component\EventDispatcher\EventDispatcher::callListeners
#4 /vendor/symfony/event-dispatcher/EventDispatcher.php(73): Symfony\Component\EventDispatcher\EventDispatcher::dispatch
#3 /vendor/symfony/http-kernel/HttpKernel.php(134): Symfony\Component\HttpKernel\HttpKernel::handleRaw
#2 /vendor/symfony/http-kernel/HttpKernel.php(80): Symfony\Component\HttpKernel\HttpKernel::handle
#1 /vendor/symfony/http-kernel/Kernel.php(201): Symfony\Component\HttpKernel\Kernel::handle
#0 /public/index.php(25): null
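The following is an added illustration, not code from the Symfony project or from the reporter. It reproduces, without any Symfony dependency, the mechanism behind the report (PHP's form parsing turns `_csrf_token[foo]=1` into an array) and shows the kind of guard the report suggests: checking that the submitted value is a string or null before it reaches a `?string`-typed constructor, so a wrong-typed token is treated as an invalid token rather than causing a TypeError. `readCsrfToken()` and `isCsrfTokenValid()` are hypothetical stand-ins for the listener's token read and for the token manager's validity check; the request bodies are constructed.

```php
<?php
// Added example, not Symfony's code: show how a bracketed form field becomes
// an array and how a type check in the token-reading code neutralises it.

declare(strict_types=1);

/**
 * Hypothetical stand-in for the listener's token read. In the report, the
 * value read from the request is passed straight to a constructor typed
 * ?string, which is where the TypeError comes from.
 *
 * Returns the token as a string, or null when the parameter is absent or
 * has any other type. null is later treated as "invalid token".
 */
function readCsrfToken(array $requestParams, string $field = '_csrf_token'): ?string
{
    $value = $requestParams[$field] ?? null;

    // Anything that is not a scalar string (arrays from `_csrf_token[foo]=1`,
    // nested arrays, ints from other sources) is rejected here instead of
    // reaching a typed constructor.
    if ($value !== null && !is_string($value)) {
        return null;
    }

    return $value;
}

/**
 * Constructed stand-in for a CSRF token manager's validity check: a missing
 * or rejected token is invalid; otherwise compare in constant time.
 */
function isCsrfTokenValid(?string $submitted, string $expected): bool
{
    return $submitted !== null && hash_equals($expected, $submitted);
}

// Constructed request bodies as a client would send them (form-encoded).
$bodies = [
    'well-formed'  => '_csrf_token=abc123',
    'array-shaped' => '_csrf_token[foo]=1',
    'missing'      => 'username=alice',
];

foreach ($bodies as $label => $rawBody) {
    // parse_str() applies the same bracket-to-array rule PHP uses when it
    // builds $_POST, so the array-shaped case yields array('foo' => '1').
    parse_str($rawBody, $params);

    $token = readCsrfToken($params);
    $valid = isCsrfTokenValid($token, 'abc123');

    printf(
        "%-13s parsed-type=%-6s accepted=%s\n",
        $label,
        gettype($params['_csrf_token'] ?? null),
        $valid ? 'yes' : 'no'
    );
}
```

Run with `php example.php`. The point of the guard is placement: the type check happens before the value is handed to any typed API, so a malformed submission is logged and rejected through the normal "invalid CSRF token" path rather than surfacing as an uncaught TypeError from the firewall listener.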
