[Security][LoginLink] Invalid parameters throw 500 #60347

Closed
@davidszkiba

Description


Symfony version(s) affected

7.2.4

Description

When login_check is requested and the request parameters have the wrong type (userIdentifier, hash, expires), it throws 500 exceptions because the acceptSignatureHash method expects the parameters to be of certain types ($userIdentifier a string, $expires an int and $hash a string).

How to reproduce

Implement LoginLink and then request login via link:
https://example.com/login/link_check?expires=%E2%80%AA1747385844%E2%80%AC&hash=somehash&user=%E2%80%AA123456789%E2%80%AC

Here the expires parameter is flanked by zero-width spaces. This leads to a 500 error because expires is expected to be an int but here it is a string. I'm not exactly sure why the zero-width spaces are added (maybe some email clients do that?), but in any case, I think this should not lead to a 500 error.

Possible Solution

Be more strict in the LoginLinkHandler. In addition to checking if the required parameters exist (which is already done after this PR #48292), the type should also be checked.

Additional Context

Symfony\Component\Security\Core\Signature\SignatureHasher::acceptSignatureHash(): Argument #2 ($expires) must be of type int, string given, called in /srv/portal/vendor/symfony/security-http/LoginLink/LoginLinkHandler.php on line 98
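A stricter parameter check of the kind the report asks for, written here as an added example rather than Symfony's own code (the `LoginLinkParameters` class, `validateLoginLinkParameters()` function and the hash format check are assumptions). It rejects the `expires` value from the URL above, whose `%E2%80%AA`/`%E2%80%AC` bytes decode to the invisible characters U+202A/U+202C, before anything reaches `SignatureHasher::acceptSignatureHash()`:

```php
<?php
declare(strict_types=1);

// Typed, validated view of the login-link query parameters (example type, not Symfony's).
final class LoginLinkParameters
{
    public function __construct(
        public readonly string $userIdentifier,
        public readonly int $expires,
        public readonly string $hash,
    ) {
    }
}

/**
 * Validate raw query parameters (e.g. $request->query->all()) before calling
 * acceptSignatureHash(), so a malformed link becomes a handled "invalid link"
 * error instead of a TypeError and a 500 response.
 *
 * @param array<string, mixed> $query
 * @throws InvalidArgumentException when a parameter is missing, not a string, or malformed
 */
function validateLoginLinkParameters(array $query): LoginLinkParameters
{
    foreach (['user', 'expires', 'hash'] as $name) {
        // Missing values and arrays (?user[]=x) are rejected up front.
        if (!isset($query[$name]) || !is_string($query[$name])) {
            throw new InvalidArgumentException(sprintf('Missing or non-string "%s" parameter.', $name));
        }
    }

    // "expires" must be ASCII digits only. This rejects the invisible U+202A/U+202C
    // characters from the report, plus whitespace, signs and exponents that an
    // (int) cast or is_numeric() would silently accept. 18 digits stays below PHP_INT_MAX.
    if (!preg_match('/\A[0-9]{1,18}\z/', $query['expires'])) {
        throw new InvalidArgumentException('The "expires" parameter must be an unsigned integer.');
    }

    // Assumption: the hash is printable ASCII; anything else (control or
    // formatting characters) cannot be a hash the hasher produced.
    if (!preg_match('/\A[\x21-\x7E]+\z/', $query['hash'])) {
        throw new InvalidArgumentException('The "hash" parameter is malformed.');
    }

    return new LoginLinkParameters($query['user'], (int) $query['expires'], $query['hash']);
}

// Usage with the parameters from the reported URL (constructed input): "expires" is rejected.
try {
    validateLoginLinkParameters(['user' => "\u{202A}123456789\u{202C}", 'expires' => "\u{202A}1747385844\u{202C}", 'hash' => 'somehash']);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

The handler can then map the exception to a 4xx "invalid login link" response, while a clean link (`expires=1747385844`) passes through with `$expires` already an `int`.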
