Skip to content

Navigation Menu

Sign in

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly
Appearance settings

[Security] always check the token on non-lazy firewalls #34358

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Nov 15, 2019
Merged

[Security] always check the token on non-lazy firewalls #34358

merged 2 commits into from
Nov 15, 2019

Conversation

lyrixx
Copy link
Member

@lyrixx lyrixx commented Nov 13, 2019

Q A
Branch? 4.4
Bug fix? yes
New feature? no
Deprecations? no
Tickets Fix #34357
License MIT
Doc PR

@stof
Copy link
Member

stof commented Nov 13, 2019

isn't this breaking the support for lazy firewalls by always using the token, even when you try to disable checks for some URL patterns ?

@lyrixx
Copy link
Member Author

lyrixx commented Nov 13, 2019

I really don't know. I open the PR to get some feedbacks...

@nicolas-grekas nicolas-grekas added this to the 4.4 milestone Nov 13, 2019
@nicolas-grekas
Copy link
Member

Yes, it breaks lazyness. Can you please add a test case that reproduces the situation you have?

@lyrixx
Copy link
Member Author

lyrixx commented Nov 13, 2019

  1. I reverted my commit to show the bug
  2. I added a new test case to ... show the bug :)

@lyrixx lyrixx force-pushed the security-anon branch 2 times, most recently from c86a43e to 70b49c7 Compare November 13, 2019 12:49
@stof
Copy link
Member

stof commented Nov 13, 2019

@nicolas-grekas maybe lazyness should be enabled only for firewalls enabling anonymous access (as such firewalls are expected to be able to deal with cases where the user might not be forced to be actually authenticated already). The lazyness indeed breaks the previous assumption that a firewall will force to have an authenticated token on all requests even when no check is performed. And when authenticated tokens can only be created for an authenticated user and not for anonymous users, the previous implementation was implicitly adding a check on all requests.

@stof stof mentioned this pull request Nov 13, 2019
Closed
@nicolas-grekas nicolas-grekas force-pushed the security-anon branch 2 times, most recently from 62bf59a to 069cdb0 Compare November 14, 2019 22:39
@nicolas-grekas
Copy link
Member

@stof implemented, can you please have a look?

@lyrixx I push-forced on your fork - can you also please have a look at the reason why the test is failing now?

@nicolas-grekas
Copy link
Member

can you also please have a look at the reason why the test is failing now?

I figured out on my own :)

PR ready.

@nicolas-grekas nicolas-grekas changed the title [Security] throw AuthenticationCredentialsNotFoundException when checking for access [Security] always check the token on non-lazy firewalls Nov 14, 2019
lyrixx
lyrixx commented Nov 15, 2019
View reviewed changes
Copy link
Member Author

@lyrixx lyrixx left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍 Simple, like it

@nicolas-grekas
Copy link
Member

Thank you @lyrixx.

nicolas-grekas added a commit that referenced this pull request Nov 15, 2019
@nicolas-grekas
bug #34358 [Security] always check the token on non-lazy firewalls (n…
b8f8ac9 
…icolas-grekas, lyrixx)

This PR was merged into the 4.4 branch.

Discussion
----------

 [Security] always check the token on non-lazy firewalls

| Q             | A
| ------------- | ---
| Branch?       | 4.4
| Bug fix?      | yes
| New feature?  | no
| Deprecations? | no
| Tickets       | Fix #34357
| License       | MIT
| Doc PR        |

Commits
-------

2c2632a [SecurityBundle] add tests with empty authenticator
797450d [Security] always check the token on non-lazy firewalls
@nicolas-grekas nicolas-grekas merged commit 2c2632a into symfony:4.4 Nov 15, 2019
@lyrixx lyrixx deleted the security-anon branch November 15, 2019 11:07
@lyrixx
Copy link
Member Author

lyrixx commented Nov 15, 2019

@nicolas-grekas Thanks you for finish it

This was referenced Nov 17, 2019
Merged
Merged
@nicolas-grekas nicolas-grekas mentioned this pull request Nov 20, 2019
Merged
@nicolas-grekas nicolas-grekas mentioned this pull request Jun 30, 2020
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@derrabus derrabus derrabus left review comments

@chalasr chalasr chalasr approved these changes

Assignees
No one assigned
Labels
Bug Security Status: Reviewed
Projects
None yet
Milestone
4.4
Development

Successfully merging this pull request may close these issues.

[Security] Potential BC break with guard::start() returning nothing
6 participants
@lyrixx @stof @nicolas-grekas @derrabus @chalasr @carsonbot
Morty Proxy This is a proxified and sanitized view of the page, visit original site.