Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly
Appearance settings

[Security][Http][SwitchUserListener] Ignore all non existent username protection errors #36223

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Apr 1, 2020
Merged

[Security][Http][SwitchUserListener] Ignore all non existent username protection errors #36223

merged 1 commit into from
Apr 1, 2020

Conversation

fancyweb
Copy link
Contributor

@fancyweb fancyweb commented Mar 26, 2020
edited
Loading

Q A
Branch? 4.4
Bug fix? yes
New feature? no
Deprecations? no
Tickets #36174
License MIT
Doc PR -

Since we generate the non existent username blindly, it can lead to Doctrine exceptions or any other exception.

We can catch all exceptions here but I guess it reduces the protection since the SQL query was not executed?

Alternative: we can only catch Doctrine DriverException (in addition to the existing AuthenticationException) and only silent the reported error codes?

@nicolas-grekas
Copy link
Member

nicolas-grekas commented Mar 26, 2020
edited
Loading

The driver/authenticator should be updated instead to me - it should throw an AuthenticationException

@nicolas-grekas nicolas-grekas added this to the 4.4 milestone Mar 26, 2020
@fancyweb fancyweb changed the base branch from 4.4 to 3.4 March 26, 2020 17:20
@fancyweb fancyweb force-pushed the security-switch-user-listener-fix branch from ca680e1 to 3843cde Compare March 26, 2020 17:20
@fancyweb fancyweb changed the title [Security][Http][SwitchUserListener] Ignore all non existent username protection errors [DoctrineBridge] Throw AuthenticationException if the user entity cannot be fetched at all Mar 26, 2020
fancyweb
fancyweb commented Mar 26, 2020
View reviewed changes
src/Symfony/Bridge/Doctrine/Security/User/EntityUserProvider.php Outdated Show resolved Hide resolved
@fancyweb fancyweb force-pushed the security-switch-user-listener-fix branch from 3843cde to a874f45 Compare March 26, 2020 18:37
@fancyweb fancyweb mentioned this pull request Mar 26, 2020
Closed
@nicolas-grekas nicolas-grekas modified the milestones: 4.4, 3.4 Mar 27, 2020
nicolas-grekas
nicolas-grekas approved these changes Mar 27, 2020
View reviewed changes
Copy link
Member

@nicolas-grekas nicolas-grekas left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

(once fabbot's report is fixed) <= false positive

xabbuh
xabbuh previously approved these changes Mar 27, 2020
View reviewed changes
@derrabus
Copy link
Member

This does not feel right. DriverException could mean virtually anything. The database could be down, the table structure could be broken, … Those are hard errors that I would expect to result in an HTTP 500 error.

@fancyweb
Copy link
Contributor Author

fancyweb commented Mar 27, 2020
edited
Loading

Should we narrow to some specific error codes then?

@xabbuh
Copy link
Member

xabbuh commented Mar 27, 2020

That's indeed a good point. What about moving the try catch to that particular statement in SwitchUserListener instead?

@fancyweb
Copy link
Contributor Author

That's indeed a good point. What about moving the try catch to that particular statement in SwitchUserListener instead?

That's what I did in the first place, until Nicolas' comment.

@nicolas-grekas
Copy link
Member

That's what I did in the first place, until Nicolas' comment.

I confirm: the issue is in the Doctrine bridge, not in the SwitchUserListener (which doesn't know anything bout databases.)

@wouterj
Copy link
Member

wouterj commented Mar 27, 2020

Hmm, I would prefer to change this inner catch() to catch all exceptions:

symfony/src/Symfony/Component/Security/Http/Firewall/SwitchUserListener.php

Lines 156 to 167 in e0de6cc

try {
$user = $this->provider->loadUserByUsername($username);
try {
$this->provider->loadUserByUsername($nonExistentUsername);
} catch (AuthenticationException $e) {
}
} catch (AuthenticationException $e) {
$this->provider->loadUserByUsername($currentUsername);
throw $e;
}

Putting this in the EntityUserProvider is too generic, as @derrabus pointed out. The doctrine error can be anything and we only want to ignore these errors for the fake username.

The first loadUserByUsername call does only catch authentication exceptions. Thus any db error other than invalid username type is already catched by the first call. The second call thus only fail when the username is of the wrong type afaics.

@nicolas-grekas
Copy link
Member

The first loadUserByUsername call does only catch authentication exceptions. Thus any db error other than invalid username type is already catched by the first call. The second call thus only fail when the username is of the wrong type afaics.

OK, good argument! Let's revert to your initial proposal then @fancyweb, and sorry for the confusion :)

@fancyweb fancyweb force-pushed the security-switch-user-listener-fix branch from a874f45 to 42311d5 Compare April 1, 2020 09:17
@fancyweb fancyweb requested review from dunglas and lyrixx as code owners April 1, 2020 09:17
@fancyweb fancyweb requested a review from sroze as a code owner April 1, 2020 09:17
@fancyweb fancyweb changed the base branch from 3.4 to 4.4 April 1, 2020 09:17
@fancyweb
Copy link
Contributor Author

fancyweb commented Apr 1, 2020

I reverted to the initial change (on 4.4). Sorry for the massive ping 😅

@fancyweb fancyweb changed the title [DoctrineBridge] Throw AuthenticationException if the user entity cannot be fetched at all [Security][Http][SwitchUserListener] Ignore all non existent username protection errors Apr 1, 2020
@nicolas-grekas
Copy link
Member

Thank you @fancyweb.

@nicolas-grekas nicolas-grekas merged commit 15edfd3 into symfony:4.4 Apr 1, 2020
@fancyweb fancyweb deleted the security-switch-user-listener-fix branch April 1, 2020 09:29
This was referenced Apr 28, 2020
Merged
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@nicolas-grekas nicolas-grekas nicolas-grekas approved these changes

@chalasr chalasr chalasr approved these changes

@xabbuh xabbuh xabbuh left review comments

@dunglas dunglas Awaiting requested review from dunglas

@lyrixx lyrixx Awaiting requested review from lyrixx

@sroze sroze Awaiting requested review from sroze

Assignees
No one assigned
Labels
Bug Security Status: Needs Review
Projects
None yet
Milestone
3.4
Development

Successfully merging this pull request may close these issues.
7 participants
@fancyweb @nicolas-grekas @derrabus @xabbuh @wouterj @chalasr @carsonbot
Morty Proxy This is a proxified and sanitized view of the page, visit original site.