Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly
Appearance settings

[Security] Throw LogicException instead of Error when trying to generate logout-… #47932

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Oct 20, 2022
Merged

[Security] Throw LogicException instead of Error when trying to generate logout-… #47932

merged 1 commit into from
Oct 20, 2022

Conversation

addiks
Copy link
Contributor

@addiks addiks commented Oct 20, 2022

…URL without request

Q A
Branch? 4.4
Bug fix? yes
New feature? no
Deprecations? no
Tickets N/A
License MIT
Doc PR N/A

Currently the LogoutUrlGenerator will raise an Error if called without a current request present because it does not check if there is a request present before using it.
The error that is raised is: Call to a member function getBaseUrl() on null on line 110 (line 114 with this patch applied)

In my use-case, this get's called by Symfony\Bundle\SecurityBundle\DataCollector\SecurityDataCollector::collect() using the following code:

$logoutUrl = null;
try {
    if (null !== $this->logoutUrlGenerator && !$token instanceof AnonymousToken) {
        $logoutUrl = $this->logoutUrlGenerator->getLogoutPath();
    }
} catch (\Exception $e) {
    // fail silently when the logout URL cannot be generated
}

The above code inside the SecurityDataCollector tries to "fail silently" if no logout-URL cannot be generated. But this silent-fail fails itself because the thrown "exception" is not an \Exception, but an \Error instead (\Error is not an descendant of \Exception, so it does not get catched here).

In order to resolve this situation, the proposed patch makes the LogoutUrlGenerator explicitly test if a request is actually present and then throw a \LogicException instead of an \Error if that check fails.

@carsonbot carsonbot added this to the 4.4 milestone Oct 20, 2022
@carsonbot
Copy link

Hey!

I see that this is your first PR. That is great! Welcome!

Symfony has a contribution guide which I suggest you to read.

In short:

  • Always add tests
  • Keep backward compatibility (see https://symfony.com/bc).
  • Bug fixes must be submitted against the lowest maintained branch where they apply (see https://symfony.com/releases)
  • Features and deprecations must be submitted against the 6.2 branch.

Review the GitHub status checks of your pull request and try to solve the reported issues. If some tests are failing, try to see if they are failing because of this change.

When two Symfony core team members approve this change, it will be merged and you will become an official Symfony contributor!
If this PR is merged in a lower version branch, it will be merged up to all maintained branches within a few days.

I am going to sit back now and wait for the reviews.

Cheers!

Carsonbot

@fabpot
Copy link
Member

fabpot commented Oct 20, 2022

Thank you @addiks.

@fabpot fabpot merged commit 8639772 into symfony:4.4 Oct 20, 2022
@carsonbot carsonbot changed the title Throw LogicException instead of Error when trying to generate logout-… [Security] Throw LogicException instead of Error when trying to generate logout-… Oct 20, 2022
@derrabus derrabus mentioned this pull request Oct 21, 2022
Closed
@stloyd stloyd mentioned this pull request Oct 26, 2022
Closed
@nicolas-grekas
Copy link
Member

For cross-ref, the empty-stack issue has been fixed in #47857

@javiereguiluz javiereguiluz mentioned this pull request Oct 28, 2022
Closed
This was referenced Oct 28, 2022
Merged
Merged
Merged
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@fabpot fabpot fabpot approved these changes

@stof stof stof approved these changes

@wouterj wouterj Awaiting requested review from wouterj wouterj is a code owner

@chalasr chalasr Awaiting requested review from chalasr chalasr is a code owner

Assignees
No one assigned
Labels
Bug Security Status: Reviewed
Projects
None yet
Milestone
4.4
Development

Successfully merging this pull request may close these issues.
6 participants
@addiks @carsonbot @fabpot @nicolas-grekas @stof @xabbuh
Morty Proxy This is a proxified and sanitized view of the page, visit original site.