bug #51445 [Security] FormLoginAuthenticator: fail for non-string password (dmaicher)
This PR was squashed before being merged into the 5.4 branch. Discussion ---------- [Security] FormLoginAuthenticator: fail for non-string password | Q | A | ------------- | --- | Branch? | 5.4 | Bug fix? | yes | New feature? | no | Deprecations? | no | Tickets | Fix #51441 | License | MIT | Doc PR | - <!-- Replace this notice by a short README for your feature/bugfix. This will help reviewers and should be a good start for the documentation. Additionally (see https://symfony.com/releases): - Always add tests and ensure they pass. - Bug fixes must be submitted against the lowest maintained branch where they apply (lowest branches are regularly merged to upper ones so they get the fixes too). - Features and deprecations must be submitted against the latest branch. - For new features, provide some code snippets to help understand usage. - Changelog entry should follow https://symfony.com/doc/current/contributing/code/conventions.html#writing-a-changelog-entry - Never break backward compatibility (see https://symfony.com/bc). --> Fixes #51441 by handling it similar to the username and throwing a `BadRequestHttpException`. Commits ------- dc5660e [Security] FormLoginAuthenticator: fail for non-string password
2 parents f874dd2 + dc5660e commit 6b34c00

2 files changed

+43
-0
lines changed


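--- a/src/Symfony/Component/Security/Http/Authenticator/FormLoginAuthenticator.php
+++ b/src/Symfony/Component/Security/Http/Authenticator/FormLoginAuthenticator.php
@@ -157,6 +157,10 @@ private function getCredentials(Request $request): array
 
 $request->getSession()->set(Security::LAST_USERNAME, $credentials['username']);
 
+if (!\is_string($credentials['password']) && (!\is_object($credentials['password']) || !method_exists($credentials['password'], '__toString'))) {
+throw new BadRequestHttpException(sprintf('The key "%s" must be a string, "%s" given.', $this->options['password_parameter'], \gettype($credentials['password'])));
+}
+
 return $credentials;
 }
 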
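Review bot: The new guard on line 160 is undocumented, and a reader has to work out why an object with `__toString` is let through while arrays and other objects are rejected; a one-line comment above the `if` would tie it to the username handling the commit description refers to, e.g. `// Same rule as for the username: accept strings and objects convertible to string, reject anything else with a 400 rather than a TypeError further down.` The check runs after the session write on line 158, so a request with a malformed password still records LAST_USERNAME; if that is not intended, the guard could move above that line. Note also that `\gettype()` yields `"object"` for any non-stringable object, which matches the (presumably identical) username message but hides the class name. The body of getCredentials starts outside the hunk.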
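--- a/src/Symfony/Component/Security/Http/Tests/Authenticator/FormLoginAuthenticatorTest.php
+++ b/src/Symfony/Component/Security/Http/Tests/Authenticator/FormLoginAuthenticatorTest.php
@@ -23,6 +23,7 @@
 use Symfony\Component\Security\Http\Authenticator\FormLoginAuthenticator;
 use Symfony\Component\Security\Http\Authenticator\Passport\Badge\CsrfTokenBadge;
 use Symfony\Component\Security\Http\Authenticator\Passport\Badge\PasswordUpgradeBadge;
+use Symfony\Component\Security\Http\Authenticator\Passport\Credentials\PasswordCredentials;
 use Symfony\Component\Security\Http\HttpUtils;
 use Symfony\Component\Security\Http\Tests\Authenticator\Fixtures\PasswordUpgraderProvider;
 
@@ -126,6 +127,44 @@ public function testHandleNonStringUsernameWithToString($postOnly)
 $this->authenticator->authenticate($request);
 }
 
+/**
+* @dataProvider postOnlyDataProvider
+*/
+public function testHandleNonStringPasswordWithArray(bool $postOnly)
+{
+$this->expectException(BadRequestHttpException::class);
+$this->expectExceptionMessage('The key "_password" must be a string, "array" given.');
+
+$request = Request::create('/login_check', 'POST', ['_username' => 'foo', '_password' => []]);
+$request->setSession($this->createSession());
+
+$this->setUpAuthenticator(['post_only' => $postOnly]);
+$this->authenticator->authenticate($request);
+}
+
+/**
+* @dataProvider postOnlyDataProvider
+*/
+public function testHandleNonStringPasswordWithToString(bool $postOnly)
+{
+$passwordObject = new class() {
+public function __toString()
+{
+return 's$cr$t';
+}
+};
+
+$request = Request::create('/login_check', 'POST', ['_username' => 'foo', '_password' => $passwordObject]);
+$request->setSession($this->createSession());
+
+$this->setUpAuthenticator(['post_only' => $postOnly]);
+$passport = $this->authenticator->authenticate($request);
+
+/** @var PasswordCredentials $credentialsBadge */
+$credentialsBadge = $passport->getBadge(PasswordCredentials::class);
+$this->assertSame('s$cr$t', $credentialsBadge->getPassword());
+}
+
 public static function postOnlyDataProvider()
 {
 yield [true];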
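Review bot: The second rejection branch of the new guard — an object that has no `__toString`, which the authenticator reports as `"object" given` — is not exercised: `testHandleNonStringPasswordWithArray` covers the array case and `testHandleNonStringPasswordWithToString` only the accepted case. A third dataset-driven test passing `new \stdClass()` would pin that branch and the exact message for it, which matters because the message text is what the other tests assert on. As a point of style, the new methods type their parameter as `bool $postOnly` while the neighbouring `testHandleNonStringUsernameWithToString($postOnly)` does not; aligning the older signature when this file is next touched would keep the data-provider methods uniform.

```php
// … unchanged: testHandleNonStringPasswordWithToString …

/**
 * @dataProvider postOnlyDataProvider
 */
public function testHandleNonStringPasswordWithObject(bool $postOnly)
{
    $this->expectException(BadRequestHttpException::class);
    $this->expectExceptionMessage('The key "_password" must be a string, "object" given.');

    $request = Request::create('/login_check', 'POST', ['_username' => 'foo', '_password' => new \stdClass()]);
    $request->setSession($this->createSession());

    $this->setUpAuthenticator(['post_only' => $postOnly]);
    $this->authenticator->authenticate($request);
}

// … unchanged: postOnlyDataProvider …
```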
