[Security] FormLoginAuthenticator fails when password is an array #51441


Closed
dmaicher opened this issue Aug 21, 2023 · 1 comment
Comments

@dmaicher
Contributor

dmaicher commented Aug 21, 2023

Symfony version(s) affected

5.4+

Description

Symfony\Component\Security\Http\Authenticator\Passport\Credentials\PasswordCredentials::__construct(): Argument #1 ($password) must be of type string, array given, called in /var/www/app/vendor/symfony/security-http/Authenticator/FormLoginAuthenticator.php on line 85

How to reproduce

Post array data for the password to a form login

curl -X POST --data '_username=foo&_password[]=bar' http://app.dev/login_check

Possible Solution

I saw that for the username there is a check in place:

if (!\is_string($credentials['username']) && !$credentials['username'] instanceof \Stringable) {

Maybe we can do the same for the password? Happy to contribute this if it makes sense

Additional Context

Actually in dev mode there is another issue with the data collector:

TypeError:
rawurlencode(): Argument #1 ($string) must be of type string, array given

  at /var/www/app/vendor/symfony/http-kernel/DataCollector/RequestDataCollector.php:127
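The guard the reporter quotes for the username can be applied to the password field in the same way. The following is an added example, not Symfony's or the reporter's code: the helper name extractFormLoginCredentials, its parameters and the $post array (standing in for the decoded request body) are assumptions, and the exception class is declared locally only as a stand-in so the script runs without the framework installed. A value that PHP decoded as an array (which is what `_password[]=bar` produces) is rejected with a 400-class exception instead of reaching PasswordCredentials and surfacing as a TypeError.

```php
<?php
declare(strict_types=1);

// Added example, not Symfony's own code. The class below is a stand-in for
// Symfony\Component\HttpKernel\Exception\BadRequestHttpException so that this
// script runs on its own; with the framework installed the real class is used.
namespace Symfony\Component\HttpKernel\Exception {
    if (!class_exists(BadRequestHttpException::class, false)) {
        class BadRequestHttpException extends \RuntimeException {}
    }
}

namespace {
    use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;

    /**
     * Hypothetical helper: applies the same type guard to the username and
     * the password field. $post stands for the decoded POST body.
     * Returns ['username' => string, 'password' => string].
     */
    function extractFormLoginCredentials(array $post, string $usernameParam = '_username', string $passwordParam = '_password'): array
    {
        $credentials = [
            'username' => $post[$usernameParam] ?? '',
            'password' => $post[$passwordParam] ?? '',
        ];

        foreach ($credentials as $name => $value) {
            // A field named "_password[]" decodes to an array. Anything that is not
            // a string (or Stringable) is a malformed request, so reject it with a
            // 400 instead of letting a TypeError escape as a 500.
            if (!\is_string($value) && !$value instanceof \Stringable) {
                throw new BadRequestHttpException(sprintf(
                    'The key "%s" must be a string, "%s" given.',
                    $name,
                    \get_debug_type($value)
                ));
            }
            $credentials[$name] = (string) $value;
        }

        return $credentials;
    }

    // Constructed inputs: the second mirrors "_username=foo&_password[]=bar" from the report.
    $wellFormed = ['_username' => 'foo', '_password' => 'bar'];
    $malformed  = ['_username' => 'foo', '_password' => ['bar']];

    var_dump(extractFormLoginCredentials($wellFormed));

    try {
        extractFormLoginCredentials($malformed);
    } catch (BadRequestHttpException $e) {
        echo 'Rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```

Running the script prints the normalised credentials for the first input and `Rejected: The key "password" must be a string, "array" given.` for the second; the same loop also covers the case where both fields are arrays, which the original single username check would not.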
@derrabus
Member

Please send a PR.

nicolas-grekas added a commit that referenced this issue Aug 23, 2023
…sword (dmaicher)

This PR was squashed before being merged into the 5.4 branch.

Discussion
----------

[Security] FormLoginAuthenticator: fail for non-string password

| Q             | A
| ------------- | ---
| Branch?       | 5.4
| Bug fix?      | yes
| New feature?  | no
| Deprecations? | no
| Tickets       | Fix #51441
| License       | MIT
| Doc PR        | -

Fixes #51441 by handling it similar to the username and throwing a `BadRequestHttpException`.

Commits
-------

dc5660e [Security] FormLoginAuthenticator: fail for non-string password