[Security] Don't allow empty username or empty password #46118


Merged
merged 1 commit into from
Jul 20, 2022

Conversation


@bikalbasnet bikalbasnet commented Apr 20, 2022

| Q             | A      |
|---------------|--------|
| Branch?       | 6.2    |
| Bug fix?      | no     |
| New feature?  | yes    |
| Deprecations? | yes    |
| Tickets       | #46100 |
| License       | MIT    |
| Doc PR        | -      |

Reopened from #46109 into the 6.1 branch, as this is not a bug but rather a security feature.

@chalasr
Member

chalasr commented Apr 20, 2022

This is a BC break, which Symfony doesn't allow in minor versions. We need to deprecate passing empty strings at first, then convert the deprecation to an error in the next major version.

@fabpot fabpot modified the milestones: 6.1, 6.2 Apr 22, 2022
@bikalbasnet bikalbasnet force-pushed the 6.1-not-allow-empty-usr-pwd branch from 1a80ed6 to 97c716e on April 24, 2022 06:37
@bikalbasnet
Author

@chalasr Do I need to create a new UPGRADE-6.2.md myself, or do I have to wait until the 6.2 branch is created?

@wouterj
Member

wouterj commented Apr 25, 2022

We'll create the 6.2 branch after the stabilization period; you can then rebase this PR on the new 6.1 branch. I guess you can create a new UPGRADE-6.2.md file.

@fabpot fabpot force-pushed the 6.1-not-allow-empty-usr-pwd branch from 71e61b2 to db5afbd on July 20, 2022 16:39
@fabpot
Member

fabpot commented Jul 20, 2022

Thank you @bikalbasnet.

@adrianrudnik
Contributor

adrianrudnik commented Mar 5, 2023

Just came across this in some application tests. Right now I get the 401 HTTP status code and the user deprecation. What is the upcoming target? From the other closed commits I assume a 400 HTTP status code instead?

The wording "Passing empty username or password parameter when using JsonLoginAuthenticator is not supported anymore" is somewhat strange, as JSON clients could still send empty usernames and passwords. Or is there a change in this mechanic planned?
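To make the two stages discussed in this thread concrete (reject empty credentials with a deprecation in a minor release, then with a hard error in the next major), here is an added, self-contained PHP example. It is not Symfony's JsonLoginAuthenticator code and not written by any participant of this PR; the function, class and message names are hypothetical, and the sample request bodies are constructed. The point it demonstrates is that an empty username or password is an input-validation failure and is best refused at the request boundary, before any user lookup or password check runs.

```php
<?php
// Added example (not Symfony's code): an input check for a JSON login
// endpoint that rejects empty credentials before any user lookup happens.
// The two policies mirror the BC process discussed in the thread: in a
// minor version an empty value only records a deprecation and the request
// continues; in the next major version it is refused with a 400 response.
// All names below are hypothetical.

declare(strict_types=1);

final class EmptyCredentialsPolicy
{
    public const DEPRECATE = 'deprecate'; // minor version: warn, keep processing
    public const REJECT = 'reject';       // next major: refuse the request
}

/**
 * Validates the shape of a JSON login payload.
 *
 * Returns ['status' => int, 'body' => array, 'deprecations' => string[]].
 * A 200 here only means the payload was well-formed; authenticating the
 * credentials against a user provider happens afterwards and is not modelled.
 */
function handleJsonLogin(string $rawBody, string $policy): array
{
    $deprecations = [];
    $data = json_decode($rawBody, true);

    // Malformed JSON or missing keys: a client error regardless of policy.
    if (!is_array($data) || !array_key_exists('username', $data) || !array_key_exists('password', $data)) {
        return ['status' => 400, 'body' => ['error' => 'Invalid JSON login payload.'], 'deprecations' => $deprecations];
    }

    $username = $data['username'];
    $password = $data['password'];

    // Non-string values are treated like missing keys.
    if (!is_string($username) || !is_string($password)) {
        return ['status' => 400, 'body' => ['error' => 'Username and password must be strings.'], 'deprecations' => $deprecations];
    }

    if ('' === $username || '' === $password) {
        if (EmptyCredentialsPolicy::REJECT === $policy) {
            return ['status' => 400, 'body' => ['error' => 'Username and password must not be empty.'], 'deprecations' => $deprecations];
        }
        // Deprecation policy: record the warning and let the request proceed
        // to the (unmodelled) authentication step, which is where a 401 would
        // later come from.
        $deprecations[] = 'Passing an empty username or password to the JSON login endpoint is deprecated and will be rejected with a 400 response in the next major version.';
    }

    return ['status' => 200, 'body' => ['username' => $username], 'deprecations' => $deprecations];
}

// Constructed sample request bodies for demonstration.
$samples = [
    '{"username":"","password":"secret"}',
    '{"username":"alice","password":""}',
    '{"username":"alice","password":"secret"}',
    '{"username":"alice"}',
];

foreach ([EmptyCredentialsPolicy::DEPRECATE, EmptyCredentialsPolicy::REJECT] as $policy) {
    foreach ($samples as $body) {
        $result = handleJsonLogin($body, $policy);
        printf("%-9s %-42s -> %d%s\n", $policy, $body, $result['status'],
            $result['deprecations'] ? ' (deprecation recorded)' : '');
    }
}
```

In a real Symfony application the `$deprecations[]` line would be a `trigger_deprecation()` call from symfony/deprecation-contracts and the 400 branch would throw a `BadRequestHttpException`; the example collects both into a return value so it can be run and inspected without the framework.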

@chalasr
Member

chalasr commented Mar 5, 2023

@adrianrudnik I'm not sure I truly understand what the question is here.
Anyway, if you think there's something wrong or inconsistent, please consider opening a separate issue with enough details to reproduce.

@bikalbasnet bikalbasnet deleted the 6.1-not-allow-empty-usr-pwd branch April 28, 2023 04:04