[Security] Enforce maximum username length in UserBadge #46584
Conversation
| @@ -27,6 +28,8 @@ | |||
| */ | |||
| class UserBadge implements BadgeInterface | |||
| { | |||
| public const MAX_USERNAME_LENGTH = 4096; | |||
There was a problem hiding this comment.
Perhaps out of context but why reintroducing username here? Why not user identifier?
There was a problem hiding this comment.
We need a more advanced BC layer for that. I'm going to work on getting rid of that "username" leftovers in a dedicated PR if we don't do it here (there's also Security::LAST_USERNAME)
|
Thank you @wouterj. |
…halasr) This PR was merged into the 6.2 branch. Discussion ---------- [Security] Centralize max username length enforcement | Q | A | ------------- | --- | Branch? | 6.2 | Bug fix? | no | New feature? | no | Deprecations? | no | Tickets | - | License | MIT | Doc PR | - Cleans up the max username length enforcement across the board. Authenticators do not need to check it on their own since #46584. Commits ------- 9fd1e82 [Security] Centralize max username length enforcement
|
EDIT : Opened a dedicated issue here Hello there, Simple thought about the way this has been resolved :
For most usages, it will probably be enough, but it implies there will be some case where it won't. Later, you're supposed to retrieve your identifier in a user provider or in the closure of user badge to construct your "user". Passing your token in the UserBadge construct will instantly trigger the hard coded security test provided by this commit : There aren't any explicit restriction on oauth2 token size, which can lead here to a much bigger size of 4096 chars if the token comes with a bunch of permission in it. And I'm talking about oauth2 here as an example but it could be any other specific reason. The fact is that, having a security test is good here, but the arbitrary 4096-character-constant-restriction which relies on "it should be more than enough for normal usages" is a bit hard, because it only relies on personal apreciation. There should be a way, for people who know the risks, to easily override or bypass that restrictrion or to change the value of MAX_USERNAME_LENGTH, but the fact that it is a class constant accessed with the "self::" keyword makes it difficult due to the fact a constant is, by definition, made to stay untouched. A long term solution could be to add a configuration parameter to properly override MAX_USERNAME_LENGTH if set. Z. |
In 2016, a CVE release was made to harden all build-in authenticators for session storage flooding attacks: https://symfony.com/blog/cve-2016-4423-large-username-storage-in-session With the new security system, we can extend the hardening to all authenticators by enforcing the maximum user length in the
UserBadge.I believe we can do this as a "bugfix" in 6.2 directly, based on this reasoning from the blog post: "To avoid any BC break, the limit is set to 4096 characters, which should be more than enough for normal usages." For full stability safety, I think it's better to not do this on 5.4.