8000 security #cve-2021-21424 [Security\Core] Fix user enumeration via res… · symfony/symfony@1ad13fe · GitHub
security #cve-2021-21424 [Security\Core] Fix user enumeration via response body on invalid credentials (chalasr)
This PR was merged into the 3.4 branch.
2 parents d0d17db + e850700 commit 1ad13fe

2 files changed

+21
-2
lines changed


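--- a/src/Symfony/Component/Security/Core/Authentication/Provider/UserAuthenticationProvider.php
+++ b/src/Symfony/Component/Security/Core/Authentication/Provider/UserAuthenticationProvider.php
@@ -84,8 +84,8 @@ public function authenticate(TokenInterface $token)
 $this->userChecker->checkPreAuth($user);
 $this->checkAuthentication($user, $token);
 $this->userChecker->checkPostAuth($user);
-} catch (AccountStatusException $e) {
-if ($this->hideUserNotFoundExceptions) {
+} catch (AuthenticationException $e) {
+if ($this->hideUserNotFoundExceptions && ($e instanceof AccountStatusException || $e instanceof BadCredentialsException)) {
 throw new BadCredentialsException('Bad credentials.', 0, $e);
 }
 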
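Review bot: The rethrown `BadCredentialsException('Bad credentials.', 0, $e)` on the unchanged line 89 still chains the original exception as `previous`, so the masking only holds as long as every consumer surfaces the outer message alone; a failure handler, debug error page or logger that renders the exception chain (or calls `$e->getPrevious()->getMessageKey()`) would still expose the account-status or credential detail this fix is meant to hide. That is fine for server-side logging but worth stating at the catch, e.g. `// Mask account-status and bad-credential failures behind one generic message; the original is kept as previous for logging only and must never reach the client.` The new `catch (AuthenticationException $e)` is broader than the old `AccountStatusException` catch, and what happens to the other `AuthenticationException` subclasses when the `if` is not taken is outside the hunk; presumably they are rethrown unchanged, which is only safe if none of them carries per-user detail. The body of `authenticate()` continues past the end of the hunk.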
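--- a/src/Symfony/Component/Security/Core/Tests/Authentication/Provider/UserAuthenticationProviderTest.php
+++ b/src/Symfony/Component/Security/Core/Tests/Authentication/Provider/UserAuthenticationProviderTest.php
@@ -18,6 +18,7 @@
 use Symfony\Component\Security\Core\Exception\UsernameNotFoundException;
 use Symfony\Component\Security\Core\Role\Role;
 use Symfony\Component\Security\Core\Role\SwitchUserRole;
+use Symfony\Component\Security\Core\User\UserInterface;
 
 class UserAuthenticationProviderTest extends TestCase
 {
@@ -62,6 +63,24 @@ public function testAuthenticateWhenUsernameIsNotFoundAndHideIsTrue()
 $provider->authenticate($this->getSupportedToken());
 }
 
+public function testAuthenticateWhenCredentialsAreInvalidAndHideIsTrue()
+{
+$provider = $this->getProvider();
+$provider->expects($this->once())
+->method('retrieveUser')
+->willReturn($this->createMock(UserInterface::class))
+;
+$provider->expects($this->once())
+->method('checkAuthentication')
+->willThrowException(new BadCredentialsException())
+;
+
+$this->expectException(BadCredentialsException::class);
+$this->expectExceptionMessage('Bad credentials.');
+
+$provider->authenticate($this->getSupportedToken());
+}
+
 /**
 * @group legacy
 */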
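Review bot: The new `testAuthenticateWhenCredentialsAreInvalidAndHideIsTrue` makes `checkAuthentication` throw `new BadCredentialsException()` with an empty message, so it shows that a `BadCredentialsException` carrying the generic text comes out but never demonstrates that a distinguishing message is actually suppressed; give the inner exception a telling message, `->willThrowException(new BadCredentialsException('password mismatch for user foo'))`, so that `expectExceptionMessage('Bad credentials.')` (which PHPUnit evaluates as a substring match) can only pass if the provider replaced the message rather than rethrowing `$e`. A companion `testAuthenticateWhenCredentialsAreInvalidAndHideIsFalse` asserting that the original exception propagates unchanged would pin the other branch of the new condition, and a `try`/`catch` variant could additionally assert that `$e->getPrevious()` is the original exception, which `expectException` alone cannot check. The hunk ends inside the test class, whose body continues past the `@group legacy` docblock.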
