bug #41156 [Security] Make Login Rate Limiter case insensitive (jderusse)

wouterj · wouterj · commit 1ba1305ef1ac · 2021-05-10T15:18:33.000+02:00
This PR was merged into the 5.2 branch. Discussion ---------- [Security] Make Login Rate Limiter case insensitive | Q | A | ------------- | --- | Branch? | 5.2 | Bug fix? | yes | New feature? | no | Deprecations? | no | Tickets | - | License | MIT | Doc PR | - Login RateLimiter is case sensitive, while most login forms aren't case sensitive. This PR makes `DefaultLoginRateLimiter` case insensitive. Commits ------- c333f3d Make LoginRateLimiter case insentive
diff --git a/src/Symfony/Component/Security/Http/RateLimiter/DefaultLoginRateLimiter.php b/src/Symfony/Component/Security/Http/RateLimiter/DefaultLoginRateLimiter.php
@@ -41,7 +41,7 @@ protected function getLimiters(Request $request): array
     {
         return [
             $this->globalFactory->create($request->getClientIp()),
-            $this->localFactory->create($request->attributes->get(Security::LAST_USERNAME).'-'.$request->getClientIp()),
+            $this->localFactory->create(strtolower($request->attributes->get(Security::LAST_USERNAME)).'-'.$request->getClientIp()),
         ];
     }
 }
diff --git a/src/Symfony/Component/Security/Http/Tests/EventListener/LoginThrottlingListenerTest.php b/src/Symfony/Component/Security/Http/Tests/EventListener/LoginThrottlingListenerTest.php
@@ -73,6 +73,21 @@ public function testPreventsLoginWhenOverLocalThreshold()
         $this->listener->checkPassport($this->createCheckPassportEvent($passport));
     }
 
+    public function testPreventsLoginWithMultipleCase()
+    {
+        $request = $this->createRequest();
+        $passports = [$this->createPassport('wouter'), $this->createPassport('Wouter'), $this->createPassport('wOuter')];
+
+        $this->requestStack->push($request);
+
+        for ($i = 0; $i < 3; ++$i) {
+            $this->listener->checkPassport($this->createCheckPassportEvent($passports[$i % 3]));
+        }
+
+        $this->expectException(TooManyLoginAttemptsAuthenticationException::class);
+        $this->listener->checkPassport($this->createCheckPassportEvent($passports[0]));
+    }
+
     public function testPreventsLoginWhenOverGlobalThreshold()
     {
         $request = $this->createRequest();

Original file line number	Diff line number	Diff line change
`@@ -41,7 +41,7 @@ protected function getLimiters(Request $request): array`
`41`	`41`	`{`
`42`	`42`	`return [`
`43`	`43`	`$this->globalFactory->create($request->getClientIp()),`
`44`		`- $this->localFactory->create($request->attributes->get(Security::LAST_USERNAME).'-'.$request->getClientIp()),`
	`44`	`+ $this->localFactory->create(strtolower($request->attributes->get(Security::LAST_USERNAME)).'-'.$request->getClientIp()),`
`45`	`45`	`];`
`46`	`46`	`}`
`47`	`47`	`}`