Merge branch '3.4' into 4.4

nicolas-grekas · nicolas-grekas · commit cbdb66a1d115 · 2021-05-19T14:06:31.000+02:00
* 3.4:
  [Security\Core] Fix user enumeration via response body on invalid credentials
  Update VERSION for 3.4.48
  Update CHANGELOG for 3.4.48
diff --git a/src/Symfony/Component/Security/Core/Authentication/Provider/UserAuthenticationProvider.php b/src/Symfony/Component/Security/Core/Authentication/Provider/UserAuthenticationProvider.php
@@ -81,7 +81,7 @@ public function authenticate(TokenInterface $token)
             $this->userChecker->checkPreAuth($user);
             $this->checkAuthentication($user, $token);
             $this->userChecker->checkPostAuth($user);
-        } catch (AccountStatusException $e) {
+        } catch (AccountStatusException | BadCredentialsException $e) {
             if ($this->hideUserNotFoundExceptions) {
                 throw new BadCredentialsException('Bad credentials.', 0, $e);
             }
diff --git a/src/Symfony/Component/Security/Core/Tests/Authentication/Provider/UserAuthenticationProviderTest.php b/src/Symfony/Component/Security/Core/Tests/Authentication/Provider/UserAuthenticationProviderTest.php
@@ -69,6 +69,24 @@ public function testAuthenticateWhenUsernameIsNotFoundAndHideIsTrue()
         $provider->authenticate($this->getSupportedToken());
     }
 
+    public function testAuthenticateWhenCredentialsAreInvalidAndHideIsTrue()
+    {
+        $provider = $this->getProvider();
+        $provider->expects($this->once())
+            ->method('retrieveUser')
+            ->willReturn($this->createMock(UserInterface::class))
+        ;
+        $provider->expects($this->once())
+            ->method('checkAuthentication')
+            ->willThrowException(new BadCredentialsException())
+        ;
+
+        $this->expectException(BadCredentialsException::class);
+        $this->expectExceptionMessage('Bad credentials.');
+
+        $provider->authenticate($this->getSupportedToken());
+    }
+
     public function testAuthenticateWhenProviderDoesNotReturnAnUserInterface()
     {
         $this->expectException(AuthenticationServiceException::class);

Original file line number	Diff line number	Diff line change
`@@ -81,7 +81,7 @@ public function authenticate(TokenInterface $token)`
`81`	`81`	`$this->userChecker->checkPreAuth($user);`
`82`	`82`	`$this->checkAuthentication($user, $token);`
`83`	`83`	`$this->userChecker->checkPostAuth($user);`
`84`		`- } catch (AccountStatusException $e) {`
	`84`	`+ } catch (AccountStatusException \| BadCredentialsException $e) {`
`85`	`85`	`if ($this->hideUserNotFoundExceptions) {`
`86`	`86`	`throw new BadCredentialsException('Bad credentials.', 0, $e);`
`87`	`87`	`}`