8000 security #18733 limited the maximum length of a submitted username (f… · symfony/symfony@ff93b17 · GitHub
[go: up one dir, main page]
Skip to content

Commit ff93b17

Browse files
fabpotfabpot
committed
security #18733 limited the maximum length of a submitted username (fabpot)
This PR was merged into the 2.3 branch. Discussion ---------- limited the maximum length of a submitted username | Q | A | ------------- | --- | Branch? | 2.3 | Bug fix? | yes | New feature? | no | BC breaks? | no | Deprecations? | no | Tests pass? | yes | Fixed tickets | n/a | License | MIT | Doc PR | n/a Commits ------- f8dc28a limited the maximum length of a submitted username
2 parents daa2afa + f8dc28a commit ff93b17

File tree

3 files changed

+84
-0
lines changed

3 files changed

+84
-0
lines changed

src/Symfony/Component/Security/Core/SecurityContextInterface.php

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -23,6 +23,7 @@ interface SecurityContextInterface
2323
const ACCESS_DENIED_ERROR = '_security.403_error';
2424
const AUTHENTICATION_ERROR = '_security.last_error';
2525
const LAST_USERNAME = '_security.last_username';
26+
const MAX_USERNAME_LENGTH = 4096;
2627

2728
/**
2829
* Returns the current security token.

src/Symfony/Component/Security/Http/Firewall/UsernamePasswordFormAuthenticationListener.php

Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -20,6 +20,7 @@
2020
use Symfony\Component\Security\Http\HttpUtils;
2121
use Symfony\Component\Security\Core\Authentication\AuthenticationManagerInterface;
2222
use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken;
23+
use Symfony\Component\Security\Core\Exception\BadCredentialsException;
2324
use Symfony\Component\Security\Core\Exception\InvalidCsrfTokenException;
2425
use Symfony\Component\Security\Core\SecurityContextInterface;
2526
use Symfony\Component\EventDispatcher\EventDispatcherInterface;
@@ -83,6 +84,10 @@ protected function attemptAuthentication(Request $request)
8384
$password = $request->get($this->options['password_parameter'], null, true);
8485
}
8586

87+
if (strlen($username) > SecurityContextInterface::MAX_USERNAME_LENGTH) {
88+
throw new BadCredentialsException('Invalid username.');
89+
}
90+
8691
$request->getSession()->set(SecurityContextInterface::LAST_USERNAME, $username);
8792

8893
return $this->authenticationManager->authenticate(new UsernamePasswordToken($username, $password, $this->providerKey));

src/Symfony/Component/Security/Tests/Http/Firewall/UsernamePasswordFormAuthenticationListenerTest.php

Lines changed: 78 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,78 @@
1+
<?php
2+
3+
/*
4+
* This file is part of the Symfony package.
5+
*
6+
* (c) Fabien Potencier <fabien@symfony.com>
7+
*
8+
* For the full copyright and license information, please view the LICENSE
9+
* file that was distributed with this source code.
10+
*/
11+
12+
namespace Symfony\Component\Security\Tests\Http\Firewall;
13+
14+
use Symfony\Component\HttpFoundation\Request;
15+
use Symfony\Component\HttpFoundation\Response;
16+
use Symfony\Component\Security\Http\Firewall\UsernamePasswordFormAuthenticationListener;
17+
use Symfony\Component\Security\Core\SecurityContextInterface;
18+
19+
class UsernamePasswordFormAuthenticationListenerTest extends \PHPUnit_Framework_TestCase
20+
{
21+
/**
22+
* @dataProvider getUsernameForLength
23+
*/
24+
public function testHandleWhenUsernameLength($username, $ok)
25+
{
26+
$request = Request::create('/login_check', 'POST', array('_username' => $username));
27+
$request->setSession($this->getMock('Symfony\Component\HttpFoundation\Session\SessionInterface'));
28+
29+
$httpUtils = $this->getMock('Symfony\Component\Security\Http\HttpUtils');
30+
$httpUtils
31+
->expects($this->any())
32+
->method('checkRequestPath')
33+
->will($this->returnValue(true))
34+
;
35+
36+
$failureHandler = $this->getMock('Symfony\Component\Security\Http\Authentication\AuthenticationFailureHandlerInterface');
37+
$failureHandler
38+
->expects($ok ? $this->never() : $this->once())
39+
->method('onAuthenticationFailure')
40+
->will($this->returnValue(new Response()))
41+
;
42+
43+
$authenticationManager = $this->getMockBuilder('Symfony\Component\Security\Core\Authentication\AuthenticationProviderManager')->disableOriginalConstructor()->getMock();
44+
$authenticationManager
45+
->expects($ok ? $this->once() : $this->never())
46+
->method('authenticate')
47+
->will($this->returnValue(new Response()))
48+
;
49+
50+
$listener = new UsernamePasswordFormAuthenticationListener(
51+
$this->getMock('Symfony\Component\Security\Core\SecurityContextInterface'),
52+
$authenticationManager,
53+
$this->getMock('Symfony\Component\Security\Http\Session\SessionAuthenticationStrategyInterface'),
54+
$httpUtils,
55+
'TheProviderKey',
56+
$this->getMock('Symfony\Component\Security\Http\Authentication\AuthenticationSuccessHandlerInterface'),
57+
$failureHandler,
58+
array('require_previous_session' => false)
59+
);
60+
61+
$event = $this->getMock('Symfony\Component\HttpKernel\Event\GetResponseEvent', array(), array(), '', false);
62+
$event
63+
->expects($this->any())
64+
->method('getRequest')
65+
->will($this->returnValue($request))
66+
;
67+
68+
$listener->handle($event);
69+
}
70+
71+
public function getUsernameForLength()
72+
{
73+
return array(
74+
array(str_repeat('x', SecurityContextInterface::MAX_USERNAME_LENGTH + 1), false),
75+
array(str_repeat('x', SecurityContextInterface::MAX_USERNAME_LENGTH - 1), true),
76+
);
77+
}
78+
}

0 commit comments

Comments
 (0)
0