From ca80946379ff16694401e6f4065c70c3dc9a581b Mon Sep 17 00:00:00 2001 From: Fabien Potencier Date: Fri, 29 Apr 2016 11:36:11 +0200 Subject: [PATCH 01/10] bumped Symfony version to 2.3.41 --- src/Symfony/Component/HttpKernel/Kernel.php | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/src/Symfony/Component/HttpKernel/Kernel.php b/src/Symfony/Component/HttpKernel/Kernel.php index 27906badeb9aa..71cc0a60de511 100644 --- a/src/Symfony/Component/HttpKernel/Kernel.php +++ b/src/Symfony/Component/HttpKernel/Kernel.php @@ -58,12 +58,12 @@ abstract class Kernel implements KernelInterface, TerminableInterface protected $startTime; protected $loadClassCache; - const VERSION = '2.3.40'; - const VERSION_ID = 20340; + const VERSION = '2.3.41-DEV'; + const VERSION_ID = 20341; const MAJOR_VERSION = 2; const MINOR_VERSION = 3; - const RELEASE_VERSION = 40; - const EXTRA_VERSION = ''; + const RELEASE_VERSION = 41; + const EXTRA_VERSION = 'DEV'; /** * Constructor. From af4ca4f48b1aca08991f30ef7b4cdb58002c369e Mon Sep 17 00:00:00 2001 From: Daniel Espendiller Date: Mon, 2 May 2016 19:21:33 +0200 Subject: [PATCH 02/10] add @Event annotation for AuthenticationEvents --- src/Symfony/Component/Security/Core/AuthenticationEvents.php | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/src/Symfony/Component/Security/Core/AuthenticationEvents.php b/src/Symfony/Component/Security/Core/AuthenticationEvents.php index 90b714267466c..13bce30768908 100644 --- a/src/Symfony/Component/Security/Core/AuthenticationEvents.php +++ b/src/Symfony/Component/Security/Core/AuthenticationEvents.php @@ -20,6 +20,8 @@ final class AuthenticationEvents * The event listener method receives a * Symfony\Component\Security\Core\Event\AuthenticationEvent instance. * + * @Event + * * @var string */ const AUTHENTICATION_SUCCESS = 'security.authentication.success'; 
@@ -32,6 +34,8 @@ final class AuthenticationEvents * Symfony\Component\Security\Core\Event\AuthenticationFailureEvent * instance. * + * @Event + * * @var string */ const AUTHENTICATION_FAILURE = 'security.authentication.failure'; From 13a47c3c6ddd9e5287ece292b9cc57d77dd22c5c Mon Sep 17 00:00:00 2001 From: Christian Flothmann Date: Wed, 4 May 2016 21:53:17 +0200 Subject: [PATCH 03/10] top-level anonymous services must be public --- .../Component/DependencyInjection/Loader/XmlFileLoader.php | 6 +++--- .../DependencyInjection/Tests/Loader/XmlFileLoaderTest.php | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/src/Symfony/Component/DependencyInjection/Loader/XmlFileLoader.php b/src/Symfony/Component/DependencyInjection/Loader/XmlFileLoader.php index 0314ba6809586..f324aa969cc33 100644 --- a/src/Symfony/Component/DependencyInjection/Loader/XmlFileLoader.php +++ b/src/Symfony/Component/DependencyInjection/Loader/XmlFileLoader.php @@ -237,6 +237,9 @@ private function processAnonymousServices(SimpleXMLElement $xml, $file) $definitions[(string) $node['id']] = array($node->service, $file, false); $node->service['id'] = (string) $node['id']; + + // anonymous services are always private + $node->service['public'] = false; } } @@ -254,9 +257,6 @@ private function processAnonymousServices(SimpleXMLElement $xml, $file) // resolve definitions krsort($definitions); foreach ($definitions as $id => $def) { - // anonymous services are always private - $def[0]['public'] = false; - $this->parseDefinition($id, $def[0], $def[1]); $oNode = dom_import_simplexml($def[0]); diff --git a/src/Symfony/Component/DependencyInjection/Tests/Loader/XmlFileLoaderTest.php b/src/Symfony/Component/DependencyInjection/Tests/Loader/XmlFileLoaderTest.php index 38ee13d5ff73e..a8f8f35133ae5 100644 --- a/src/Symfony/Component/DependencyInjection/Tests/Loader/XmlFileLoaderTest.php +++ b/src/Symfony/Component/DependencyInjection/Tests/Loader/XmlFileLoaderTest.php 
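Review bot: The moved comment `// anonymous services are always private` is no longer accurate where it now sits: after this change only anonymous services nested inside arguments/properties (the `$node->service` branch of the first hunk) are forced private, while top-level ones keep the default and end up public, which is the point of the commit. Rewording it to `// nested anonymous services (inside arguments/properties) are always private; top-level ones stay public` keeps the next reader from "restoring" the old assignment in the resolution loop touched by the second hunk of this file. Both hunks are inside processAnonymousServices(), whose start and end lie outside the hunks. Since top-level anonymous services now become public, they are presumably fetchable from the container by their generated id; if that exposure is not intended, it deserves a sentence in the CHANGELOG entry.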
@@ -158,7 +158,7 @@ public function testLoadAnonymousServices() $service = $container->getDefinition($id); } $this->assertEquals('BizClass', $service->getClass(), '->load() uses the same configuration as for the anonymous ones'); - $this->assertFalse($service->isPublic()); + $this->assertTrue($service->isPublic()); // anonymous services are shared when using decoration definitions $container->compile(); From beecc6c1bed7c5967d80a995e2185da9f5cff7d8 Mon Sep 17 00:00:00 2001 From: Francis Besset Date: Fri, 6 May 2016 22:13:08 +0200 Subject: [PATCH 04/10] Fixed readme of OptionsResolver --- src/Symfony/Component/OptionsResolver/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/Symfony/Component/OptionsResolver/README.md b/src/Symfony/Component/OptionsResolver/README.md index 5768f68e7ff7d..245e69b548d6d 100644 --- a/src/Symfony/Component/OptionsResolver/README.md +++ b/src/Symfony/Component/OptionsResolver/README.md @@ -1,7 +1,7 @@ OptionsResolver Component ========================= -The OptionsResolver component is `array_replace on steroids. It allows you to +The OptionsResolver component is `array_replace` on steroids. It allows you to create an options system with required options, defaults, validation (type, value), normalization and more. From 954126b04f8650f31d50156af6723afa18e88bda Mon Sep 17 00:00:00 2001 From: Christian Flothmann Date: Mon, 9 May 2016 17:02:09 +0200 Subject: [PATCH 05/10] call get() after the container was compiled --- .../ProxyManager/Tests/LazyProxy/ContainerBuilderTest.php | 2 ++ .../Tests/DependencyInjection/WebProfilerExtensionTest.php | 4 ++-- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/src/Symfony/Bridge/ProxyManager/Tests/LazyProxy/ContainerBuilderTest.php b/src/Symfony/Bridge/ProxyManager/Tests/LazyProxy/ContainerBuilderTest.php index ae13d543b0e1e..3f3c577b846df 100644 --- a/src/Symfony/Bridge/ProxyManager/Tests/LazyProxy/ContainerBuilderTest.php 
+++ b/src/Symfony/Bridge/ProxyManager/Tests/LazyProxy/ContainerBuilderTest.php @@ -33,6 +33,8 @@ public function testCreateProxyServiceWithRuntimeInstantiator() $builder->register('foo1', 'ProxyManagerBridgeFooClass')->setFile(__DIR__.'/Fixtures/includes/foo.php'); $builder->getDefinition('foo1')->setLazy(true); + $builder->compile(); + /* @var $foo1 \ProxyManager\Proxy\LazyLoadingInterface|\ProxyManager\Proxy\ValueHolderInterface */ $foo1 = $builder->get('foo1'); diff --git a/src/Symfony/Bundle/WebProfilerBundle/Tests/DependencyInjection/WebProfilerExtensionTest.php b/src/Symfony/Bundle/WebProfilerBundle/Tests/DependencyInjection/WebProfilerExtensionTest.php index 765d721842b8c..7ddb4dbd3539e 100644 --- a/src/Symfony/Bundle/WebProfilerBundle/Tests/DependencyInjection/WebProfilerExtensionTest.php +++ b/src/Symfony/Bundle/WebProfilerBundle/Tests/DependencyInjection/WebProfilerExtensionTest.php @@ -99,9 +99,9 @@ public function testToolbarConfig($enabled) $extension = new WebProfilerExtension(); $extension->load(array(array('toolbar' => $enabled)), $this->container); - $this->assertSame($enabled, $this->container->get('web_profiler.debug_toolbar')->isEnabled()); - $this->assertSaneContainer($this->getDumpedContainer()); + + $this->assertSame($enabled, $this->container->get('web_profiler.debug_toolbar')->isEnabled()); } public function getDebugModes() From b1c60b4f0d9861586cb870a723f8fa94a01c84ec Mon Sep 17 00:00:00 2001 From: Erik van Wingerden Date: Mon, 9 May 2016 09:52:08 +0200 Subject: [PATCH 06/10] [2.3][Component/Security] Fixed phpdoc in AnonymousToken constructor for user param --- .../Security/Core/Authentication/Token/AnonymousToken.php | 2 +- .../Core/Authentication/Token/PreAuthenticatedToken.php | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
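Review bot: The reordered assertions in testToolbarConfig now depend on `assertSaneContainer($this->getDumpedContainer())` compiling `$this->container` as a side effect before `get('web_profiler.debug_toolbar')` runs, but nothing in the test says so, and a later tidy-up could swap the lines back. A one-line comment on the moved line would pin the dependency: `// getDumpedContainer() compiles the container; get() must only be called afterwards`. The explicit `$builder->compile();` added to ContainerBuilderTest in the same commit would read better with the same comment. getDumpedContainer() is not visible here, so the compile side effect is inferred from the commit title.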
diff --git a/src/Symfony/Component/Security/Core/Authentication/Token/AnonymousToken.php b/src/Symfony/Component/Security/Core/Authentication/Token/AnonymousToken.php index 571816ca9ecb2..5f3241f20d62f 100644 --- a/src/Symfony/Component/Security/Core/Authentication/Token/AnonymousToken.php +++ b/src/Symfony/Component/Security/Core/Authentication/Token/AnonymousToken.php @@ -26,7 +26,7 @@ class AnonymousToken extends AbstractToken * Constructor. * * @param string $key The key shared with the authentication provider - * @param string $user The user + * @param string|object $user The user can be a UserInterface instance, or an object implementing a __toString method or the username as a regular string. * @param RoleInterface[] $roles An array of roles */ public function __construct($key, $user, array $roles = array()) diff --git a/src/Symfony/Component/Security/Core/Authentication/Token/PreAuthenticatedToken.php b/src/Symfony/Component/Security/Core/Authentication/Token/PreAuthenticatedToken.php index 1798203690455..5a3fc95327c08 100644 --- a/src/Symfony/Component/Security/Core/Authentication/Token/PreAuthenticatedToken.php +++ b/src/Symfony/Component/Security/Core/Authentication/Token/PreAuthenticatedToken.php @@ -26,7 +26,7 @@ class PreAuthenticatedToken extends AbstractToken /** * Constructor. * - * @param string|object $user The user + * @param string|object $user The user can be a UserInterface instance, or an object implementing a __toString method or the username as a regular string. * @param mixed $credentials The user credentials * @param string $providerKey The provider key * @param RoleInterface[]|string[] $roles An array of roles From f8dc28ae536a0e69434f31841e20366fbff16b63 Mon Sep 17 00:00:00 2001 
From: Fabien Potencier Date: Sun, 1 May 2016 06:13:23 +0200 Subject: [PATCH 07/10] limited the maximum length of a submitted username --- .../Core/SecurityContextInterface.php | 1 + ...namePasswordFormAuthenticationListener.php | 5 ++ ...PasswordFormAuthenticationListenerTest.php | 78 +++++++++++++++++++ 3 files changed, 84 insertions(+) create mode 100644 src/Symfony/Component/Security/Tests/Http/Firewall/UsernamePasswordFormAuthenticationListenerTest.php diff --git a/src/Symfony/Component/Security/Core/SecurityContextInterface.php b/src/Symfony/Component/Security/Core/SecurityContextInterface.php index 50c30bb51237f..0253a6ae23d3f 100644 --- a/src/Symfony/Component/Security/Core/SecurityContextInterface.php +++ b/src/Symfony/Component/Security/Core/SecurityContextInterface.php @@ -23,6 +23,7 @@ interface SecurityContextInterface const ACCESS_DENIED_ERROR = '_security.403_error'; const AUTHENTICATION_ERROR = '_security.last_error'; const LAST_USERNAME = '_security.last_username'; + const MAX_USERNAME_LENGTH = 4096; /** * Returns the current security token. diff --git a/src/Symfony/Component/Security/Http/Firewall/UsernamePasswordFormAuthenticationListener.php b/src/Symfony/Component/Security/Http/Firewall/UsernamePasswordFormAuthenticationListener.php index 21478175351d0..26aeb67780cd3 100644 --- a/src/Symfony/Component/Security/Http/Firewall/UsernamePasswordFormAuthenticationListener.php +++ b/src/Symfony/Component/Security/Http/Firewall/UsernamePasswordFormAuthenticationListener.php 
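Review bot: `MAX_USERNAME_LENGTH` is added without a docblock, so neither its unit nor the reason for the bound is stated in the interface; the only hint is that the listener compares it with `strlen()`, i.e. in bytes, and throws BadCredentialsException when exceeded. Suggest adding above the constant `/** Maximum accepted length, in bytes, of a submitted username; longer values are rejected as bad credentials before authentication is attempted. */`. Stating the unit explicitly also discourages a later "fix" to a character-based comparison.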
@@ -20,6 +20,7 @@ use Symfony\Component\Security\Http\HttpUtils; use Symfony\Component\Security\Core\Authentication\AuthenticationManagerInterface; use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken; +use Symfony\Component\Security\Core\Exception\BadCredentialsException; use Symfony\Component\Security\Core\Exception\InvalidCsrfTokenException; use Symfony\Component\Security\Core\SecurityContextInterface; use Symfony\Component\EventDispatcher\EventDispatcherInterface; @@ -83,6 +84,10 @@ protected function attemptAuthentication(Request $request) $password = $request->get($this->options['password_parameter'], null, true); } + if (strlen($username) > SecurityContextInterface::MAX_USERNAME_LENGTH) { + throw new BadCredentialsException('Invalid username.'); + } + $request->getSession()->set(SecurityContextInterface::LAST_USERNAME, $username); return $this->authenticationManager->authenticate(new UsernamePasswordToken($username, $password, $this->providerKey)); diff --git a/src/Symfony/Component/Security/Tests/Http/Firewall/UsernamePasswordFormAuthenticationListenerTest.php b/src/Symfony/Component/Security/Tests/Http/Firewall/UsernamePasswordFormAuthenticationListenerTest.php new file mode 100644 index 0000000000000..b7c6ab9db5752 --- /dev/null +++ b/src/Symfony/Component/Security/Tests/Http/Firewall/UsernamePasswordFormAuthenticationListenerTest.php 
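Review bot: The new length guard assumes `$username` is a string, but `$request->get()` (used for `$password` two lines above and presumably for `$username` in the branch above the hunk) returns whatever the client submitted, so a `_username[]=x` form field yields an array; on the PHP versions 2.3 supports `strlen()` of an array only emits a warning and returns null, the guard is skipped, and the array is stored under LAST_USERNAME and passed to `UsernamePasswordToken`. Tightening it to `if (!is_string($username) || strlen($username) > SecurityContextInterface::MAX_USERNAME_LENGTH) {` closes that path with the same BadCredentialsException. A comment such as `// byte length on purpose: bounds what reaches the session and the authentication providers` would pre-empt a switch to mb_strlen. attemptAuthentication() begins above this hunk, so the branch that assigns `$username` is not visible here.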
@@ -0,0 +1,78 @@ + + * + * For the full copyright and license information, please view the LICENSE + * file that was distributed with this source code. + */ + +namespace Symfony\Component\Security\Tests\Http\Firewall; + +use Symfony\Component\HttpFoundation\Request; +use Symfony\Component\HttpFoundation\Response; +use Symfony\Component\Security\Http\Firewall\UsernamePasswordFormAuthenticationListener; +use Symfony\Component\Security\Core\SecurityContextInterface; + +class UsernamePasswordFormAuthenticationListenerTest extends \PHPUnit_Framework_TestCase +{ + /** + * @dataProvider getUsernameForLength + */ + public function testHandleWhenUsernameLength($username, $ok) + { + $request = Request::create('/login_check', 'POST', array('_username' => $username)); + $request->setSession($this->getMock('Symfony\Component\HttpFoundation\Session\SessionInterface')); + + $httpUtils = $this->getMock('Symfony\Component\Security\Http\HttpUtils'); + $httpUtils + ->expects($this->any()) + ->method('checkRequestPath') + ->will($this->returnValue(true)) + ; + + $failureHandler = $this->getMock('Symfony\Component\Security\Http\Authentication\AuthenticationFailureHandlerInterface'); + $failureHandler + ->expects($ok ? $this->never() : $this->once()) + ->method('onAuthenticationFailure') + ->will($this->returnValue(new Response())) + ; + + $authenticationManager = $this->getMockBuilder('Symfony\Component\Security\Core\Authentication\AuthenticationProviderManager')->disableOriginalConstructor()->getMock(); + $authenticationManager + ->expects($ok ? 
$this->once() : $this->never()) + ->method('authenticate') + ->will($this->returnValue(new Response())) + ; + + $listener = new UsernamePasswordFormAuthenticationListener( + $this->getMock('Symfony\Component\Security\Core\SecurityContextInterface'), + $authenticationManager, + $this->getMock('Symfony\Component\Security\Http\Session\SessionAuthenticationStrategyInterface'), + $httpUtils, + 'TheProviderKey', + $this->getMock('Symfony\Component\Security\Http\Authentication\AuthenticationSuccessHandlerInterface'), + $failureHandler, + array('require_previous_session' => false) + ); + + $event = $this->getMock('Symfony\Component\HttpKernel\Event\GetResponseEvent', array(), array(), '', false); + $event + ->expects($this->any()) + ->method('getRequest') + ->will($this->returnValue($request)) + ; + + $listener->handle($event); + } + + public function getUsernameForLength() + { + return array( + array(str_repeat('x', SecurityContextInterface::MAX_USERNAME_LENGTH + 1), false), + array(str_repeat('x', SecurityContextInterface::MAX_USERNAME_LENGTH - 1), true), + ); + } +} From a5c27e37cdd7a763311df6a24b0d77b4545a4b6d Mon Sep 17 00:00:00 2001 From: Fabien Potencier Date: Mon, 9 May 2016 14:45:08 -0500 Subject: [PATCH 08/10] updated CHANGELOG for 2.3.41 --- CHANGELOG-2.3.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/CHANGELOG-2.3.md b/CHANGELOG-2.3.md index d0ca6221aca02..1d8ff9479ecca 100644 --- a/CHANGELOG-2.3.md +++ b/CHANGELOG-2.3.md 
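Review bot: getUsernameForLength exercises MAX+1 and MAX-1 but not the boundary itself, although the listener uses a strict `>` and a username of exactly `MAX_USERNAME_LENGTH` bytes must be accepted; add `array(str_repeat('x', SecurityContextInterface::MAX_USERNAME_LENGTH), true),` to the provider so an off-by-one in the comparison is caught. The provider also has no case for a non-string `_username` (array input), which the guard in the listener does not handle either. The opening lines of this new file (the `<?php` tag and license header) appear garbled in this rendering, so the file header is not reviewable here.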
@@ -7,6 +7,11 @@ in 2.3 minor versions. To get the diff for a specific change, go to https://github.com/symfony/symfony/commit/XXX where XXX is the change hash To get the diff between two versions, go to https://github.com/symfony/symfony/compare/v2.3.0...v2.3.1 +* 2.3.41 (2016-05-09) + + * security #18733 limited the maximum length of a submitted username (fabpot) + * bug #18709 [DependencyInjection] top-level anonymous services must be public (xabbuh) + * 2.3.40 (2016-04-29) * bug #18246 [DependencyInjection] fix ambiguous services schema (backbone87) From f80f5882183c61fd56a5269bbf7c07b6bd8b658b Mon Sep 17 00:00:00 2001 From: Fabien Potencier Date: Mon, 9 May 2016 14:45:18 -0500 Subject: [PATCH 09/10] update CONTRIBUTORS for 2.3.41 --- CONTRIBUTORS.md | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/CONTRIBUTORS.md b/CONTRIBUTORS.md index 456aeba37aa74..d8e08d87119b7 100644 --- a/CONTRIBUTORS.md +++ b/CONTRIBUTORS.md @@ -40,9 +40,9 @@ Symfony is the result of the work of many people who made the code better - Alexandre Salomé (alexandresalome) - William Durand (couac) - ornicar + - Jules Pietri (heah) - stealth35 ‏ (stealth35) - Alexander Mols (asm89) - - Jules Pietri (heah) - Francis Besset (francisbesset) - Bulat Shakirzyanov (avalanche123) - Saša Stamenković (umpirsky) @@ -129,6 +129,7 @@ Symfony is the result of the work of many people who made the code better - Arnaud Kleinpeter (nanocom) - Joel Wurtz (brouznouf) - Philipp Wahala (hifi) + - Titouan Galopin (tgalopin) - Richard Shank (iampersistent) - Thomas Rabaix (rande) - Vincent AUBERT (vincent) @@ -141,7 +142,6 @@ Symfony is the result of the work of many people who made the code better - Michał Pipa (michal.pipa) - Amal Raghav (kertz) - Jonathan Ingram (jonathaningram) - - Titouan Galopin (tgalopin) - Artur Kotyrba - Rouven Weßling (realityking) - Warnar Boekkooi (boekkooi) 
@@ -240,6 +240,7 @@ Symfony is the result of the work of many people who made the code better - Michael Holm (hollo) - Marc Weistroff (futurecat) - Hidde Wieringa (hiddewie) + - Daniel Espendiller - Chris Smith (cs278) - Florian Klein (docteurklein) - Manuel Kiessling (manuelkiessling) @@ -436,6 +437,7 @@ Symfony is the result of the work of many people who made the code better - Benjamin Leveque (benji07) - Nate (frickenate) - jhonnyL + - Jhonny Lidfors (jhonne) - sasezaki - Dawid Pakuła (zulusx) - Florian Rey (nervo) @@ -611,7 +613,6 @@ Symfony is the result of the work of many people who made the code better - Adrien Lucas (adrienlucas) - James Michael DuPont - Tom Klingenberg - - Jhonny Lidfors (jhonne) - Christopher Hall (mythmakr) - Paul Kamer (pkamer) - Rafał Wrzeszcz (rafalwrzeszcz) @@ -904,7 +905,6 @@ Symfony is the result of the work of many people who made the code better - Albin Kerouaton - Sébastien HOUZÉ - Jingyu Wang - - Daniel Espendiller - steveYeah - Samy Dindane (dinduks) - Keri Henare (kerihenare) @@ -945,6 +945,7 @@ Symfony is the result of the work of many people who made the code better - Tadcka - Beth Binkovitz - Romain Geissler + - Oliver Hoff - Tomaz Ahlin - Benjamin Cremer (bcremer) - Marcus Stöhr (dafish) @@ -1302,6 +1303,7 @@ Symfony is the result of the work of many people who made the code better - znerol - Christian Eikermann - Antonio Angelino + - Shawn Iwinski - Vladimir Sazhin - lol768 - jamogon From efd48596a98261fdb7f27d693b80ab80445580b9 Mon Sep 17 00:00:00 2001 From: Fabien Potencier Date: Mon, 9 May 2016 14:45:27 -0500 Subject: [PATCH 10/10] updated VERSION for 2.3.41 --- src/Symfony/Component/HttpKernel/Kernel.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/Symfony/Component/HttpKernel/Kernel.php b/src/Symfony/Component/HttpKernel/Kernel.php index 71cc0a60de511..8c1854a18e41f 100644 --- a/src/Symfony/Component/HttpKernel/Kernel.php +++ b/src/Symfony/Component/HttpKernel/Kernel.php 
@@ -58,12 +58,12 @@ abstract class Kernel implements KernelInterface, TerminableInterface protected $startTime; protected $loadClassCache; - const VERSION = '2.3.41-DEV'; + const VERSION = '2.3.41'; const VERSION_ID = 20341; const MAJOR_VERSION = 2; const MINOR_VERSION = 3; const RELEASE_VERSION = 41; - const EXTRA_VERSION = 'DEV'; + const EXTRA_VERSION = ''; /** * Constructor.