Empty line starting with dash under "access_control" causes all rules to be skipped · Issue #40235 · symfony/symfony · GitHub
Empty line starting with dash under "access_control" causes all rules to be skipped #40235
Closed
@rvdbogerd

Symfony version(s) affected: 4.4.16

Description
In my security.yaml, I had added a comment under the access_control entries. My editor automatically prepended the line with a dash, which I didn't notice. Suddenly my acceptance tests started failing and my application started to behave weirdly.

After hours of debugging and figuring out why the AccessListener wasn't throwing an AccessDenied exception anymore when logged out, I finally found the problematic line in the security.yml.

I think this is a big issue, because this tiny typo opened up my entire application to the public. I think there should be some kind of validation on the access_control lines, it should at least have an object with a path on the line, or something like that. See below for an easy reproduction:

How to reproduce

access_control:
    # This makes the logout route available during two-factor authentication, allows the user to cancel
    - { path: ^/logout, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/login, role: IS_AUTHENTICATED_ANONYMOUSLY }

    - { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/reset-password, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - # some comment about what is happening here
    - { path: ^/2fa, role: IS_AUTHENTICATED_2FA_IN_PROGRESS }
    - { path: ^/login_check, role: IS_AUTHENTICATED_FULLY }
    - { path: ^/admin, roles: ROLE_ADMIN_MENU }
    - { path: ^/support, roles: ROLE_NO_ACCESS }
    - { path: ^/bewind, role: ROLE_SOMEROLE }
    - { path: ^/(meldingen|profile), roles: ROLE_USER}
    - { path: ^/(?!login|logout|login_check|api), roles: ROLE_SOMEOTHERROLE }

If you now log out, the security listeners will not throw an access denied exception and will not redirect you to /login; therefore all security lines AFTER the comment will not be adhered to and are fully accessible by an anonymous user.

Possible Solution
Validation on the access_control lines, it should at least contain an object with the "path" key (I guess?)
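A pre-deploy lint for the failure mode described in this issue, added here as an example (not Symfony's own code, and not the validation the issue asks for). It assumes PyYAML is installed and uses a constructed copy of the reporter's access_control list; it shows that a `- # comment` line parses to a null list entry and flags any entry that is not a mapping with a `path`.

```python
"""Lint the access_control list in a security.yaml for stray list entries.

Assumption: PyYAML is installed (pip install pyyaml). SECURITY_YAML below is a
constructed sample reproducing the issue's config, so the script runs offline.
"""
import yaml

# Constructed sample: a shortened copy of the reporter's access_control,
# including the editor-inserted "- # some comment" line.
SECURITY_YAML = """\
security:
    access_control:
        - { path: ^/logout, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/login, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - # some comment about what is happening here
        - { path: ^/2fa, role: IS_AUTHENTICATED_2FA_IN_PROGRESS }
        - { path: ^/admin, roles: ROLE_ADMIN_MENU }
"""


def access_control_entries(yaml_text):
    """Return the raw list YAML yields for access_control.

    A dash followed only by a comment is an empty sequence item, which the
    YAML parser turns into null (None), not into a rule.
    """
    doc = yaml.safe_load(yaml_text)
    return doc["security"]["access_control"]


def lint_access_control(yaml_text):
    """Return (index, message) for every entry that is not a mapping with a 'path'.

    The reporter observed that every rule listed after such an entry is no
    longer enforced, so the lint treats it as a hard error.
    """
    problems = []
    for i, entry in enumerate(access_control_entries(yaml_text)):
        if not isinstance(entry, dict):
            problems.append((i, f"entry is {entry!r}, not a mapping (stray '-' line?)"))
        elif not entry.get("path"):
            problems.append((i, "entry has no 'path' key"))
    return problems


if __name__ == "__main__":
    for idx, msg in lint_access_control(SECURITY_YAML):
        print(f"access_control[{idx}]: {msg}")
```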
