[Security] Tweak UsernamePasswordFormAuthenticationListener #5824
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
- Do not check twice for the only_post condition - If the expected request is only_post, check only the post variables for the username and password parameters
| } | ||
|
|
||
| return null; | ||
| } |
There was a problem hiding this comment.
Correct me if I am wrong but as said in the description of the PR, the attemptAuthentication method is called only if the requiresAuthentication does not return false. If this premise is correct, the post_only option is true and the request method is not POST, requiresAuthentication will return false and attemptAuthentication will not be called. Therefore, the condition you are asking is useless as it will be false all the time.
There was a problem hiding this comment.
For the record, this was introduced in #4524
fabpot
added a commit
that referenced
this pull request
Oct 28, 2012
This PR was merged into the master branch. Commits ------- 3e58893 [Security] Tweak UsernamePasswordFormAuthenticationListener Discussion ---------- [Security] Tweak UsernamePasswordFormAuthenticationListener Bug fix: no Feature addition: no Backwards compatibility break: no Symfony2 tests pass: [](http://travis-ci.org/acasademont/symfony) Fixes the following tickets: - Todo: - License of the code: MIT Documentation PR: - Improvements: - Do not check twice for the ```only_post``` condition. The condition in the ```attemptAuthentication``` method is useless as this method will never be called if the previous ```requiresAuthentication``` call returns false. - If the expected request is ```only_post```, check only the POST variables for the username and password parameters. Otherwise, query params and attributes are checked before. - Use POST instead of post for correctness
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Bug fix: no
Feature addition: no
Backwards compatibility break: no
Symfony2 tests pass:
Fixes the following tickets: -
Todo: -
License of the code: MIT
Documentation PR: -
Improvements:
only_postcondition. The condition in theattemptAuthenticationmethod is useless as this method will never be called if the previousrequiresAuthenticationcall returns false.only_post, check only the POST variables for the username and password parameters. Otherwise, query params and attributes are checked before.