[Cookbook][Security] don't output message from AuthenticationException #4761

xabbuh · 2015-01-04T15:35:37Z

Q	A
Doc fix?	yes
New docs?	no
Applies to	all
Fixed tickets

Displaying the message of an AuthenticationException might expose
sensitive data to the user.

xabbuh · 2015-01-04T15:36:29Z

@stof I assumed you meant the getMessageData() method here. getMessageParameters() does not exist.

xabbuh · 2015-01-11T11:04:41Z

ping @weaverryan @wouterj I think this is something we should merge as soon as possible to avoid giving insecure advices.

weaverryan · 2015-01-12T11:32:28Z

Thanks @xabbuh. I'm actually not familiar with this - I knew this approach could leak info, but had the approach you suggested always worked, or is it new? Where did the idea come from? Forgive my lack of knowledge here :)

xabbuh · 2015-01-12T11:49:37Z

@stof made the suggestion in #4723 (comment). These methods are present in Symfony 2.3 too: http://api.symfony.com/2.3/Symfony/Component/Security/Core/Exception/AuthenticationException.html

stof · 2015-01-12T14:58:08Z

@weaverryan this is a feature added in Symfony 2.2

stof · 2015-01-12T14:59:00Z

@xabbuh indeed, I made a mistake when giving the method name (I haven't checked the code or the api doc when commenting)

xabbuh · 2015-01-12T15:00:10Z

@stof No problem, was not hard to guess the right method name. ;)

wouterj · 2015-01-16T15:50:32Z

cookbook/security/form_login_setup.rst

    // ADD THIS use STATEMENT above your class
    use Symfony\Component\Security\Core\SecurityContextInterface;

    public function loginAction(Request $request)
    {
        $session = $request->getSession();
+        $error = null;


I think having this in the else is more clear

Good suggestion, this might not be the way it would usually be done in the Symfony core, but it's actually more readable. Changed it.

Displaying the message of an `AuthenticationException` might expose sensitive data to the user.

weaverryan · 2015-01-16T21:10:38Z

Thanks guys! I can't believe I had missed this. I used it recently in Silex in a KnpU tutorial, without even realizing how it fits into Symfony. I'm very happy to have this improved!

…cationException (xabbuh) This PR was merged into the 2.3 branch. Discussion ---------- [Cookbook][Security] don't output message from AuthenticationException | Q | A | ------------- | --- | Doc fix? | yes | New docs? | no | Applies to | all | Fixed tickets | Displaying the message of an `AuthenticationException` might expose sensitive data to the user. Commits ------- 44277c7 don't output message from AuthenticationException

xabbuh mentioned this pull request Jan 4, 2015

[Cookbook][Security] document the new AuthenticationUtils #4723

Merged

xabbuh added the Status: Reviewed label Jan 4, 2015

wouterj reviewed Jan 16, 2015
View reviewed changes

don't output message from AuthenticationException

44277c7

Displaying the message of an `AuthenticationException` might expose sensitive data to the user.

xabbuh force-pushed the replace-get-message branch from b4d986b to 44277c7 Compare January 16, 2015 16:14

weaverryan merged commit 44277c7 into symfony:2.3 Jan 16, 2015

xabbuh deleted the replace-get-message branch January 16, 2015 21:38

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

[Cookbook][Security] don't output message from AuthenticationException #4761

[Cookbook][Security] don't output message from AuthenticationException #4761

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

[Cookbook][Security] don't output message from AuthenticationException #4761

[Cookbook][Security] don't output message from AuthenticationException #4761

Uh oh!

Conversation

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!