Merge branch '2.8' into 3.0

* 2.8: limited the maximum length of a submitted username
author: Fabien Potencier <fabien.potencier@gmail.com> 2016-05-09 14:31:02 -0500
committer: Fabien Potencier <fabien.potencier@gmail.com> 2016-05-09 14:31:02 -0500
commit: 3eb62fffbb324147f6dd68da4c3427fabfbdbe80 (patch)
tree: afd60f80724e089b8cd648f0c17927d38161e57c
parent: 34e648cf6cc3c9deb2aa0adf57cb17bddf7da57c (diff)
parent: 231aafdaf4c9abbc812139bd6f909008fec91cd7 (diff)
download: symfony-security-3eb62fffbb324147f6dd68da4c3427fabfbdbe80.zip
symfony-security-3eb62fffbb324147f6dd68da4c3427fabfbdbe80.tar.gz
symfony-security-3eb62fffbb324147f6dd68da4c3427fabfbdbe80.tar.bz2
4 files changed, 89 insertions, 0 deletions
diff --git a/Core/Security.php b/Core/Security.php
index 14d32f8..84cc77d 100644
--- a/Core/Security.php
+++ b/Core/Security.php
@@ -21,4 +21,5 @@ final class Security
     const ACCESS_DENIED_ERROR = '_security.403_error';
     const AUTHENTICATION_ERROR = '_security.last_error';
     const LAST_USERNAME = '_security.last_username';
+    const MAX_USERNAME_LENGTH = 4096;
 }
diff --git a/Http/Firewall/SimpleFormAuthenticationListener.php b/Http/Firewall/SimpleFormAuthenticationListener.php
index 76c66bc..7c940c3 100644
--- a/Http/Firewall/SimpleFormAuthenticationListener.php
+++ b/Http/Firewall/SimpleFormAuthenticationListener.php
@@ -21,6 +21,7 @@ use Symfony\Component\Security\Http\Authentication\AuthenticationSuccessHandlerI
 use Symfony\Component\Security\Core\Authentication\AuthenticationManagerInterface;
 use Symfony\Component\Security\Http\Authentication\SimpleFormAuthenticatorInterface;
 use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;
+use Symfony\Component\Security\Core\Exception\BadCredentialsException;
 use Symfony\Component\Security\Core\Security;
 use Symfony\Component\Security\Http\HttpUtils;
 use Symfony\Component\Security\Http\ParameterBagUtils;
@@ -107,6 +108,10 @@ class SimpleFormAuthenticationListener extends AbstractAuthenticationListener
             $password = ParameterBagUtils::getRequestParameterValue($request, $this->options['password_parameter']);
         }
 
+        if (strlen($username) > Security::MAX_USERNAME_LENGTH) {
+            throw new BadCredentialsException('Invalid username.');
+        }
+
         $request->getSession()->set(Security::LAST_USERNAME, $username);
 
         $token = $this->simpleAuthenticator->createToken($request, $username, $password, $this->providerKey);
diff --git a/Http/Firewall/UsernamePasswordFormAuthenticationListener.php b/Http/Firewall/UsernamePasswordFormAuthenticationListener.php
index c8195ce..426457d 100644
--- a/Http/Firewall/UsernamePasswordFormAuthenticationListener.php
+++ b/Http/Firewall/UsernamePasswordFormAuthenticationListener.php
@@ -23,6 +23,7 @@ use Symfony\Component\Security\Http\HttpUtils;
 use Symfony\Component\Security\Core\Authentication\AuthenticationManagerInterface;
 use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;
 use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken;
+use Symfony\Component\Security\Core\Exception\BadCredentialsException;
 use Symfony\Component\Security\Core\Exception\InvalidCsrfTokenException;
 use Symfony\Component\Security\Core\Security;
 use Symfony\Component\EventDispatcher\EventDispatcherInterface;
@@ -83,6 +84,10 @@ class UsernamePasswordFormAuthenticationListener extends AbstractAuthenticationL
             $password = ParameterBagUtils::getRequestParameterValue($request, $this->options['password_parameter']);
         }
 
+        if (strlen($username) > Security::MAX_USERNAME_LENGTH) {
+            throw new BadCredentialsException('Invalid username.');
+        }
+
         $request->getSession()->set(Security::LAST_USERNAME, $username);
 
         return $this->authenticationManager->authenticate(new UsernamePasswordToken($username, $password, $this->providerKey));
diff --git a/Tests/Http/Firewall/UsernamePasswordFormAuthenticationListenerTest.php b/Tests/Http/Firewall/UsernamePasswordFormAuthenticationListenerTest.php
new file mode 100644
index 0000000..eca14d3
--- /dev/null
+++ b/Tests/Http/Firewall/UsernamePasswordFormAuthenticationListenerTest.php
@@ -0,0 +1,78 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Security\Tests\Http\Firewall;
+
+use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\HttpFoundation\Response;
+use Symfony\Component\Security\Http\Firewall\UsernamePasswordFormAuthenticationListener;
+use Symfony\Component\Security\Core\Security;
+
+class UsernamePasswordFormAuthenticationListenerTest extends \PHPUnit_Framework_TestCase
+{
+    /**
+     * @dataProvider getUsernameForLength
+     */
+    public function testHandleWhenUsernameLength($username, $ok)
+    {
+        $request = Request::create('/login_check', 'POST', array('_username' => $username));
+        $request->setSession($this->getMock('Symfony\Component\HttpFoundation\Session\SessionInterface'));
+
+        $httpUtils = $this->getMock('Symfony\Component\Security\Http\HttpUtils');
+        $httpUtils
+            ->expects($this->any())
+            ->method('checkRequestPath')
+            ->will($this->returnValue(true))
+        ;
+
+        $failureHandler = $this->getMock('Symfony\Component\Security\Http\Authentication\AuthenticationFailureHandlerInterface');
+        $failureHandler
+            ->expects($ok ? $this->never() : $this->once())
+            ->method('onAuthenticationFailure')
+            ->will($this->returnValue(new Response()))
+        ;
+
+        $authenticationManager = $this->getMockBuilder('Symfony\Component\Security\Core\Authentication\AuthenticationProviderManager')->disableOriginalConstructor()->getMock();
+        $authenticationManager
+            ->expects($ok ? $this->once() : $this->never())
+            ->method('authenticate')
+            ->will($this->returnValue(new Response()))
+        ;
+
+        $listener = new UsernamePasswordFormAuthenticationListener(
+            $this->getMock('Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface'),
+            $authenticationManager,
+            $this->getMock('Symfony\Component\Security\Http\Session\SessionAuthenticationStrategyInterface'),
+            $httpUtils,
+            'TheProviderKey',
+            $this->getMock('Symfony\Component\Security\Http\Authentication\AuthenticationSuccessHandlerInterface'),
+            $failureHandler,
+            array('require_previous_session' => false)
+        );
+
+        $event = $this->getMock('Symfony\Component\HttpKernel\Event\GetResponseEvent', array(), array(), '', false);
+        $event
+            ->expects($this->any())
+            ->method('getRequest')
+            ->will($this->returnValue($request))
+        ;
+
+        $listener->handle($event);
+    }
+
+    public function getUsernameForLength()
+    {
+        return array(
+            array(str_repeat('x', Security::MAX_USERNAME_LENGTH + 1), false),
+            array(str_repeat('x', Security::MAX_USERNAME_LENGTH - 1), true),
+        );
+    }
+}
author	Fabien Potencier <fabien.potencier@gmail.com>	2016-05-09 14:31:02 -0500
committer	Fabien Potencier <fabien.potencier@gmail.com>	2016-05-09 14:31:02 -0500
commit	3eb62fffbb324147f6dd68da4c3427fabfbdbe80 (patch)
tree	afd60f80724e089b8cd648f0c17927d38161e57c
parent	34e648cf6cc3c9deb2aa0adf57cb17bddf7da57c (diff)
parent	231aafdaf4c9abbc812139bd6f909008fec91cd7 (diff)
download	symfony-security-3eb62fffbb324147f6dd68da4c3427fabfbdbe80.zip symfony-security-3eb62fffbb324147f6dd68da4c3427fabfbdbe80.tar.gz symfony-security-3eb62fffbb324147f6dd68da4c3427fabfbdbe80.tar.bz2