diff options
| author | Fabien Potencier <fabien.potencier@gmail.com> | 2016-05-09 14:21:30 -0500 |
|---|---|---|
| committer | Fabien Potencier <fabien.potencier@gmail.com> | 2016-05-09 14:23:35 -0500 |
| commit | 1eebd2bd10b38c068aa05aa123201c53def1bc6d (patch) | |
| tree | b7513ac6a44bb84ea794508fd014c0a3bd64e202 /Http | |
| parent | 083c455db53347f2e8e4894b5f4bf7f06226d086 (diff) | |
| parent | 83b345fdf01cb980fb8bd5e15224573d93b8e369 (diff) | |
| download | symfony-security-1eebd2bd10b38c068aa05aa123201c53def1bc6d.zip symfony-security-1eebd2bd10b38c068aa05aa123201c53def1bc6d.tar.gz symfony-security-1eebd2bd10b38c068aa05aa123201c53def1bc6d.tar.bz2 | |
Merge branch '2.3' into 2.7v2.7.13
* 2.3:
limited the maximum length of a submitted username
Diffstat (limited to 'Http')
| -rw-r--r-- | Http/Firewall/SimpleFormAuthenticationListener.php | 5 | ||||
| -rw-r--r-- | Http/Firewall/UsernamePasswordFormAuthenticationListener.php | 5 |
2 files changed, 10 insertions, 0 deletions
diff --git a/Http/Firewall/SimpleFormAuthenticationListener.php b/Http/Firewall/SimpleFormAuthenticationListener.php index 4733b6a..8123e0e 100644 --- a/Http/Firewall/SimpleFormAuthenticationListener.php +++ b/Http/Firewall/SimpleFormAuthenticationListener.php @@ -24,6 +24,7 @@ use Symfony\Component\Security\Http\Authentication\AuthenticationSuccessHandlerI use Symfony\Component\Security\Core\Authentication\AuthenticationManagerInterface; use Symfony\Component\Security\Core\Authentication\SimpleFormAuthenticatorInterface; use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface; +use Symfony\Component\Security\Core\Exception\BadCredentialsException; use Symfony\Component\Security\Core\Security; use Symfony\Component\Security\Http\HttpUtils; use Symfony\Component\Security\Http\Session\SessionAuthenticationStrategyInterface; @@ -116,6 +117,10 @@ class SimpleFormAuthenticationListener extends AbstractAuthenticationListener $password = $request->get($this->options['password_parameter'], null, true); } + if (strlen($username) > Security::MAX_USERNAME_LENGTH) { + throw new BadCredentialsException('Invalid username.'); + } + $request->getSession()->set(Security::LAST_USERNAME, $username); $token = $this->simpleAuthenticator->createToken($request, $username, $password, $this->providerKey); diff --git a/Http/Firewall/UsernamePasswordFormAuthenticationListener.php b/Http/Firewall/UsernamePasswordFormAuthenticationListener.php index 07ab85a..ba4329b 100644 --- a/Http/Firewall/UsernamePasswordFormAuthenticationListener.php +++ b/Http/Firewall/UsernamePasswordFormAuthenticationListener.php @@ -24,6 +24,7 @@ use Symfony\Component\Security\Http\HttpUtils; use Symfony\Component\Security\Core\Authentication\AuthenticationManagerInterface; use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface; use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken; +use Symfony\Component\Security\Core\Exception\BadCredentialsException; use Symfony\Component\Security\Core\Exception\InvalidArgumentException; use Symfony\Component\Security\Core\Exception\InvalidCsrfTokenException; use Symfony\Component\Security\Core\Security; @@ -91,6 +92,10 @@ class UsernamePasswordFormAuthenticationListener extends AbstractAuthenticationL $password = $request->get($this->options['password_parameter'], null, true); } + if (strlen($username) > Security::MAX_USERNAME_LENGTH) { + throw new BadCredentialsException('Invalid username.'); + } + $request->getSession()->set(Security::LAST_USERNAME, $username); return $this->authenticationManager->authenticate(new UsernamePasswordToken($username, $password, $this->providerKey)); |