diff options
| author | Fabien Potencier <fabien.potencier@gmail.com> | 2016-05-09 14:31:02 -0500 |
|---|---|---|
| committer | Fabien Potencier <fabien.potencier@gmail.com> | 2016-05-09 14:31:02 -0500 |
| commit | 3eb62fffbb324147f6dd68da4c3427fabfbdbe80 (patch) | |
| tree | afd60f80724e089b8cd648f0c17927d38161e57c /Http | |
| parent | 34e648cf6cc3c9deb2aa0adf57cb17bddf7da57c (diff) | |
| parent | 231aafdaf4c9abbc812139bd6f909008fec91cd7 (diff) | |
| download | symfony-security-3eb62fffbb324147f6dd68da4c3427fabfbdbe80.zip symfony-security-3eb62fffbb324147f6dd68da4c3427fabfbdbe80.tar.gz symfony-security-3eb62fffbb324147f6dd68da4c3427fabfbdbe80.tar.bz2 | |
Merge branch '2.8' into 3.0
* 2.8:
limited the maximum length of a submitted username
Diffstat (limited to 'Http')
| -rw-r--r-- | Http/Firewall/SimpleFormAuthenticationListener.php | 5 | ||||
| -rw-r--r-- | Http/Firewall/UsernamePasswordFormAuthenticationListener.php | 5 |
2 files changed, 10 insertions, 0 deletions
diff --git a/Http/Firewall/SimpleFormAuthenticationListener.php b/Http/Firewall/SimpleFormAuthenticationListener.php index 76c66bc..7c940c3 100644 --- a/Http/Firewall/SimpleFormAuthenticationListener.php +++ b/Http/Firewall/SimpleFormAuthenticationListener.php @@ -21,6 +21,7 @@ use Symfony\Component\Security\Http\Authentication\AuthenticationSuccessHandlerI use Symfony\Component\Security\Core\Authentication\AuthenticationManagerInterface; use Symfony\Component\Security\Http\Authentication\SimpleFormAuthenticatorInterface; use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface; +use Symfony\Component\Security\Core\Exception\BadCredentialsException; use Symfony\Component\Security\Core\Security; use Symfony\Component\Security\Http\HttpUtils; use Symfony\Component\Security\Http\ParameterBagUtils; @@ -107,6 +108,10 @@ class SimpleFormAuthenticationListener extends AbstractAuthenticationListener $password = ParameterBagUtils::getRequestParameterValue($request, $this->options['password_parameter']); } + if (strlen($username) > Security::MAX_USERNAME_LENGTH) { + throw new BadCredentialsException('Invalid username.'); + } + $request->getSession()->set(Security::LAST_USERNAME, $username); $token = $this->simpleAuthenticator->createToken($request, $username, $password, $this->providerKey); diff --git a/Http/Firewall/UsernamePasswordFormAuthenticationListener.php b/Http/Firewall/UsernamePasswordFormAuthenticationListener.php index c8195ce..426457d 100644 --- a/Http/Firewall/UsernamePasswordFormAuthenticationListener.php +++ b/Http/Firewall/UsernamePasswordFormAuthenticationListener.php @@ -23,6 +23,7 @@ use Symfony\Component\Security\Http\HttpUtils; use Symfony\Component\Security\Core\Authentication\AuthenticationManagerInterface; use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface; use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken; +use Symfony\Component\Security\Core\Exception\BadCredentialsException; use Symfony\Component\Security\Core\Exception\InvalidCsrfTokenException; use Symfony\Component\Security\Core\Security; use Symfony\Component\EventDispatcher\EventDispatcherInterface; @@ -83,6 +84,10 @@ class UsernamePasswordFormAuthenticationListener extends AbstractAuthenticationL $password = ParameterBagUtils::getRequestParameterValue($request, $this->options['password_parameter']); } + if (strlen($username) > Security::MAX_USERNAME_LENGTH) { + throw new BadCredentialsException('Invalid username.'); + } + $request->getSession()->set(Security::LAST_USERNAME, $username); return $this->authenticationManager->authenticate(new UsernamePasswordToken($username, $password, $this->providerKey)); |