[Security] fixes a bug where authentication errors might have leaked confidential information

2 files changed, 9 insertions, 9 deletions

diff --git a/Http/Authentication/AuthenticationFailureHandlerInterface.php b/Http/Authentication/AuthenticationFailureHandlerInterface.php
index 5eeefa1..8defef6 100644
--- a/Http/Authentication/AuthenticationFailureHandlerInterface.php
+++ b/Http/Authentication/AuthenticationFailureHandlerInterface.php
@@ -2,6 +2,7 @@
 
 namespace Symfony\Component\Security\Http\Authentication;
 
+use Symfony\Component\Security\Core\Exception\AuthenticationException;
 use Symfony\Component\EventDispatcher\EventInterface;
 use Symfony\Component\HttpFoundation\Request;
 
@@ -21,12 +22,12 @@ interface AuthenticationFailureHandlerInterface
      * called by authentication listeners inheriting from
      * AbstractAuthenticationListener.
      *
-     * @param EventInterface $event the "core.security" event, this event always
-     *                              has the kernel as target
-     * @param Request        $request
-     * @param \Exception     $exception
+     * @param EventInterface          $event the "core.security" event, this event always
+     *                                       has the kernel as target
+     * @param Request                 $request
+     * @param AuthenticationException $exception
      *
      * @return Response the response to return
      */
-    function onAuthenticationFailure(EventInterface $event, Request $request, \Exception $exception);
+    function onAuthenticationFailure(EventInterface $event, Request $request, AuthenticationException $exception);
 }
\ No newline at end of file
diff --git a/Http/Firewall/AbstractAuthenticationListener.php b/Http/Firewall/AbstractAuthenticationListener.php
index a79e63b..46dbf6d 100644
--- a/Http/Firewall/AbstractAuthenticationListener.php
+++ b/Http/Firewall/AbstractAuthenticationListener.php
@@ -12,7 +12,6 @@
 namespace Symfony\Component\Security\Http\Firewall;
 
 use Symfony\Component\EventDispatcher\Event;
-
 use Symfony\Component\Security\Http\Session\SessionAuthenticationStrategyInterface;
 use Symfony\Component\Security\Http\Authentication\AuthenticationFailureHandlerInterface;
 use Symfony\Component\Security\Http\Authentication\AuthenticationSuccessHandlerInterface;
@@ -173,7 +172,7 @@ abstract class AbstractAuthenticationListener implements ListenerInterface
         return $this->options['check_path'] === $request->getPathInfo();
     }
 
-    protected function onFailure($event, Request $request, \Exception $failed)
+    protected function onFailure($event, Request $request, AuthenticationException $failed)
     {
         if (null !== $this->logger) {
             $this->logger->debug(sprintf('Authentication request failed: %s', $failed->getMessage()));
@@ -195,7 +194,7 @@ abstract class AbstractAuthenticationListener implements ListenerInterface
             }
 
             $subRequest = Request::create($this->options['failure_path']);
-            $subRequest->attributes->set(SecurityContextInterface::AUTHENTICATION_ERROR, $failed->getMessage());
+            $subRequest->attributes->set(SecurityContextInterface::AUTHENTICATION_ERROR, $failed);
 
             return $event->getSubject()->handle($subRequest, HttpKernelInterface::SUB_REQUEST);
         } else {
@@ -203,7 +202,7 @@ abstract class AbstractAuthenticationListener implements ListenerInterface
                 $this->logger->debug(sprintf('Redirecting to %s', $this->options['failure_path']));
             }
 
-            $request->getSession()->set(SecurityContextInterface::AUTHENTICATION_ERROR, $failed->getMessage());
+            $request->getSession()->set(SecurityContextInterface::AUTHENTICATION_ERROR, $failed);
 
             $response = new Response();
             $response->setRedirect(0 !== strpos($this->options['failure_path'], 'http') ? $request->getUriForPath($this->options['failure_path']) : $this->options['failure_path'], 302);