Merge branch '3.0'v3.1.0-BETA1

* 3.0: (31 commits)
  Drop hirak/prestissimo
  [MonologBridge] Uninstallable together with symfony/http-kernel in 3.0.6
  bumped Symfony version to 3.0.7
  updated VERSION for 3.0.6
  updated CHANGELOG for 3.0.6
  bumped Symfony version to 2.8.7
  updated VERSION for 2.8.6
  updated CHANGELOG for 2.8.6
  bumped Symfony version to 2.7.14
  updated VERSION for 2.7.13
  updated CHANGELOG for 2.7.13
  bumped Symfony version to 2.3.42
  [Debug] Fix fatal error handlers on PHP 7
  updated VERSION for 2.3.41
  update CONTRIBUTORS for 2.3.41
  updated CHANGELOG for 2.3.41
  fixed bad merge
  Fixed issue with blank password with Ldap
  limited the maximum length of a submitted username
  [2.3][Component/Security] Fixed phpdoc in AnonymousToken constructor for user param
  ...

Conflicts:
	src/Symfony/Component/DependencyInjection/Compiler/AutowirePass.php
	src/Symfony/Component/DependencyInjection/Tests/Compiler/AutowirePassTest.php
	src/Symfony/Component/HttpKernel/Kernel.php

2 files changed, 10 insertions, 0 deletions

diff --git a/Http/Firewall/SimpleFormAuthenticationListener.php b/Http/Firewall/SimpleFormAuthenticationListener.php
index 76c66bc..7c940c3 100644
--- a/Http/Firewall/SimpleFormAuthenticationListener.php
+++ b/Http/Firewall/SimpleFormAuthenticationListener.php
@@ -21,6 +21,7 @@ use Symfony\Component\Security\Http\Authentication\AuthenticationSuccessHandlerI
 use Symfony\Component\Security\Core\Authentication\AuthenticationManagerInterface;
 use Symfony\Component\Security\Http\Authentication\SimpleFormAuthenticatorInterface;
 use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;
+use Symfony\Component\Security\Core\Exception\BadCredentialsException;
 use Symfony\Component\Security\Core\Security;
 use Symfony\Component\Security\Http\HttpUtils;
 use Symfony\Component\Security\Http\ParameterBagUtils;
@@ -107,6 +108,10 @@ class SimpleFormAuthenticationListener extends AbstractAuthenticationListener
             $password = ParameterBagUtils::getRequestParameterValue($request, $this->options['password_parameter']);
         }
 
+        if (strlen($username) > Security::MAX_USERNAME_LENGTH) {
+            throw new BadCredentialsException('Invalid username.');
+        }
+
         $request->getSession()->set(Security::LAST_USERNAME, $username);
 
         $token = $this->simpleAuthenticator->createToken($request, $username, $password, $this->providerKey);
diff --git a/Http/Firewall/UsernamePasswordFormAuthenticationListener.php b/Http/Firewall/UsernamePasswordFormAuthenticationListener.php
index c8195ce..426457d 100644
--- a/Http/Firewall/UsernamePasswordFormAuthenticationListener.php
+++ b/Http/Firewall/UsernamePasswordFormAuthenticationListener.php
@@ -23,6 +23,7 @@ use Symfony\Component\Security\Http\HttpUtils;
 use Symfony\Component\Security\Core\Authentication\AuthenticationManagerInterface;
 use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;
 use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken;
+use Symfony\Component\Security\Core\Exception\BadCredentialsException;
 use Symfony\Component\Security\Core\Exception\InvalidCsrfTokenException;
 use Symfony\Component\Security\Core\Security;
 use Symfony\Component\EventDispatcher\EventDispatcherInterface;
@@ -83,6 +84,10 @@ class UsernamePasswordFormAuthenticationListener extends AbstractAuthenticationL
             $password = ParameterBagUtils::getRequestParameterValue($request, $this->options['password_parameter']);
         }
 
+        if (strlen($username) > Security::MAX_USERNAME_LENGTH) {
+            throw new BadCredentialsException('Invalid username.');
+        }
+
         $request->getSession()->set(Security::LAST_USERNAME, $username);
 
         return $this->authenticationManager->authenticate(new UsernamePasswordToken($username, $password, $this->providerKey));