Commite34cd7d

committed

Merge branch '5.2' into 5.x

* 5.2: [Security\Core] Fix user enumeration via response body on invalid credentials Update VERSION for 3.4.48 Update CHANGELOG for 3.4.48

2 parentsd319beb +309f36d commite34cd7dCopy full SHA for e34cd7d

File tree

+21

-2

lines changed

src/Symfony/Component/Security/Core
- Authentication/Provider
  - UserAuthenticationProvider.php
- Tests/Authentication/Provider
  - UserAuthenticationProviderTest.php

+21

-2

lines changed

Lines changed: 3 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -18,6 +18,7 @@`
`18`	`18`	`useSymfony\Component\Security\Core\Exception\AuthenticationException;`
`19`	`19`	`useSymfony\Component\Security\Core\Exception\AuthenticationServiceException;`
`20`	`20`	`useSymfony\Component\Security\Core\Exception\BadCredentialsException;`
	`21`	`+useSymfony\Component\Security\Core\Exception\CustomUserMessageAccountStatusException;`
`21`	`22`	`useSymfony\Component\Security\Core\Exception\UserNotFoundException;`
`22`	`23`	`useSymfony\Component\Security\Core\User\UserCheckerInterface;`
`23`	`24`	`useSymfony\Component\Security\Core\User\UserInterface;`
`@@ -84,8 +85,8 @@ public function authenticate(TokenInterface $token)`
`84`	`85`	`$this->userChecker->checkPreAuth($user);`
`85`	`86`	`$this->checkAuthentication($user,$token);`
`86`	`87`	`$this->userChecker->checkPostAuth($user);`
`87`		`- }catch (AccountStatusException$e) {`
`88`		`-if ($this->hideUserNotFoundExceptions) {`
	`88`	`+ }catch (AccountStatusException\|BadCredentialsException$e) {`
	`89`	`+if ($this->hideUserNotFoundExceptions && !$einstanceof CustomUserMessageAccountStatusException) {`
`89`	`90`	`thrownewBadCredentialsException('Bad credentials.',0,$e);`
`90`	`91`	`}`
`91`	`92`

Lines changed: 18 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -69,6 +69,24 @@ public function testAuthenticateWhenUsernameIsNotFoundAndHideIsTrue()`
`69`	`69`	`$provider->authenticate($this->getSupportedToken());`
`70`	`70`	`}`
`71`	`71`
	`72`	`+publicfunctiontestAuthenticateWhenCredentialsAreInvalidAndHideIsTrue()`
	`73`	`+ {`
	`74`	`+$provider =$this->getProvider();`
	`75`	`+$provider->expects($this->once())`
	`76`	`+ ->method('retrieveUser')`
	`77`	`+ ->willReturn($this->createMock(UserInterface::class))`
	`78`	`+ ;`
	`79`	`+$provider->expects($this->once())`
	`80`	`+ ->method('checkAuthentication')`
	`81`	`+ ->willThrowException(newBadCredentialsException())`
	`82`	`+ ;`
	`83`	`+`
	`84`	`+$this->expectException(BadCredentialsException::class);`
	`85`	`+$this->expectExceptionMessage('Bad credentials.');`
	`86`	`+`
	`87`	`+$provider->authenticate($this->getSupportedToken());`
	`88`	`+ }`
	`89`	`+`
`72`	`90`	`publicfunctiontestAuthenticateWhenProviderDoesNotReturnAnUserInterface()`
`73`	`91`	`{`
`74`	`92`	`$this->expectException(AuthenticationServiceException::class);`

Comments

(0)