[Security] Don't allow empty username or empty password #46118


Merged

@bikalbasnet commented Apr 20, 2022

| Q | A |
| --- | --- |
| Branch? | 6.2 |
| Bug fix? | no |
| New feature? | yes |
| Deprecations? | yes |
| Tickets | #46100 |
| License | MIT |
| Doc PR | - |

Reopened from #46109 into 6.1 branch as this is not a bug rather a security feature

@chalasr
Member

This is a BC break, which Symfony doesn't allow in minor versions. We need to deprecate passing empty strings at first, then convert the deprecation to an error in the next major version.


@fabpot modified the milestones: 6.1, 6.2 (Apr 22, 2022)
@bikalbasnet force-pushed the 6.1-not-allow-empty-usr-pwd branch from 1a80ed6 to 97c716e (April 24, 2022 06:37)
@bikalbasnet
Author

@chalasr Do I need to create a new UPGRADE-6.2.md myself right or have to wait until 6.2 branch is created?

@wouterj
Member

We'll create the 6.2 after the stabilization period, you can then rebase this PR on the new 6.1 branch. I guess you can create a new UPGRADE-6.2.md file.


@fabpot force-pushed the 6.1-not-allow-empty-usr-pwd branch from 71e61b2 to db5afbd (July 20, 2022 16:39)
@fabpot
Member

Thank you @bikalbasnet.

@adrianrudnik
Contributor

adrianrudnik commented Mar 5, 2023

Just came across this in some application tests. Right now I get the 401 HTTP status code and the user deprecation. What is the upcoming target? From the other closed commits I assume 400 HTTP status code instead?

The naming "Passing empty username or password parameter when using JsonLoginAuthenticator is not supported anymore" is somewhat strange, as JSON clients still could send empty usernames and passwords or is there a change in this mechanic planned?

@chalasr
Member

@adrianrudnik I'm not sure I truly understand what the question is here.
Anyway if you think there's something wrong or inconsistent, please consider opening a separate issue with enough details to reproduce.


Reviewers

@chalasr requested changes

@fabpot approved these changes

@wouterj: awaiting requested review (wouterj is a code owner)


Milestone

6.2


6 participants

@bikalbasnet @chalasr @wouterj @fabpot @adrianrudnik @carsonbot
