Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
Appearance settings

[Security] Return null instead of empty username to fix deprecation notice#59586

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to ourterms of service andprivacy statement. We’ll occasionally send you account related emails.

Already on GitHub?Sign in to your account

Closed
phasdev wants to merge2 commits intosymfony:6.4fromphasdev:fix_59584

Conversation

phasdev
Copy link
Contributor

@phasdevphasdev commentedJan 22, 2025
edited by chalasr
Loading

QA
Branch?6.4
Bug fix?yes
New feature?no
Deprecations?no
IssuesFix#59584
LicenseMIT

RemoteUserAuthenticator may return an empty string when extracting a username from the configured$_SERVER parameter (e.g.REMOTE_USER).

An empty username triggers theUser Deprecated: Since symfony/security-http 7.2: Using an empty string as user identifier is deprecated and will throw an exception in Symfony 8.0.

Returnnull instead of empty username to skip authenticator when username is empty and fix Symfony 8 deprecation notice.

@carsonbot

This comment was marked as outdated.

@phasdev
Copy link
ContributorAuthor

Therelease page shows5.4 accepting security fixes. Since this is part of the Security component, I figured that's where the change should be made. Please let me know if you'd prefer I make this change in6.4 and I'll submit a new PR.

@alexandre-daubois
Copy link
Member

alexandre-daubois commentedJan 24, 2025
edited
Loading

This should be a bug fix, not a security fix. Security fixes corresponds to modifications that address CVEs or vulnerability that endangers apps security, likethese reports.

@phasdevphasdev changed the base branch from5.4 to6.4January 24, 2025 16:47
@phasdev
Copy link
ContributorAuthor

phasdev commentedJan 24, 2025
edited
Loading

@alexandre-daubois Thanks for the clarification; I've changed the base branch to 6.4.

@nicolas-grekas
Copy link
Member

Can you please add a test case to cover this?

@@ -45,6 +45,6 @@ protected function extractUsername(Request $request): ?string
throw new BadCredentialsException(sprintf('User key was not found: "%s".', $this->userKey));
}

return $request->server->get($this->userKey);
return $request->server->get($this->userKey) ?: null;
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

Looking at how the method is used I wonder if we shouldn’t throw aBadCredentialsException here then.

@phasdev
Copy link
ContributorAuthor

Apologies; I ran into some trouble rebasing the commit for a test case so I created a new branch/PR to be safe:#59640

Sign up for freeto join this conversation on GitHub. Already have an account?Sign in to comment
Reviewers

@xabbuhxabbuhxabbuh left review comments

@chalasrchalasrAwaiting requested review from chalasrchalasr is a code owner

Assignees
No one assigned
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

5 participants
@phasdev@carsonbot@alexandre-daubois@nicolas-grekas@xabbuh
[8]ページ先頭
©2009-2025 Movatter.jp