Commit0e14ecf

committed

[Security] Enforce maximum username length

1 parentf444462 commit0e14ecfCopy full SHA for 0e14ecf

File tree

-0

lines changed

-0

lines changed

Lines changed: 7 additions & 0 deletions

Original file line number	Diff line number	Diff line change
@@ -205,6 +205,11 @@ using :ref:`the user provider <security-user-providers>`::
`205`	`205`	`// ...`
`206`	`206`	`$passport = new Passport(new UserBadge($email), $credentials);`
`207`	`207`
	`208`	`+..note::`
	`209`	`+`
	`210`	`+ The maximum length allowed for the user identifier is 4096 characters to`
	`211`	+ prevent `session storage flooding`_ attacks.
	`212`	`+`
`208`	`213`	`..note::`
`209`	`214`
`210`	`215`	`You can optionally pass a user loader as second argument to the`
@@ -373,3 +378,5 @@ authenticator methods (e.g. ``createToken()``)::
`373`	`378`	`return new CustomOauthToken($passport->getUser(), $passport->getAttribute('scope'));`
`374`	`379`	`}`
`375`	`380`	`}`
	`381`	`+`
	`382`	+.. _`session storage flooding`:https://symfony.com/blog/cve-2016-4423-large-username-storage-in-session

Comments

(0)