Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
Appearance settings

Commit95d6a7d

Browse files
committed
[#4606] Updating thanks to comments from everyone!
1 parentd9a9310 commit95d6a7d

File tree

4 files changed

+46
-49
lines changed

4 files changed

+46
-49
lines changed

‎components/security/secure-tools.rst

Lines changed: 16 additions & 13 deletions
Original file line numberDiff line numberDiff line change
@@ -1,13 +1,9 @@
11
Securely Comparing Strings and Generating Random Numbers
22
========================================================
33

4-
..versionadded::2.2
5-
The ``StringUtils`` and ``SecureRandom`` classes were introduced in Symfony
6-
2.2
7-
8-
The Symfony Security component comes with a collection of nice utilities related
9-
to security. These utilities are used by Symfony, but you should also use
10-
them if you want to solve the problem they address.
4+
The Symfony Security component comes with a collection of nice utilities
5+
related to security. These utilities are used by Symfony, but you should
6+
also use them if you want to solve the problem they address.
117

128
Comparing Strings
139
~~~~~~~~~~~~~~~~~
@@ -22,10 +18,15 @@ algorithm; you can use the same strategy in your own code thanks to the
2218

2319
use Symfony\Component\Security\Core\Util\StringUtils;
2420

25-
// is password1 equals to password2?
26-
$bool = StringUtils::equals($password1, $password2);
21+
// is some known string (e.g. password) equal to some user input?
22+
$bool = StringUtils::equals($knownString, $userInput);
23+
24+
..caution::
25+
26+
To avoid timing attacks, the known string must be the first argument
27+
and the user-entered string the second.
2728

28-
Generating asecure random Number
29+
Generating aSecure random Number
2930
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
3031

3132
Whenever you need to generate a secure random number, you are highly
@@ -39,13 +40,15 @@ encouraged to use the Symfony
3940

4041
The
4142
:method:`Symfony\\Component\\Security\\Core\\Util\\SecureRandom::nextBytes`
42-
methods returns a random string composed of the number of characters passed as
43+
method returns a random string composed of the number of characters passed as
4344
an argument (10 in the above example).
4445

45-
The SecureRandom class works better when OpenSSL is installed but when it's
46+
The SecureRandom class works better when OpenSSL is installed. But when it's
4647
not available, it falls back to an internal algorithm, which needs a seed file
4748
to work correctly. Just pass a file name to enable it::
4849

50+
use Symfony\Component\Security\Core\Util\SecureRandom;
51+
4952
$generator = new SecureRandom('/some/path/to/store/the/seed.txt');
5053
$random = $generator->nextBytes(10);
5154

@@ -54,4 +57,4 @@ to work correctly. Just pass a file name to enable it::
5457
If you're using the Symfony Framework, you can access a secure random
5558
instance directly from the container: its name is ``security.secure_random``.
5659

57-
.. _`Timing attack`:http://en.wikipedia.org/wiki/Timing_attack
60+
.. _`Timing attack`:http://en.wikipedia.org/wiki/Timing_attack

‎cookbook/security/access_control.rst

Lines changed: 22 additions & 30 deletions
Original file line numberDiff line numberDiff line change
@@ -1,4 +1,4 @@
1-
Howdoes the Security access_control Work?
1+
HowDoes the Security access_control Work?
22
==========================================
33

44
For each incoming request, Symfony checks each ``access_control`` entry
@@ -150,33 +150,24 @@ options:
150150

151151
.. _book-security-securing-ip:
152152

153-
Securing by IP
154-
--------------
153+
Matching access_control By IP
154+
-----------------------------
155155

156-
Certain situations may arise when you may need to restrict access to a given
157-
path based on IP. This is particularly relevant in the case of
158-
:ref:`Edge Side Includes<edge-side-includes>` (ESI), for example. When ESI is
159-
enabled, it's recommended to secure access to ESI URLs. Indeed, some ESI may
160-
contain some private content like the current logged in user's information. To
161-
prevent any direct access to these resources from a web browser (by guessing the
162-
ESI URL pattern), the ESI route **must** be secured to be only visible from
163-
the trusted reverse proxy cache.
164-
165-
..versionadded::2.3
166-
Version 2.3 allows multiple IP addresses in a single rule with the ``ips: [a, b]``
167-
construct. Prior to 2.3, users should create one rule per IP address to match and
168-
use the ``ip`` key instead of ``ips``.
156+
Certain situations may arise when you need to have an ``access_control``
157+
entry that *only* matches requests coming from some IP address or range.
158+
For example, this *could* be used to deny access to a URL pattern to all
159+
requests *except* those from a trusted, internal server.
169160

170161
..caution::
171162

172-
As you'll read in the explanation below the example, the ``ip`` option
173-
does not restrict to a specific IP address. Instead, using the ``ip``
163+
As you'll read in the explanation below the example, the ``ips`` option
164+
does not restrict to a specific IP address. Instead, using the ``ips``
174165
key means that the ``access_control`` entry will only match this IP address,
175166
and users accessing it from a different IP address will continue down
176167
the ``access_control`` list.
177168

178-
Here is an example of how youmight secure all ESI routes that start with a
179-
given prefix, ``/esi``,fromoutside access:
169+
Here is an example of how youconfigure some example ``/internal*`` URL
170+
pattern so that it is only accessible by requestsfromthe local server itself:
180171

181172
..configuration-block::
182173

@@ -186,8 +177,9 @@ given prefix, ``/esi``, from outside access:
186177
security:
187178
# ...
188179
access_control:
189-
-{ path: ^/esi, roles: IS_AUTHENTICATED_ANONYMOUSLY, ips: [127.0.0.1, ::1] }
190-
-{ path: ^/esi, roles: ROLE_NO_ACCESS }
180+
#
181+
-{ path: ^/internal, roles: IS_AUTHENTICATED_ANONYMOUSLY, ips: [127.0.0.1, ::1] }
182+
-{ path: ^/internal, roles: ROLE_NO_ACCESS }
191183
192184
..code-block::xml
193185
@@ -227,19 +219,19 @@ given prefix, ``/esi``, from outside access:
227219
),
228220
));
229221
230-
Here is how it works when the path is ``/esi/something`` coming from the
231-
``10.0.0.1`` IP:
222+
Here is how it works when the path is ``/internal/something`` coming from
223+
the external IP address``10.0.0.1``:
232224

233225
* The first access control rule is ignored as the ``path`` matches but the
234-
``ip`` does not match either of the IPs listed;
226+
IP address does not match either of the IPs listed;
235227

236228
* The second access control rule is enabled (the only restriction being the
237-
``path`` and it matches): as the user cannot have the ``ROLE_NO_ACCESS``
238-
role as it's not defined,access is denied (the``ROLE_NO_ACCESS``rolecan
239-
be anythingthat does not match an existing role, it just serves as a trick
240-
to alwaysdeny access).
229+
``path``) andsoit matches. If you make sure that no users ever have
230+
``ROLE_NO_ACCESS``, thenaccess is denied (``ROLE_NO_ACCESS`` can be anything
231+
that does not match an existing role, it just serves as a trick to always
232+
deny access).
241233

242-
Now, if the same request comes from ``127.0.0.1`` or ``::1`` (the IPv6 loopback
234+
But if the same request comes from ``127.0.0.1`` or ``::1`` (the IPv6 loopback
243235
address):
244236

245237
* Now, the first access control rule is enabled as both the ``path`` and the

‎cookbook/security/form_login_setup.rst

Lines changed: 7 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -4,9 +4,9 @@ How to Build a Traditional Login Form
44
..tip::
55

66
If you need a login form and are storing users in some sort of a database,
7-
thenseeyou should consider using `FOSUserBundle`_, which helps you
8-
buildyour ``User`` object and gives you many routes and controllers
9-
for commontasks like login, registration and forgot password.
7+
then you should consider using `FOSUserBundle`_, which helps you build
8+
your ``User`` object and gives you many routes and controllers for common
9+
tasks like login, registration and forgot password.
1010

1111
In this entry, you'll build a traditional login form. Of course, when the
1212
user logs in, you can load your users from anywhere - like the database.
@@ -69,7 +69,9 @@ First, enable form login under your firewall:
6969
7070
..tip::
7171

72-
The ``login_path`` and ``check_path`` can also be route names.
72+
The ``login_path`` and ``check_path`` can also be route names (but cannot
73+
have mandatory wildcards - e.g. ``/login/{foo}`` where ``foo`` has no
74+
default value).
7375

7476
Now, when the security system initiates the authentication process, it will
7577
redirect the user to the login form ``/login``. Implementing this login form
@@ -99,7 +101,6 @@ under your ``form_login`` configuration (``/login`` and ``/login_check``):
99101
100102
// src/AppBundle/Controller/SecurityController.php
101103
// ...
102-
103104
use Sensio\Bundle\FrameworkExtraBundle\Configuration\Route;
104105
105106
class SecurityController extends Controller
@@ -410,6 +411,7 @@ for the login page:
410411
411412
# ...
412413
firewalls:
414+
# order matters! This must be before the ^/ firewall
413415
login_firewall:
414416
pattern:^/login$
415417
anonymous:~

‎reference/configuration/security.rst

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -228,7 +228,7 @@ Each part will be explained in the next section.
228228
# use the urldecoded format
229229
path: ~# Example: ^/path to resource/
230230
host:~
231-
ip:~
231+
ips:[]
232232
methods:[]
233233
roles:[]
234234
role_hierarchy:

0 commit comments

Comments
 (0)
[8]ページ先頭
©2009-2025 Movatter.jp