Skip to content

Commit

Permalink
[Security] FormLoginAuthenticator: fail for non-string password
Browse files Browse the repository at this point in the history
  • Loading branch information
@dmaicher @nicolas-grekas
dmaicher authored and nicolas-grekas committed Aug 23, 2023
1 parent f874dd2 commit dc5660e
Show file tree
Hide file tree
Showing 2 changed files with 43 additions and 0 deletions.
4 changes: 4 additions & 0 deletions src/Symfony/Component/Security/Http/Authenticator/FormLoginAuthenticator.php
View file
Original file line number Diff line number Diff line change
Expand Up @@ -157,6 +157,10 @@ private function getCredentials(Request $request): array

$request->getSession()->set(Security::LAST_USERNAME, $credentials['username']);

if (!\is_string($credentials['password']) && (!\is_object($credentials['password']) || !method_exists($credentials['password'], '__toString'))) {
throw new BadRequestHttpException(sprintf('The key "%s" must be a string, "%s" given.', $this->options['password_parameter'], \gettype($credentials['password'])));
}

return $credentials;
}

Expand Down
39 changes: 39 additions & 0 deletions src/Symfony/Component/Security/Http/Tests/Authenticator/FormLoginAuthenticatorTest.php
View file
Original file line number Diff line number Diff line change
Expand Up @@ -23,6 +23,7 @@
use Symfony\Component\Security\Http\Authenticator\FormLoginAuthenticator;
use Symfony\Component\Security\Http\Authenticator\Passport\Badge\CsrfTokenBadge;
use Symfony\Component\Security\Http\Authenticator\Passport\Badge\PasswordUpgradeBadge;
use Symfony\Component\Security\Http\Authenticator\Passport\Credentials\PasswordCredentials;
use Symfony\Component\Security\Http\HttpUtils;
use Symfony\Component\Security\Http\Tests\Authenticator\Fixtures\PasswordUpgraderProvider;

Expand Down Expand Up @@ -126,6 +127,44 @@ public function testHandleNonStringUsernameWithToString($postOnly)
$this->authenticator->authenticate($request);
}

/**
* @dataProvider postOnlyDataProvider
*/
public function testHandleNonStringPasswordWithArray(bool $postOnly)
{
$this->expectException(BadRequestHttpException::class);
$this->expectExceptionMessage('The key "_password" must be a string, "array" given.');

$request = Request::create('/login_check', 'POST', ['_username' => 'foo', '_password' => []]);
$request->setSession($this->createSession());

$this->setUpAuthenticator(['post_only' => $postOnly]);
$this->authenticator->authenticate($request);
}

/**
* @dataProvider postOnlyDataProvider
*/
public function testHandleNonStringPasswordWithToString(bool $postOnly)
{
$passwordObject = new class() {
public function __toString()
{
return 's$cr$t';
}
};

$request = Request::create('/login_check', 'POST', ['_username' => 'foo', '_password' => $passwordObject]);
$request->setSession($this->createSession());

$this->setUpAuthenticator(['post_only' => $postOnly]);
$passport = $this->authenticator->authenticate($request);

/** @var PasswordCredentials $credentialsBadge */
$credentialsBadge = $passport->getBadge(PasswordCredentials::class);
$this->assertSame('s$cr$t', $credentialsBadge->getPassword());
}

public static function postOnlyDataProvider()
{
yield [true];
Expand Down

0 comments on commit dc5660e

Please sign in to comment.