New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[RFC][Security] Deprecate UserInterface
implementations not implementing EquatableInterface
too
#37036
Comments
We cannot add new deprecations in 3.4 or 4.4 |
I think this is a very valid point and thus good to consider (for 5.2 - as pointed out by @stof). Interestingly, this used to be the case in 2.0. It was changed in 2.1, see #2669 and #2927. If I understand correctly, the main arguments where:
|
I know, but BC breaks should not be added in minor releases and 4.4 added one. Adding this deprecation would not hurt any codebase, but upgrading from 3.4 or 4.3 to 4.4 could result in an broken app without any previous alert. This is the easiest way I found to prevent this, but maybe we can find a better one. |
Ok, I see. I'm still asking me two things:
Surely the answer to the second question is the first one.
Maybe we can rename
|
While I agree on the problem, I don't agree on the solution proposed. There is another problem to be solved ASAP and that remains since a long time (see: #24731 , or here , or here) that is that the FULL User object is serialized in the session! In most of the case, it is not a problem since the User is just an alone entity, but as soon as you add relations to it, the linked objects may be serialized along with the User Entity ! Yesterday, my SF 5.1.3 was trying to store 100Kb of serialized data in a blob limited to 64Kb (as I use I don't like the solution here of relying on
You would end up with all credit cards data stored in session files! This would be a huge security breach!!! I hope credit card handling is not this simple, but this is to be considered for any kind of sensitive data... My opinion for a solution to that problem would be to add a method that returns a unique identifier of the User based on freely choosable fields. Ex:
This way, instead of storing the user in session, we just store this identifier (we also have to store the id separately to retrieve user in DB) and on reload, we just compare the stored identifier to the fresh loaded user from DB. This also would enable developers to choose which fields they want to use to invalidate the session. If I don't include the Actually, I had also modified my So, again, I agree there is something to do here, but please, do consider all parameters of the problem before making a change! Thanks |
For that reason I don't use
|
Thanks for your reply @thibaut-decherit , I was just about to add a comment because the I was further reading a resource pointed to me by @tarlepp , which reference another page about the same problem. So clearly this is known problem. I clearly agree with both approaches, which use a separate class to contain the data stored in session, but still it is a patch and new users won't be aware of the problem until they face an error. Really, there is something to be done here to decouple the Entity and the session object. Maybe not as I was suggesting with only a string as identifier, but maybe more with some Data Transfer Object, but anyway, it is a problem that is to be solved because it leaks entity data into session objects, and that is a big security threat... |
Thank you for this suggestion. |
Yes, I'd like it |
Thank you for this suggestion. |
Yes, please |
Thank you for this suggestion. |
The security system offers an interesting feature: when a request is authenticated from a token stored in session, the user instance is refreshed and compared to check if it has changed to prevent authentication with stale user data. The problem is how this comparison is made when the user object does not implements
EquatableInterface
.In Symfony 3.4, current code compares the output of
getUsername
,getPassword
andgetSalt
. If the user class implementsAdvancedUserInterface
, it compares the output ofisAccountNonExpired
,isAccountNonLocked
,isAccountNonLocked
andisEnabled
too.In Symfony 4.4 a new feature was added to check if the user roles have changed (#31177), but the implementation has a bug (#35941) that compares the refreshed user roles with token roles instead of comparing them with the stored user instance. This introduced a BC break fixed in #35944 and reverted in #37008. Now we have Symfony 4.4 with a known (and undocumented) BC break that unintentionally prevents to add to the token object any role not present in user object.
Usually, symfony apps use custom
UserInterface
implementations, so comparing two concrete object instances could be a tricky bussiness. To prevent this my proposition is:Deprecate
UserInterface
implementations not implementingEquatableInterface
too in Symfony 5.2, and makeUserInterface
to extendEquatableInterface
in Symfony 6 discarding the code that comparesUserInterface
instances that do not implementEquatableInterface
.But this will not solve the problem with the BC break introduced in Symfony 4.4, so I propose to deprecate this in Symfony 3.4 too, but maybe with a different message pointing to the known BC break unintentionally introduced in Symfony 4.4.
Although Symfony 4.3 is only supported for security fixes, I think this deprecation should be included too to prevent problems when upgrading to Symfony 4.4.
Finally, if this is deprecated in Symfony 3.4 and Symfony 5.2, should this deprecation affects to Symfony 4.4, 5.0 and 5.1 too?
The text was updated successfully, but these errors were encountered: