bug #36223 [Security][Http][SwitchUserListener] Ignore all non existent username protection errors (fancyweb)

nicolas-grekas · nicolas-grekas · commit 15edfd39d4b3 · 2020-04-01T11:28:26.000+02:00
This PR was merged into the 4.4 branch. Discussion ---------- [Security][Http][SwitchUserListener] Ignore all non existent username protection errors | Q | A | ------------- | --- | Branch? | 4.4 | Bug fix? | yes | New feature? | no | Deprecations? | no | Tickets | #36174 | License | MIT | Doc PR | - Since we generate the non existent username blindly, it can lead to Doctrine exceptions or any other exception. We can catch all exceptions here but I guess it reduces the protection since the SQL query was not executed? Alternative: we can only catch Doctrine DriverException (in addition to the existing AuthenticationException) and only silent the reported error codes? Commits ------- 42311d5 [Security][Http][SwitchUserListener] Ignore all non existent username protection errors
diff --git a/src/Symfony/Component/Security/Http/Firewall/SwitchUserListener.php b/src/Symfony/Component/Security/Http/Firewall/SwitchUserListener.php
@@ -168,7 +168,7 @@ private function attemptSwitchUser(Request $request, string $username): ?TokenIn
 
             try {
                 $this->provider->loadUserByUsername($nonExistentUsername);
-            } catch (AuthenticationException $e) {
+            } catch (\Exception $e) {
             }
         } catch (AuthenticationException $e) {
             $this->provider->loadUserByUsername($currentUsername);

Original file line number	Diff line number	Diff line change
`@@ -168,7 +168,7 @@ private function attemptSwitchUser(Request $request, string $username): ?TokenIn`
`168`	`168`
`169`	`169`	`try {`
`170`	`170`	`$this->provider->loadUserByUsername($nonExistentUsername);`
`171`		`- } catch (AuthenticationException $e) {`
	`171`	`+ } catch (\Exception $e) {`
`172`	`172`	`}`
`173`	`173`	`} catch (AuthenticationException $e) {`
`174`	`174`	`$this->provider->loadUserByUsername($currentUsername);`