bug #36974 [Security] Fixed handling of CSRF logout error (wouterj)

chalasr · chalasr · commit ce61bb0750ae · 2020-05-26T17:59:18.000+02:00
This PR was merged into the 3.4 branch. Discussion ---------- [Security] Fixed handling of CSRF logout error | Q | A | ------------- | --- | Branch? | 3.4 | Bug fix? | yes | New feature? | no | Deprecations? | no | Tickets | Fix #36814 | License | MIT | Doc PR | - 8 years ago, a typo was made while refactoring the `ExceptionListener`, loosing this logic (46071f3). I think we should fix it. The `LogoutException` is a very generic name for something only used when the CSRF token is invalid. Should we match the exception message to make sure only this CSRF error is transformed into 403? I didn't yet do it because any usage of `LogoutException` would have resulted in 500, which always is worse than 403. Commits ------- 50348f2 Fixed handling of CSRF logout error
diff --git a/src/Symfony/Component/Security/Http/Firewall/ExceptionListener.php b/src/Symfony/Component/Security/Http/Firewall/ExceptionListener.php
@@ -102,7 +102,7 @@ public function onKernelException(GetResponseForExceptionEvent $event)
             }
 
             if ($exception instanceof LogoutException) {
-                $this->handleLogoutException($exception);
+                $this->handleLogoutException($event, $exception);
 
                 return;
             }
@@ -172,10 +172,12 @@ private function handleAccessDeniedException(GetResponseForExceptionEvent $event
         }
     }
 
-    private function handleLogoutException(LogoutException $exception)
+    private function handleLogoutException(GetResponseForExceptionEvent $event, LogoutException $exception)
     {
+        $event->setException(new AccessDeniedHttpException($exception->getMessage(), $exception));
+
         if (null !== $this->logger) {
-            $this->logger->info('A LogoutException was thrown.', ['exception' => $exception]);
+            $this->logger->info('A LogoutException was thrown; wrapping with AccessDeniedHttpException', ['exception' => $exception]);
         }
     }
 
diff --git a/src/Symfony/Component/Security/Http/Tests/Firewall/ExceptionListenerTest.php b/src/Symfony/Component/Security/Http/Tests/Firewall/ExceptionListenerTest.php
@@ -21,6 +21,7 @@
 use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;
 use Symfony\Component\Security\Core\Exception\AccessDeniedException;
 use Symfony\Component\Security\Core\Exception\AuthenticationException;
+use Symfony\Component\Security\Core\Exception\LogoutException;
 use Symfony\Component\Security\Http\Authorization\AccessDeniedHandlerInterface;
 use Symfony\Component\Security\Http\EntryPoint\AuthenticationEntryPointInterface;
 use Symfony\Component\Security\Http\Firewall\ExceptionListener;
@@ -160,6 +161,17 @@ public function testAccessDeniedExceptionNotFullFledged(\Exception $exception, \
         $this->assertSame(null === $eventException ? $exception : $eventException, $event->getException()->getPrevious());
     }
 
+    public function testLogoutException()
+    {
+        $event = $this->createEvent(new LogoutException('Invalid CSRF.'));
+
+        $listener = $this->createExceptionListener();
+        $listener->onKernelException($event);
+
+        $this->assertEquals('Invalid CSRF.', $event->getException()->getMessage());
+        $this->assertEquals(403, $event->getException()->getStatusCode());
+    }
+
     public function getAccessDeniedExceptionProvider()
     {
         return [

Original file line number	Diff line number	Diff line change
`@@ -102,7 +102,7 @@ public function onKernelException(GetResponseForExceptionEvent $event)`
`102`	`102`	`}`
`103`	`103`
`104`	`104`	`if ($exception instanceof LogoutException) {`
`105`		`- $this->handleLogoutException($exception);`
	`105`	`+ $this->handleLogoutException($event, $exception);`
`106`	`106`
`107`	`107`	`return;`
`108`	`108`	`}`
`@@ -172,10 +172,12 @@ private function handleAccessDeniedException(GetResponseForExceptionEvent $event`
`172`	`172`	`}`
`173`	`173`	`}`
`174`	`174`
`175`		`- private function handleLogoutException(LogoutException $exception)`
	`175`	`+ private function handleLogoutException(GetResponseForExceptionEvent $event, LogoutException $exception)`
`176`	`176`	`{`
	`177`	`+ $event->setException(new AccessDeniedHttpException($exception->getMessage(), $exception));`
	`178`	`+`
`177`	`179`	`if (null !== $this->logger) {`
`178`		`- $this->logger->info('A LogoutException was thrown.', ['exception' => $exception]);`
	`180`	`+ $this->logger->info('A LogoutException was thrown; wrapping with AccessDeniedHttpException', ['exception' => $exception]);`
`179`	`181`	`}`
`180`	`182`	`}`
`181`	`183`