bug #26173 [Security] fix accessing request values (xabbuh)

nicolas-grekas · nicolas-grekas · commit ee2892e84724 · 2018-02-14T13:12:46.000+01:00
This PR was merged into the 2.8 branch. Discussion ---------- [Security] fix accessing request values | Q | A | ------------- | --- | Branch? | 2.8 | Bug fix? | yes | New feature? | no | BC breaks? | no | Deprecations? | no | Tests pass? | yes | Fixed tickets | #26172 | License | MIT | Doc PR | Commits ------- 1fc5df6 fix accessing request values
diff --git a/src/Symfony/Component/Security/Http/Firewall/SimpleFormAuthenticationListener.php b/src/Symfony/Component/Security/Http/Firewall/SimpleFormAuthenticationListener.php
@@ -119,9 +119,13 @@ protected function attemptAuthentication(Request $request)
             }
         }
 
-        $requestBag = $this->options['post_only'] ? $request->request : $request;
-        $username = ParameterBagUtils::getParameterBagValue($requestBag, $this->options['username_parameter']);
-        $password = ParameterBagUtils::getParameterBagValue($requestBag, $this->options['password_parameter']);
+        if ($this->options['post_only']) {
+            $username = ParameterBagUtils::getParameterBagValue($request->request, $this->options['username_parameter']);
+            $password = ParameterBagUtils::getParameterBagValue($request->request, $this->options['password_parameter']);
+        } else {
+            $username = ParameterBagUtils::getRequestParameterValue($request, $this->options['username_parameter']);
+            $password = ParameterBagUtils::getRequestParameterValue($request, $this->options['password_parameter']);
+        }
 
         if (!\is_string($username) || (\is_object($username) && !\method_exists($username, '__toString'))) {
             throw new BadRequestHttpException(sprintf('The key "%s" must be a string, "%s" given.', $this->options['username_parameter'], \gettype($username)));
