diff --git a/CHANGELOG-3.4.md b/CHANGELOG-3.4.md
index 00f1df4aafe07..0b87fce6174d7 100644
--- a/CHANGELOG-3.4.md
+++ b/CHANGELOG-3.4.md
@@ -7,6 +7,10 @@ in 3.4 minor versions.
 To get the diff for a specific change, go to https://github.com/symfony/symfony/commit/XXX where XXX is the change hash
 To get the diff between two versions, go to https://github.com/symfony/symfony/compare/v3.4.0...v3.4.1
+* 3.4.49 (2021-05-19)
+
+ * security #cve-2021-21424 [Security\Core] Fix user enumeration via response body on invalid credentials (chalasr)
+
 * 3.4.48 (2021-05-12)
 * security #cve-2021-21424 [Security][Guard] Prevent user enumeration (chalasr)
diff --git a/src/Symfony/Component/HttpKernel/Kernel.php b/src/Symfony/Component/HttpKernel/Kernel.php
index 63c96abd3a29f..de3b408442f0f 100644
--- a/src/Symfony/Component/HttpKernel/Kernel.php
+++ b/src/Symfony/Component/HttpKernel/Kernel.php
@@ -67,11 +67,11 @@ abstract class Kernel implements KernelInterface, RebootableInterface, Terminabl
 private $requestStackSize = 0;
 private $resetServices = false;
- const VERSION = '3.4.48';
- const VERSION_ID = 30448;
+ const VERSION = '3.4.49';
+ const VERSION_ID = 30449;
 const MAJOR_VERSION = 3;
 const MINOR_VERSION = 4;
- const RELEASE_VERSION = 48;
+ const RELEASE_VERSION = 49;
 const EXTRA_VERSION = '';
 const END_OF_MAINTENANCE = '11/2020';
diff --git a/src/Symfony/Component/Security/Core/Authentication/Provider/UserAuthenticationProvider.php b/src/Symfony/Component/Security/Core/Authentication/Provider/UserAuthenticationProvider.php
index 9557fa00047c1..e5357603c6071 100644
--- a/src/Symfony/Component/Security/Core/Authentication/Provider/UserAuthenticationProvider.php
+++ b/src/Symfony/Component/Security/Core/Authentication/Provider/UserAuthenticationProvider.php
@@ -84,8 +84,8 @@ public function authenticate(TokenInterface $token)
 $this->userChecker->checkPreAuth($user);
 $this->checkAuthentication($user, $token);
 $this->userChecker->checkPostAuth($user);
- } catch (AccountStatusException $e) {
- if ($this->hideUserNotFoundExceptions) {
+ } catch (AuthenticationException $e) {
+ if ($this->hideUserNotFoundExceptions && ($e instanceof AccountStatusException || $e instanceof BadCredentialsException)) {
 throw new BadCredentialsException('Bad credentials.', 0, $e);
 }
diff --git a/src/Symfony/Component/Security/Core/Tests/Authentication/Provider/UserAuthenticationProviderTest.php b/src/Symfony/Component/Security/Core/Tests/Authentication/Provider/UserAuthenticationProviderTest.php
index c20b6ca2eaa1d..92f987d16ab89 100644
--- a/src/Symfony/Component/Security/Core/Tests/Authentication/Provider/UserAuthenticationProviderTest.php
+++ b/src/Symfony/Component/Security/Core/Tests/Authentication/Provider/UserAuthenticationProviderTest.php
@@ -18,6 +18,7 @@ use Symfony\Component\Security\Core\Exception\UsernameNotFoundException;
 use Symfony\Component\Security\Core\Role\Role;
 use Symfony\Component\Security\Core\Role\SwitchUserRole;
+use Symfony\Component\Security\Core\User\UserInterface;
 class UserAuthenticationProviderTest extends TestCase
 {
@@ -62,6 +63,24 @@ public function testAuthenticateWhenUsernameIsNotFoundAndHideIsTrue()
 $provider->authenticate($this->getSupportedToken());
 }
+ public function testAuthenticateWhenCredentialsAreInvalidAndHideIsTrue()
+ {
+ $provider = $this->getProvider();
+ $provider->expects($this->once())
+ ->method('retrieveUser')
+ ->willReturn($this->createMock(UserInterface::class))
+ ;
+ $provider->expects($this->once())
+ ->method('checkAuthentication')
+ ->willThrowException(new BadCredentialsException())
+ ;
+
+ $this->expectException(BadCredentialsException::class);
+ $this->expectExceptionMessage('Bad credentials.');
+
+ $provider->authenticate($this->getSupportedToken());
+ }
+
 /**
 * @group legacy
 */
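Review bot: The rewrapped `BadCredentialsException` thrown on the unchanged `throw new BadCredentialsException('Bad credentials.', 0, $e)` line still carries the specific failure as its previous exception, so the response body is sanitized only at the top level — anything that serialises the exception chain (a debug error page, a JSON error normaliser that walks `getPrevious()`, log context echoed back to the client) would still reveal whether the account was unknown, locked, or merely given a wrong password. That contract deserves a comment above the new `if`: `// Collapse account-status and credential failures into one generic message so a client cannot tell "unknown user" from "wrong password"; the real cause stays reachable via getPrevious() for server-side logging only and must never reach the response.` The widened `catch (AuthenticationException $e)` presumably rethrows everything else via a `throw $e;` below the hunk, so subclasses such as `AuthenticationServiceException` or `CustomUserMessageAuthenticationException` keep their original message by design, which is right for infrastructure errors but means a user checker that throws a custom-message exception can reintroduce the enumeration this fix closes, and the comment should say so. Note also that the hunk equalises only the message, not timing: when `retrieveUser` fails no password verification runs, so latency may still distinguish the two cases, which is outside this change but worth a `// TODO` next to the catch. The `authenticate` method begins before the hunk and its rethrow path continues after it.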
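Review bot: The added `testAuthenticateWhenCredentialsAreInvalidAndHideIsTrue` pins only the hide-enabled path, so nothing asserts that with hiding disabled a `BadCredentialsException` from `checkAuthentication` still propagates with its original message, nor that other `AuthenticationException` subclasses are never rewrapped into the generic message; since the provider now catches the broad base class, both invariants are worth pinning so a later refactor cannot silently start hiding or exposing the wrong exceptions. A companion test mirroring the added one, with the hide flag off and an exception carrying a distinctive message, covers the first case; the second needs a non-credential exception such as `AuthenticationServiceException` asserted to surface unchanged. The snippet below assumes `getProvider()` takes the hide flag as its second argument — the helper is not visible in this hunk, so confirm its signature before adopting it. `testAuthenticateWhenUsernameIsNotFoundAndHideIsTrue` starts before this hunk.

```php
    public function testAuthenticateWhenCredentialsAreInvalidAndHideIsFalse()
    {
        // NOTE(review): assumes getProvider($userChecker, $hide) — confirm the helper's signature.
        $provider = $this->getProvider(false, false);
        $provider->expects($this->once())
            ->method('retrieveUser')
            ->willReturn($this->createMock(UserInterface::class))
        ;
        $provider->expects($this->once())
            ->method('checkAuthentication')
            ->willThrowException(new BadCredentialsException('The presented password is invalid.'))
        ;

        // With hiding disabled the provider must rethrow the original exception, message intact.
        $this->expectException(BadCredentialsException::class);
        $this->expectExceptionMessage('The presented password is invalid.');

        $provider->authenticate($this->getSupportedToken());
    }
```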