From e85070088e957a2afae6d096277da34f1ef3be0c Mon Sep 17 00:00:00 2001
From: Robin Chalas <robin.chalas@gmail.com>
Date: Thu, 13 May 2021 12:05:25 +0200
Subject: [PATCH 1/3] [Security\Core] Fix user enumeration via response body on
 invalid credentials

---
 .../Provider/UserAuthenticationProvider.php   |  4 ++--
 .../UserAuthenticationProviderTest.php        | 19 +++++++++++++++++++
 2 files changed, 21 insertions(+), 2 deletions(-)

diff --git a/src/Symfony/Component/Security/Core/Authentication/Provider/UserAuthenticationProvider.php b/src/Symfony/Component/Security/Core/Authentication/Provider/UserAuthenticationProvider.php
index 9557fa00047c1..e5357603c6071 100644
--- a/src/Symfony/Component/Security/Core/Authentication/Provider/UserAuthenticationProvider.php
+++ b/src/Symfony/Component/Security/Core/Authentication/Provider/UserAuthenticationProvider.php
@@ -84,8 +84,8 @@ public function authenticate(TokenInterface $token)
             $this->userChecker->checkPreAuth($user);
             $this->checkAuthentication($user, $token);
             $this->userChecker->checkPostAuth($user);
-        } catch (AccountStatusException $e) {
-            if ($this->hideUserNotFoundExceptions) {
+        } catch (AuthenticationException $e) {
+            if ($this->hideUserNotFoundExceptions && ($e instanceof AccountStatusException || $e instanceof BadCredentialsException)) {
                 throw new BadCredentialsException('Bad credentials.', 0, $e);
             }
 
diff --git a/src/Symfony/Component/Security/Core/Tests/Authentication/Provider/UserAuthenticationProviderTest.php b/src/Symfony/Component/Security/Core/Tests/Authentication/Provider/UserAuthenticationProviderTest.php
index c20b6ca2eaa1d..92f987d16ab89 100644
--- a/src/Symfony/Component/Security/Core/Tests/Authentication/Provider/UserAuthenticationProviderTest.php
+++ b/src/Symfony/Component/Security/Core/Tests/Authentication/Provider/UserAuthenticationProviderTest.php
@@ -18,6 +18,7 @@
 use Symfony\Component\Security\Core\Exception\UsernameNotFoundException;
 use Symfony\Component\Security\Core\Role\Role;
 use Symfony\Component\Security\Core\Role\SwitchUserRole;
+use Symfony\Component\Security\Core\User\UserInterface;
 
 class UserAuthenticationProviderTest extends TestCase
 {
@@ -62,6 +63,24 @@ public function testAuthenticateWhenUsernameIsNotFoundAndHideIsTrue()
         $provider->authenticate($this->getSupportedToken());
     }
 
+    public function testAuthenticateWhenCredentialsAreInvalidAndHideIsTrue()
+    {
+        $provider = $this->getProvider();
+        $provider->expects($this->once())
+            ->method('retrieveUser')
+            ->willReturn($this->createMock(UserInterface::class))
+        ;
+        $provider->expects($this->once())
+            ->method('checkAuthentication')
+            ->willThrowException(new BadCredentialsException())
+        ;
+
+        $this->expectException(BadCredentialsException::class);
+        $this->expectExceptionMessage('Bad credentials.');
+
+        $provider->authenticate($this->getSupportedToken());
+    }
+
     /**
      * @group legacy
      */

From 184bd684f9dc243c37faa79b8d90f506b3fc4174 Mon Sep 17 00:00:00 2001
From: Fabien Potencier <fabien@potencier.org>
Date: Wed, 19 May 2021 14:06:48 +0200
Subject: [PATCH 2/3] Update CHANGELOG for 3.4.49

---
 CHANGELOG-3.4.md | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/CHANGELOG-3.4.md b/CHANGELOG-3.4.md
index 00f1df4aafe07..0b87fce6174d7 100644
--- a/CHANGELOG-3.4.md
+++ b/CHANGELOG-3.4.md
@@ -7,6 +7,10 @@ in 3.4 minor versions.
 To get the diff for a specific change, go to https://github.com/symfony/symfony/commit/XXX where XXX is the change hash
 To get the diff between two versions, go to https://github.com/symfony/symfony/compare/v3.4.0...v3.4.1
 
+* 3.4.49 (2021-05-19)
+
+ * security #cve-2021-21424 [Security\Core] Fix user enumeration via response body on invalid credentials (chalasr)
+
 * 3.4.48 (2021-05-12)
 
  * security #cve-2021-21424 [Security][Guard] Prevent user enumeration (chalasr)

From 13af89214179d9081dbd7c6baeee6a23654f23c2 Mon Sep 17 00:00:00 2001
From: Fabien Potencier <fabien@potencier.org>
Date: Wed, 19 May 2021 14:06:59 +0200
Subject: [PATCH 3/3] Update VERSION for 3.4.49

---
 src/Symfony/Component/HttpKernel/Kernel.php | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/Symfony/Component/HttpKernel/Kernel.php b/src/Symfony/Component/HttpKernel/Kernel.php
index 63c96abd3a29f..de3b408442f0f 100644
--- a/src/Symfony/Component/HttpKernel/Kernel.php
+++ b/src/Symfony/Component/HttpKernel/Kernel.php
@@ -67,11 +67,11 @@ abstract class Kernel implements KernelInterface, RebootableInterface, Terminabl
     private $requestStackSize = 0;
     private $resetServices = false;
 
-    const VERSION = '3.4.48';
-    const VERSION_ID = 30448;
+    const VERSION = '3.4.49';
+    const VERSION_ID = 30449;
     const MAJOR_VERSION = 3;
     const MINOR_VERSION = 4;
-    const RELEASE_VERSION = 48;
+    const RELEASE_VERSION = 49;
     const EXTRA_VERSION = '';
 
     const END_OF_MAINTENANCE = '11/2020';