[ Security ][ Firewall ] Bug in the last version with SimpleFormAuthentication #26172

Closed
luismatesanz opened this issue Feb 14, 2018 · 3 comments

Comments

@luismatesanz

luismatesanz commented Feb 14, 2018

| Q               | A
| --------------- | ---
| Bug report?     | yes
| Feature request? | no
| BC Break report? |
| RFC?            |
| Symfony version | Since version 2.7

In the last version I detected a bug in the SimpleFormAuthentication component when it checks whether only the POST method is accepted. If the security form configuration sets "post_only: false", the variable $requestBag gets a Request object and getParameterBagValue is called with the wrong object.

path: symfony/symfony/src/Symfony/Component/Security/Http/Firewall/SimpleFormAuthenticationListener.php
namespace: Symfony\Component\Security\Http\Firewall
method: protected function attemptAuthentication(Request $request)
line: 102

$requestBag = $this->options['post_only'] ? $request->request : $request;
$username = ParameterBagUtils::getParameterBagValue($requestBag, $this->options['username_parameter']);
$password = ParameterBagUtils::getParameterBagValue($requestBag, $this->options['password_parameter']);

To fix the problem I need to downgrade the version.

@linaori
Contributor

linaori commented Feb 14, 2018

In 2.7 that class did not exist yet, but as of 2.8 it does. The method signature is:

public static function getParameterBagValue(ParameterBag $parameters, $path)

https://github.com/symfony/symfony/blob/2.8/src/Symfony/Component/Security/Http/ParameterBagUtils.php#L39

In 2.7 this was using ->get() directly on either the request or the parameter bag, which works due to duck typing:

$requestBag = $this->options['post_only'] ? $request->request : $request;
$username = $requestBag->get($this->options['username_parameter'], null, true);
$password = $requestBag->get($this->options['password_parameter'], null, true);

https://github.com/symfony/symfony/blob/2.7/src/Symfony/Component/Security/Http/Firewall/SimpleFormAuthenticationListener.php#L111-L113

I can confirm this is a bug in 2.8+.

Status: reviewed
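To make the type mismatch concrete, the following is an added example (not Symfony's own code and not part of this thread) showing how the credential lookup can branch on post_only so that getParameterBagValue() only ever receives a ParameterBag. It assumes a Symfony 2.8 installation available through Composer's vendor/autoload.php, and it relies on the Request-typed companion helper ParameterBagUtils::getRequestParameterValue() from the same class, which the thread itself does not mention.

```php
<?php
// Added example, not Symfony's own listener code. Assumes a Symfony 2.8
// install via Composer so that Request and ParameterBagUtils autoload.
require __DIR__ . '/vendor/autoload.php';

use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\Security\Http\ParameterBagUtils;

/**
 * Extract the credential pair the way the listener should after the fix:
 * with post_only the lookup is restricted to the POST body ($request->request,
 * a ParameterBag), otherwise the whole Request is searched with the helper
 * whose type hint actually accepts a Request.
 *
 * @return array [username|null, password|null]
 */
function extractCredentials(Request $request, array $options)
{
    if ($options['post_only']) {
        // $request->request is a ParameterBag, so this matches the
        // getParameterBagValue(ParameterBag $parameters, $path) signature.
        $username = ParameterBagUtils::getParameterBagValue($request->request, $options['username_parameter']);
        $password = ParameterBagUtils::getParameterBagValue($request->request, $options['password_parameter']);
    } else {
        // The buggy code passed $request itself to getParameterBagValue().
        // getRequestParameterValue() is the Request-typed sibling helper
        // (assumed to exist alongside it in ParameterBagUtils) and resolves
        // the value through Request::get(), so query and body are both checked.
        $username = ParameterBagUtils::getRequestParameterValue($request, $options['username_parameter']);
        $password = ParameterBagUtils::getRequestParameterValue($request, $options['password_parameter']);
    }

    return array($username, $password);
}

$options = array(
    'post_only'          => false,
    'username_parameter' => '_username',
    'password_parameter' => '_password',
);

// Constructed sample requests: a GET carrying the fields in the query string
// (only honoured because post_only is false) and a POST carrying them in the body.
$get  = Request::create('/login_check', 'GET',  array('_username' => 'alice', '_password' => 'example'));
$post = Request::create('/login_check', 'POST', array('_username' => 'alice', '_password' => 'example'));

var_dump(extractCredentials($get, $options));   // both values found via the query string
var_dump(extractCredentials($post, $options));  // both values found via the request body

// With post_only enabled the GET request yields no credentials at all,
// which is the restriction the option is meant to enforce.
var_dump(extractCredentials($get, array('post_only' => true) + $options));
```

The point of the branch is that the two helpers have different parameter types; the original one-liner chose the object first and the helper second, so the non-post_only path handed a Request to a method hinted on ParameterBag.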

@chalasr
Member

chalasr commented Feb 14, 2018

👍 The form_login listener has been fixed in #26111, same patch needed

@xabbuh
Member

xabbuh commented Feb 14, 2018

see #26173

nicolas-grekas added a commit that referenced this issue Feb 14, 2018
This PR was merged into the 2.8 branch.

Discussion
----------

[Security] fix accessing request values

| Q             | A
| ------------- | ---
| Branch?       | 2.8
| Bug fix?      | yes
| New feature?  | no
| BC breaks?    | no
| Deprecations? | no
| Tests pass?   | yes
| Fixed tickets | #26172
| License       | MIT
| Doc PR        |

Commits
-------

1fc5df6 fix accessing request values