
Providing csrf-token as array causes TypeError #42614

Closed
@codegain


Symfony version(s) affected: 4.4.29

Description

If csrf_protection is set to true and the csrf-token in the request is provided as an array (from a malicious user), a TypeError is thrown.

How to reproduce

  1. Set csrf_protection to true in packages/framework.yaml
  2. Create a login form with a _csrf_token field
  3. Use some external program to send the csrf-token as an array like _csrf_token[foo]=1
  4. A TypeError is thrown

Possible Solution

The csrfToken is read in the UsernamePasswordFormAuthenticationListener::attemptAuthentication method via ParameterBagUtils::getRequestParameterValue. I don't see any option to set that the attribute read must be a string (like with the $request->get*() methods). Maybe a good place would be to check is_string (or null) in the listener class.
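A small illustration of the type check proposed above, added here and not taken from Symfony: the CsrfTokenValue class is a hypothetical stand-in for the string-or-null typed constructor in the stack trace, readCsrfTokenParameter is a hypothetical helper, and the request bodies are constructed samples. It shows how a field named `_csrf_token[foo]` becomes an array once PHP parses the body, and how rejecting non-string values before the constructor turns a 500-style TypeError into a controlled bad-request error.

```php
<?php
declare(strict_types=1);

// Added example (not Symfony's code); written for PHP 7.4 syntax to match the report.

/** Hypothetical stand-in for a constructor typed "string or null", like CsrfToken::__construct(). */
final class CsrfTokenValue
{
    public string $id;
    public ?string $value;

    public function __construct(string $id, ?string $value)
    {
        $this->id = $id;
        $this->value = $value;
    }
}

/**
 * Reads $key from already-parsed request parameters and accepts only a string or null.
 * Any other type (an array produced by "_csrf_token[foo]=1", nested arrays, ...) is rejected
 * with an InvalidArgumentException so the caller can answer 400 instead of crashing.
 */
function readCsrfTokenParameter(array $params, string $key = '_csrf_token'): ?string
{
    $value = $params[$key] ?? null;
    if ($value !== null && !is_string($value)) {
        throw new InvalidArgumentException(sprintf(
            'Parameter "%s" must be a string, %s given.', $key, gettype($value)
        ));
    }
    return $value;
}

// Constructed request bodies, as PHP would see them after parse_str().
$bodies = [
    'normal'  => '_csrf_token=abc123&_username=alice',
    'array'   => '_csrf_token[foo]=1&_username=alice',   // the case from the report
    'missing' => '_username=alice',
];

foreach ($bodies as $label => $raw) {
    parse_str($raw, $params);
    try {
        $token = new CsrfTokenValue('authenticate', readCsrfTokenParameter($params));
        printf("%-8s -> accepted, token value: %s\n", $label, var_export($token->value, true));
    } catch (InvalidArgumentException $e) {
        printf("%-8s -> rejected: %s\n", $label, $e->getMessage());
    }
}
```

Without the is_string check, the 'array' case reaches the typed constructor and fails with the same TypeError shown in the stack trace below.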

Additional context

PHP version: 7.4

Stacktrace:

TypeError: Argument 2 passed to Symfony\Component\Security\Csrf\CsrfToken::__construct() must be of the type string or null, array given, called in /vendor/symfony/security-http/Firewall/UsernamePasswordFormAuthenticationListener.php on line 75
#14 /vendor/symfony/security-csrf/CsrfToken.php(24): Symfony\Component\Security\Csrf\CsrfToken::__construct
#13 /vendor/symfony/security-http/Firewall/UsernamePasswordFormAuthenticationListener.php(75): Symfony\Component\Security\Http\Firewall\UsernamePasswordFormAuthenticationListener::attemptAuthentication
#12 /vendor/symfony/security-http/Firewall/AbstractAuthenticationListener.php(141): Symfony\Component\Security\Http\Firewall\AbstractAuthenticationListener::authenticate
#11 /vendor/symfony/security-http/Firewall/AbstractListener.php(27): Symfony\Component\Security\Http\Firewall\AbstractListener::__invoke
#10 /vendor/symfony/security-http/Firewall.php(140): Symfony\Component\Security\Http\Firewall::handleRequest
#9 /vendor/symfony/security-http/Firewall.php(130): Symfony\Component\Security\Http\Firewall::callListeners
#8 /vendor/symfony/security-http/Firewall.php(98): Symfony\Component\Security\Http\Firewall::onKernelRequest
#7 /vendor/symfony/event-dispatcher/EventDispatcher.php(304): Symfony\Component\EventDispatcher\EventDispatcher::Symfony\Component\EventDispatcher\{closure}
#6 /vendor/symfony/event-dispatcher/EventDispatcher.php(264): Symfony\Component\EventDispatcher\EventDispatcher::doDispatch
#5 /vendor/symfony/event-dispatcher/EventDispatcher.php(239): Symfony\Component\EventDispatcher\EventDispatcher::callListeners
#4 /vendor/symfony/event-dispatcher/EventDispatcher.php(73): Symfony\Component\EventDispatcher\EventDispatcher::dispatch
#3 /vendor/symfony/http-kernel/HttpKernel.php(134): Symfony\Component\HttpKernel\HttpKernel::handleRaw
#2 /vendor/symfony/http-kernel/HttpKernel.php(80): Symfony\Component\HttpKernel\HttpKernel::handle
#1 /vendor/symfony/http-kernel/Kernel.php(201): Symfony\Component\HttpKernel\Kernel::handle
#0 /public/index.php(25): null
