Symfony version(s) affected
6.1.2
Description
When login_check is requested and the request parameters are missing (user, hash, expires), it throws 500 exceptions as the verifySignatureHash method needs 3 not null parameters.
How to reproduce
Implement LoginLink and then request login via link:
https://mydomain.eu/login_check?amp%3Bexpires=1669158801&%3Bhash=YTU2NzdiNjE3ZGZhZRTHJH5678c1ODcyOTAyNDc0MzhiFiZmRlOWRjMjE4NDhhOGE4ZDcxNjU5OTUzNw%3D%3D%7CYTg5Y2JlNjY4MmQxZWU0M...5lc3M&user=myemail%40example.com
You see that here all parameters are provided but actually they are not. Due to some weird solution in our client's corporation when they get an email with the link, their inner security solution encodes ampersand to amp%3B. This makes those parameters obsolete.
Possible Solution
We should check in vendor/symfony/security-http/LoginLink/LoginLinkHandler.php:92 if those parameters are not null and if yes, then throw an exception that can be handled.
Additional Context
Uncaught Error: Symfony\Component\Security\Core\Signature\SignatureHasher::verifySignatureHash(): Argument #2 ($expires) must be of type int, null given, called in /vendor/symfony/security-http/LoginLink/LoginLinkHandler.php on line 96
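The kind of guard the report asks for, as an added example (not Symfony's code and not from the issue author): standalone PHP that validates the three query parameters and raises a catchable exception before any signature check runs. `MalformedLoginLinkException` and `extractLoginLinkParams` are hypothetical names, and the sample query strings are constructed with a placeholder hash.

```php
<?php
declare(strict_types=1);

// Hypothetical exception type for this example; an application would map it
// to an authentication failure (4xx) instead of letting a TypeError become a 500.
final class MalformedLoginLinkException extends \RuntimeException {}

/**
 * Extract and validate the login-link parameters from a raw query string.
 *
 * @return array{user: string, expires: int, hash: string}
 */
function extractLoginLinkParams(string $queryString): array
{
    parse_str($queryString, $params);

    foreach (['user', 'expires', 'hash'] as $name) {
        // Reject missing, empty and array-valued (e.g. "user[]=x") parameters.
        if (!isset($params[$name]) || !is_string($params[$name]) || $params[$name] === '') {
            throw new MalformedLoginLinkException(sprintf('Missing or invalid "%s" parameter.', $name));
        }
    }

    // "expires" must be a plain decimal timestamp before it is cast to int.
    if (!ctype_digit($params['expires'])) {
        throw new MalformedLoginLinkException('Parameter "expires" is not a timestamp.');
    }

    return [
        'user' => $params['user'],
        'expires' => (int) $params['expires'],
        'hash' => $params['hash'],
    ];
}

// Constructed samples: the first mirrors the shape of the rewritten link in
// the report (only "user" survives as a real key), the second is well-formed.
$samples = [
    'amp%3Bexpires=1669158801&%3Bhash=PLACEHOLDER_HASH&user=myemail%40example.com',
    'user=myemail%40example.com&expires=1669158801&hash=PLACEHOLDER_HASH',
];

foreach ($samples as $query) {
    try {
        $p = extractLoginLinkParams($query);
        printf("accepted: user=%s expires=%d\n", $p['user'], $p['expires']);
    } catch (MalformedLoginLinkException $e) {
        printf("rejected: %s\n", $e->getMessage());
    }
}
```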