Description
Hello there!
I'm opening a dedicated issue after my original comment here
A recent 6.2 update introduced a security test in UserBadge.
A new MAX_USERNAME_LENGTH constant, set to 4096, tests the length of the user identifier to prevent session storage flooding.
The fact that the constant is arbitrarily set to 4096 because "it should be more than enough for normal usages" is a problem, because it only relies on personal appreciation.
There should be a way, for people who know the risks, to easily override or bypass that restriction or to change the value of MAX_USERNAME_LENGTH, but the fact that it is a class constant accessed with the "self::" keyword makes it difficult.
I gave an example where this could lead to some blocking situation in my original comment here.
A long term solution could be to add a configuration parameter to properly override MAX_USERNAME_LENGTH if set.
A short term solution could be to, at least, use the "static::" keyword in the MAX_USERNAME_LENGTH test. In that way, it would be possible to extend UserBadge with a custom class, and redefine MAX_USERNAME_LENGTH inside the extending class.
Z.
Example
Short term proposition:
In UserBadge.
Change:
    if (\strlen($userIdentifier) > self::MAX_USERNAME_LENGTH) {
        throw new BadCredentialsException('Username too long.');
    }
For:
    if (\strlen($userIdentifier) > static::MAX_USERNAME_LENGTH) {
        throw new BadCredentialsException('Username too long.');
    }
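The difference between the two checks, as an added stand-alone example that is not Symfony's code: a simplified stand-in for UserBadge with the same 4096 default, once with `self::` and once with `static::`, plus two hypothetical subclasses that raise the limit to 8192 (the class and constant values here are assumptions for illustration).

```php
<?php
// Added example (not Symfony's code): a minimal stand-in for UserBadge showing
// why a `self::` check ignores a subclass's MAX_USERNAME_LENGTH and `static::` honours it.

class BadCredentialsException extends \RuntimeException {}

class UserBadge // stand-in, same default limit as the real class
{
    public const MAX_USERNAME_LENGTH = 4096;

    public function __construct(string $userIdentifier)
    {
        // `self::` is resolved against UserBadge itself, whatever class is instantiated.
        if (\strlen($userIdentifier) > self::MAX_USERNAME_LENGTH) {
            throw new BadCredentialsException('Username too long.');
        }
    }
}

class UserBadgeLsb // same check with late static binding
{
    public const MAX_USERNAME_LENGTH = 4096;

    public function __construct(string $userIdentifier)
    {
        // `static::` is resolved against the class actually instantiated.
        if (\strlen($userIdentifier) > static::MAX_USERNAME_LENGTH) {
            throw new BadCredentialsException('Username too long.');
        }
    }
}

// Hypothetical subclasses that raise the limit to 8192.
class LongUserBadge extends UserBadge { public const MAX_USERNAME_LENGTH = 8192; }
class LongUserBadgeLsb extends UserBadgeLsb { public const MAX_USERNAME_LENGTH = 8192; }

function tryBadge(string $class, string $id): string
{
    try {
        new $class($id);
        return 'accepted';
    } catch (BadCredentialsException $e) {
        return 'rejected (' . $e->getMessage() . ')';
    }
}

$id = str_repeat('a', 5000); // constructed 5000-byte identifier: over 4096, under 8192
echo 'self::   ' . tryBadge(LongUserBadge::class, $id) . "\n";
echo 'static:: ' . tryBadge(LongUserBadgeLsb::class, $id) . "\n";
```

Only the `static::` variant lets the subclass's constant take effect; with `self::` the subclass override is silently ignored and the 4096 limit still applies.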