[Security] Make sure RoleVoter only votes for RoleInterface objects and strings #19965

Closed
Conversation

Gladhon
@Gladhon Gladhon commented Sep 19, 2016

| Q             | A      |
|---------------|--------|
| Branch?       | "master" |
| Bug fix?      | yes    |
| New feature?  | no     |
| BC breaks?    | yes    |
| Deprecations? | no     |
| Tests pass?   | yes    |
| Fixed tickets | #18042 |
| License       | MIT    |
| Doc PR        |        |

Make sure RoleVoter only votes for roles and doesn't produce a fatal error on non-strings.
The BC break happens if someone uses an object as a role that does not implement the RoleInterface but adds a `__toString` method that returns "ROLE_SOMETHING". This "feature" breaks.

@sstok
Contributor

sstok commented Sep 19, 2016

👍 for this change, but the CS needs some fixing. Please review the fabbot patch (once it's available).

Status: needs work

@backbone87
Contributor

obsoletes #19725 #19726

since this fixes the bug described in #18042, it should be backported to 2.x LTS (if any left)

@Gladhon
Author

Gladhon commented Sep 21, 2016

What's needed to merge it in?
@sstok CS should be fixed.

@javiereguiluz javiereguiluz changed the title [Security] make sure RoleVoter only vote for roles and don't produce [Security] Make sure RoleVoter only votes for RoleInterface objects and strings Sep 28, 2016
@javiereguiluz
Member

👍

This looks like "the right thing to do" ... but we need to think carefully about the possible BC breaks.

@backbone87
Contributor

The only BC break was mentioned in the start post: when someone uses an object with a `__toString` method without implementing the RoleInterface and passes this object as an attribute to be checked by the role voter. I would consider this a usage out of scope of the role voter API, because this voter is meant to operate on real strings or objects of type RoleInterface.
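The contract described in this thread (vote only on RoleInterface objects and real strings, skip everything else rather than failing), as an added example that is not Symfony's code; the RoleInterface, Role, StringableRole and StrictRoleVoter names are assumptions for illustration.

```php
<?php
// Added example, not Symfony's code: a minimal voter mirroring the contract
// discussed above. Class and method names are assumptions for illustration.
interface RoleInterface { public function getRole(); }
final class Role implements RoleInterface
{
    private $role;
    public function __construct($role) { $this->role = $role; }
    public function getRole() { return $this->role; }
}
// Stringifies to a role name but does NOT implement RoleInterface:
// this is the usage the PR description calls a BC break.
final class StringableRole
{
    public function __toString() { return 'ROLE_ADMIN'; }
}
final class StrictRoleVoter
{
    // Return values: 1 = granted, 0 = abstain, -1 = denied
    private $prefix;
    public function __construct($prefix = 'ROLE_') { $this->prefix = $prefix; }
    /** @param RoleInterface[] $userRoles roles held by the current user */
    public function vote(array $userRoles, array $attributes)
    {
        $result = 0;
        foreach ($attributes as $attribute) {
            // Normalise RoleInterface objects to their string name.
            if ($attribute instanceof RoleInterface) {
                $attribute = $attribute->getRole();
            }
            // Anything that is still not a string (arrays, __toString-only
            // objects) is skipped instead of being handed to strpos().
            if (!is_string($attribute) || 0 !== strpos($attribute, $this->prefix)) {
                continue;
            }
            $result = -1;
            foreach ($userRoles as $role) {
                if ($attribute === $role->getRole()) {
                    return 1;
                }
            }
        }
        return $result;
    }
}
$voter = new StrictRoleVoter();
$held = [new Role('ROLE_ADMIN')]; // constructed sample user roles
foreach (['ROLE_ADMIN', new Role('ROLE_ADMIN'), new StringableRole(), ['ROLE_ADMIN'], 'ROLE_USER'] as $attr) {
    printf("%s => %d\n", is_object($attr) ? get_class($attr) : json_encode($attr), $voter->vote($held, [$attr]));
}
```

The StringableRole and array attributes make the voter abstain, which is the behaviour change the thread discusses; string and Role attributes are voted on as before.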

@fabpot
Member

fabpot commented Oct 6, 2016

merged in 2.7 via #19725

@fabpot fabpot closed this Oct 6, 2016
@Gladhon
Author

Gladhon commented Oct 6, 2016

@fabpot great, but it's still not solved in the master branch.

@nicolas-grekas
Member

nicolas-grekas commented Oct 6, 2016

@Gladhon that's the process: bugs are fixed in the lowest branch where they apply, then these branches are merged up to master regularly by mergers. This could happen a few hours up to a few days later.


7 participants