Skip to content

[Security] more defensive PasswordMigratingListener #39263

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Dec 1, 2020
Merged

[Security] more defensive PasswordMigratingListener #39263

merged 1 commit into from
Dec 1, 2020

Conversation

romaricdrigon
Copy link
Contributor

Q A
Branch? 5.2 (bug not here in 5.1.x)
Bug fix? yes
New feature? no
Deprecations? no
Tickets Fix #39262
License MIT
Doc PR /

This proposed fix makes PasswordMigratingListener code more robust. It should handle Passports which does not contain an UserBadge, as it is not enforced by UserPassportInterface. Developers should be free to implement different passports with different badges (as I did on my own project), and it shouldn't lead to a crash in frameworkland.

The issue became apparent in 5.2.0 exactly, as PasswordMigratingListener is now called in (almost) every login, as PasswordUpgradeBadge is automatically added.

@derrabus
Copy link
Member

derrabus commented Dec 1, 2020

Can you add this case to PasswordMigratingListenerTest? We should make sure this does not break again.

@romaricdrigon romaricdrigon mentioned this pull request Dec 1, 2020
Closed
@romaricdrigon
Copy link
Contributor Author

Sure, I just added a test case. I struggled a bit with PHPUnit stubbing (usually I'm using anonymous classes), please tell me if that looks good to you and consistent with the rest of the codebase.

@romaricdrigon romaricdrigon changed the base branch from 5.x to 5.2 December 1, 2020 11:11
@derrabus derrabus changed the title [Security] fix #39262, more defensive PasswordMigratingListener [Security] more defensive PasswordMigratingListener Dec 1, 2020
@derrabus
Copy link
Member

derrabus commented Dec 1, 2020

Thank you @romaricdrigon.

@derrabus derrabus merged commit 42f440e into symfony:5.2 Dec 1, 2020
@romaricdrigon romaricdrigon deleted the fix-39262 branch December 1, 2020 12:18
@fabpot fabpot mentioned this pull request Dec 18, 2020
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@wouterj wouterj wouterj approved these changes

@derrabus derrabus derrabus approved these changes

@chalasr chalasr Awaiting requested review from chalasr chalasr is a code owner

Assignees
No one assigned
Labels
Bug Security Status: Reviewed
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

[Security][5.2.0 only] Call to a member function getUserLoader() on null
4 participants
@romaricdrigon @derrabus @wouterj @carsonbot