Skip to content

[Security] Return null instead of empty username to fix deprecation notice #59586

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 2 commits into from
Closed

[Security] Return null instead of empty username to fix deprecation notice #59586

wants to merge 2 commits into from

Conversation

ghost
Copy link

@ghost ghost commented Jan 22, 2025
edited by chalasr
Loading

Q A
Branch? 6.4
Bug fix? yes
New feature? no
Deprecations? no
Issues Fix #59584
License MIT

RemoteUserAuthenticator may return an empty string when extracting a username from the configured $_SERVER parameter (e.g. REMOTE_USER).

An empty username triggers the User Deprecated: Since symfony/security-http 7.2: Using an empty string as user identifier is deprecated and will throw an exception in Symfony 8.0.

Return null instead of empty username to skip authenticator when username is empty and fix Symfony 8 deprecation notice.

@ghost ghost requested a review from chalasr as a code owner January 22, 2025 21:58
@carsonbot

This comment was marked as outdated.

Sign in to view
@ghost
Copy link
Author

ghost commented Jan 22, 2025

The release page shows 5.4 accepting security fixes. Since this is part of the Security component, I figured that's where the change should be made. Please let me know if you'd prefer I make this change in 6.4 and I'll submit a new PR.

@alexandre-daubois
Copy link
Member

alexandre-daubois commented Jan 24, 2025
edited
Loading

This should be a bug fix, not a security fix. Security fixes corresponds to modifications that address CVEs or vulnerability that endangers apps security, like these reports.

@ghost ghost changed the base branch from 5.4 to 6.4 January 24, 2025 16:47
@ghost
Copy link
Author

ghost commented Jan 24, 2025
edited by ghost
Loading

@alexandre-daubois Thanks for the clarification; I've changed the base branch to 6.4.

@nicolas-grekas
Copy link
Member

Can you please add a test case to cover this?

xabbuh
xabbuh reviewed Jan 28, 2025
View reviewed changes
src/Symfony/Component/Security/Http/Authenticator/RemoteUserAuthenticator.php
@@ -45,6 +45,6 @@ protected function extractUsername(Request $request): ?string
throw new BadCredentialsException(sprintf('User key was not found: "%s".', $this->userKey));
}

return $request->server->get($this->userKey);
return $request->server->get($this->userKey) ?: null;
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looking at how the method is used I wonder if we shouldn’t throw a BadCredentialsException here then.

@ghost ghost closed this Jan 28, 2025
@ghost ghost deleted the fix_59584 branch January 28, 2025 19:19
@ghost ghost mentioned this pull request Jan 28, 2025
Merged
@ghost
Copy link
Author

ghost commented Jan 28, 2025

Apologies; I ran into some trouble rebasing the commit for a test case so I created a new branch/PR to be safe: #59640

@ghost ghost mentioned this pull request Jan 30, 2025
Closed
This pull request was closed.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@chalasr chalasr Awaiting requested review from chalasr chalasr is a code owner

Assignees
No one assigned
Labels
Bug Security Status: Needs Review
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@carsonbot @alexandre-daubois @nicolas-grekas @xabbuh