
Commit 0e14ecf

[Security] Enforce maximum username length
1 parent f444462 commit 0e14ecf

File tree

1 file changed

+7
-0
lines changed

security/custom_authenticator.rst

+7
@@ -205,6 +205,11 @@ using :ref:`the user provider <security-user-providers>`::
205205
// ...
206206
$passport = new Passport(new UserBadge($email), $credentials);
207207

208+
.. note::
209+
210+
The maximum length allowed for the user identifier is 4096 characters to
211+
prevent `session storage flooding`_ attacks.
212+
208213
.. note::
209214

210215
You can optionally pass a user loader as second argument to the
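Review bot: the added note states the 4096-character limit on the user identifier but not what the reader should expect when a longer identifier is passed to ``UserBadge`` (for example, that authentication fails rather than the value being silently truncated); stating the outcome in the same note would let integrators handle that case deliberately. Since the limit is presented as a security measure, consider also pointing at the version in which it is enforced via the docs' usual ``.. versionadded::`` directive, and merging this note with the existing ``.. note::`` that immediately follows it so the two do not stack back to back after the ``$passport = new Passport(...)`` line.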
@@ -373,3 +378,5 @@ authenticator methods (e.g. ``createToken()``)::
373378
return new CustomOauthToken($passport->getUser(), $passport->getAttribute('scope'));
374379
}
375380
}
381+
382+
.. _`session storage flooding`: https://symfony.com/blog/cve-2016-4423-large-username-storage-in-session
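Review bot: the link target resolves the ``session storage flooding`` reference used in the first hunk, but the rendered text gives no hint that it points at the CVE-2016-4423 advisory; naming the CVE in the note's sentence (for example, "to prevent session storage flooding attacks (CVE-2016-4423)") keeps the reference meaningful in offline or printed output. Also, only one blank line is needed between the closing ``}`` of the literal block and the target; the extra blank line added at 381/382 can be dropped for consistency with the rest of the file.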