bug #34551 [Security] SwitchUser is broken when the User Provider always returns a valid user (tucksaun)

fabpot · fabpot · commit 32e1be81bf35 · 2019-11-24T18:37:20.000+01:00
This PR was merged into the 4.3 branch. Discussion ---------- [Security] SwitchUser is broken when the User Provider always returns a valid user | Q | A | ------------- | --- | Branch? | 4.3 | Bug fix? | yes | New feature? | no | Deprecations? | no | Tickets | n/a | License | MIT | Doc PR | n/a Since bcfc282, if a UserProvider always returns a valid User object (which can happen in some OAuth workflow), switching user is not possible anymore as we hit the `LogicException`. This patch should be safe as the timing-attack prevention is kept. Commits ------- 2bf6cd2 [Security] Fix SwitchUser is broken when the User Provider always returns a valid user
diff --git a/src/Symfony/Component/Security/Http/Firewall/SwitchUserListener.php b/src/Symfony/Component/Security/Http/Firewall/SwitchUserListener.php
@@ -153,7 +153,6 @@ private function attemptSwitchUser(Request $request, $username)
 
             try {
                 $this->provider->loadUserByUsername($nonExistentUsername);
-                throw new \LogicException('AuthenticationException expected');
             } catch (AuthenticationException $e) {
             }
         } catch (AuthenticationException $e) {

Original file line number	Diff line number	Diff line change
`@@ -153,7 +153,6 @@ private function attemptSwitchUser(Request $request, $username)`
`153`	`153`
`154`	`154`	`try {`
`155`	`155`	`$this->provider->loadUserByUsername($nonExistentUsername);`
`156`		`- throw new \LogicException('AuthenticationException expected');`
`157`	`156`	`} catch (AuthenticationException $e) {`
`158`	`157`	`}`
`159`	`158`	`} catch (AuthenticationException $e) {`