Skip to content

Commit ce61bb0

Browse files
chalasrchalasr
committed
bug #36974 [Security] Fixed handling of CSRF logout error (wouterj)
This PR was merged into the 3.4 branch. Discussion ---------- [Security] Fixed handling of CSRF logout error | Q | A | ------------- | --- | Branch? | 3.4 | Bug fix? | yes | New feature? | no | Deprecations? | no | Tickets | Fix #36814 | License | MIT | Doc PR | - 8 years ago, a typo was made while refactoring the `ExceptionListener`, loosing this logic (46071f3). I think we should fix it. The `LogoutException` is a very generic name for something only used when the CSRF token is invalid. Should we match the exception message to make sure only this CSRF error is transformed into 403? I didn't yet do it because any usage of `LogoutException` would have resulted in 500, which always is worse than 403. Commits ------- 50348f2 Fixed handling of CSRF logout error
2 parents 4f40da5 + 50348f2 commit ce61bb0

File tree

2 files changed

+17
-3
lines changed

2 files changed

+17
-3
lines changed

src/Symfony/Component/Security/Http/Firewall/ExceptionListener.php

Lines changed: 5 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -102,7 +102,7 @@ public function onKernelException(GetResponseForExceptionEvent $event)
102102
}
103103

104104
if ($exception instanceof LogoutException) {
105-
$this->handleLogoutException($exception);
105+
$this->handleLogoutException($event, $exception);
106106

107107
return;
108108
}
@@ -172,10 +172,12 @@ private function handleAccessDeniedException(GetResponseForExceptionEvent $event
172172
}
173173
}
174174

175-
private function handleLogoutException(LogoutException $exception)
175+
private function handleLogoutException(GetResponseForExceptionEvent $event, LogoutException $exception)
176176
{
177+
$event->setException(new AccessDeniedHttpException($exception->getMessage(), $exception));
178+
177179
if (null !== $this->logger) {
178-
$this->logger->info('A LogoutException was thrown.', ['exception' => $exception]);
180+
$this->logger->info('A LogoutException was thrown; wrapping with AccessDeniedHttpException', ['exception' => $exception]);
179181
}
180182
}
181183

src/Symfony/Component/Security/Http/Tests/Firewall/ExceptionListenerTest.php

Lines changed: 12 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -21,6 +21,7 @@
2121
use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;
2222
use Symfony\Component\Security\Core\Exception\AccessDeniedException;
2323
use Symfony\Component\Security\Core\Exception\AuthenticationException;
24+
use Symfony\Component\Security\Core\Exception\LogoutException;
2425
use Symfony\Component\Security\Http\Authorization\AccessDeniedHandlerInterface;
2526
use Symfony\Component\Security\Http\EntryPoint\AuthenticationEntryPointInterface;
2627
use Symfony\Component\Security\Http\Firewall\ExceptionListener;
@@ -160,6 +161,17 @@ public function testAccessDeniedExceptionNotFullFledged(\Exception $exception, \
160161
$this->assertSame(null === $eventException ? $exception : $eventException, $event->getException()->getPrevious());
161162
}
162163

164+
public function testLogoutException()
165+
{
166+
$event = $this->createEvent(new LogoutException('Invalid CSRF.'));
167+
168+
$listener = $this->createExceptionListener();
169+
$listener->onKernelException($event);
170+
171+
$this->assertEquals('Invalid CSRF.', $event->getException()->getMessage());
172+
$this->assertEquals(403, $event->getException()->getStatusCode());
173+
}
174+
163175
public function getAccessDeniedExceptionProvider()
164176
{
165177
return [

0 commit comments

Comments
 (0)
pFad - Phonifier reborn

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.


Alternative Proxies:

Alternative Proxy

pFad Proxy

pFad v3 Proxy

pFad v4 Proxy