[Security] FormLoginAuthenticator: fail for non-string password

dmaicher · nicolas-grekas · commit dc5660e7ca89 · 2023-08-23T12:00:20.000+02:00
diff --git a/src/Symfony/Component/Security/Http/Authenticator/FormLoginAuthenticator.php b/src/Symfony/Component/Security/Http/Authenticator/FormLoginAuthenticator.php
@@ -157,6 +157,10 @@ private function getCredentials(Request $request): array
 
         $request->getSession()->set(Security::LAST_USERNAME, $credentials['username']);
 
+        if (!\is_string($credentials['password']) && (!\is_object($credentials['password']) || !method_exists($credentials['password'], '__toString'))) {
+            throw new BadRequestHttpException(sprintf('The key "%s" must be a string, "%s" given.', $this->options['password_parameter'], \gettype($credentials['password'])));
+        }
+
         return $credentials;
     }
 
diff --git a/src/Symfony/Component/Security/Http/Tests/Authenticator/FormLoginAuthenticatorTest.php b/src/Symfony/Component/Security/Http/Tests/Authenticator/FormLoginAuthenticatorTest.php
@@ -23,6 +23,7 @@
 use Symfony\Component\Security\Http\Authenticator\FormLoginAuthenticator;
 use Symfony\Component\Security\Http\Authenticator\Passport\Badge\CsrfTokenBadge;
 use Symfony\Component\Security\Http\Authenticator\Passport\Badge\PasswordUpgradeBadge;
+use Symfony\Component\Security\Http\Authenticator\Passport\Credentials\PasswordCredentials;
 use Symfony\Component\Security\Http\HttpUtils;
 use Symfony\Component\Security\Http\Tests\Authenticator\Fixtures\PasswordUpgraderProvider;
 
@@ -126,6 +127,44 @@ public function testHandleNonStringUsernameWithToString($postOnly)
         $this->authenticator->authenticate($request);
     }
 
+    /**
+     * @dataProvider postOnlyDataProvider
+     */
+    public function testHandleNonStringPasswordWithArray(bool $postOnly)
+    {
+        $this->expectException(BadRequestHttpException::class);
+        $this->expectExceptionMessage('The key "_password" must be a string, "array" given.');
+
+        $request = Request::create('/login_check', 'POST', ['_username' => 'foo', '_password' => []]);
+        $request->setSession($this->createSession());
+
+        $this->setUpAuthenticator(['post_only' => $postOnly]);
+        $this->authenticator->authenticate($request);
+    }
+
+    /**
+     * @dataProvider postOnlyDataProvider
+     */
+    public function testHandleNonStringPasswordWithToString(bool $postOnly)
+    {
+        $passwordObject = new class() {
+            public function __toString()
+            {
+                return 's$cr$t';
+            }
+        };
+
+        $request = Request::create('/login_check', 'POST', ['_username' => 'foo', '_password' => $passwordObject]);
+        $request->setSession($this->createSession());
+
+        $this->setUpAuthenticator(['post_only' => $postOnly]);
+        $passport = $this->authenticator->authenticate($request);
+
+        /** @var PasswordCredentials $credentialsBadge */
+        $credentialsBadge = $passport->getBadge(PasswordCredentials::class);
+        $this->assertSame('s$cr$t', $credentialsBadge->getPassword());
+    }
+
     public static function postOnlyDataProvider()
     {
         yield [true];

Original file line number	Diff line number	Diff line change
`@@ -157,6 +157,10 @@ private function getCredentials(Request $request): array`
`157`	`157`
`158`	`158`	`$request->getSession()->set(Security::LAST_USERNAME, $credentials['username']);`
`159`	`159`
	`160`	`+ if (!\is_string($credentials['password']) && (!\is_object($credentials['password']) \|\| !method_exists($credentials['password'], '__toString'))) {`
	`161`	`+ throw new BadRequestHttpException(sprintf('The key "%s" must be a string, "%s" given.', $this->options['password_parameter'], \gettype($credentials['password'])));`
	`162`	`+ }`
	`163`	`+`
`160`	`164`	`return $credentials;`
`161`	`165`	`}`
`162`	`166`