Skip to content

Commit e850700

Browse files
chalasrnicolas-grekas
chalasr
authored and
nicolas-grekas
committed
[Security\Core] Fix user enumeration via response body on invalid credentials
1 parent d0d17db commit e850700

File tree

2 files changed

+21
-2
lines changed

2 files changed

+21
-2
lines changed

src/Symfony/Component/Security/Core/Authentication/Provider/UserAuthenticationProvider.php

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -84,8 +84,8 @@ public function authenticate(TokenInterface $token)
8484
$this->userChecker->checkPreAuth($user);
8585
$this->checkAuthentication($user, $token);
8686
$this->userChecker->checkPostAuth($user);
87-
} catch (AccountStatusException $e) {
88-
if ($this->hideUserNotFoundExceptions) {
87+
} catch (AuthenticationException $e) {
88+
if ($this->hideUserNotFoundExceptions && ($e instanceof AccountStatusException || $e instanceof BadCredentialsException)) {
8989
throw new BadCredentialsException('Bad credentials.', 0, $e);
9090
}
9191

src/Symfony/Component/Security/Core/Tests/Authentication/Provider/UserAuthenticationProviderTest.php

Lines changed: 19 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -18,6 +18,7 @@
1818
use Symfony\Component\Security\Core\Exception\UsernameNotFoundException;
1919
use Symfony\Component\Security\Core\Role\Role;
2020
use Symfony\Component\Security\Core\Role\SwitchUserRole;
21+
use Symfony\Component\Security\Core\User\UserInterface;
2122

2223
class UserAuthenticationProviderTest extends TestCase
2324
{
@@ -62,6 +63,24 @@ public function testAuthenticateWhenUsernameIsNotFoundAndHideIsTrue()
6263
$provider->authenticate($this->getSupportedToken());
6364
}
6465

66+
public function testAuthenticateWhenCredentialsAreInvalidAndHideIsTrue()
67+
{
68+
$provider = $this->getProvider();
69+
$provider->expects($this->once())
70+
->method('retrieveUser')
71+
->willReturn($this->createMock(UserInterface::class))
72+
;
73+
$provider->expects($this->once())
74+
->method('checkAuthentication')
75+
->willThrowException(new BadCredentialsException())
76+
;
77+
78+
$this->expectException(BadCredentialsException::class);
79+
$this->expectExceptionMessage('Bad credentials.');
80+
81+
$provider->authenticate($this->getSupportedToken());
82+
}
83+
6584
/**
6685
* @group legacy
6786
*/

0 commit comments

Comments
 (0)
pFad - Phonifier reborn

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.


Alternative Proxies:

Alternative Proxy

pFad Proxy

pFad v3 Proxy

pFad v4 Proxy