bug #36223 [Security][Http][SwitchUserListener] Ignore all non existent username protection errors (fancyweb)

This PR was merged into the 4.4 branch.

Discussion
----------

[Security][Http][SwitchUserListener] Ignore all non existent username protection errors

| Q             | A
| ------------- | ---
| Branch?       | 4.4
| Bug fix?      | yes
| New feature?  | no
| Deprecations? | no
| Tickets       | #36174
| License       | MIT
| Doc PR        | -

Since we generate the non existent username blindly, it can lead to Doctrine exceptions or any other exception.

We can catch all exceptions here but I guess it reduces the protection since the SQL query was not executed?

Alternative: we can only catch Doctrine DriverException (in addition to the existing AuthenticationException) and only silence the reported error codes?
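A reduced model of the protection the description refers to, added here as an example and not Symfony's own code: the decoy lookup of a blindly generated username exists only to make a successful and a failed switch take comparable time, and a hypothetical provider whose driver rejects that generated name shows why catching only the authentication exception (the pre-patch behaviour) lets a different error escape. `ArrayUserProvider`, `attemptSwitch` and the two exception classes are assumptions standing in for the real Symfony and Doctrine types.

```php
<?php
// Added example, not Symfony's own code: a reduced model of the timing protection in
// SwitchUserListener::attemptSwitchUser(), showing why the decoy lookup must swallow
// every exception. Class and function names are hypothetical.
class UsernameNotFoundException extends \Exception {} // stands in for AuthenticationException
class DriverException extends \RuntimeException {}    // stands in for a Doctrine DBAL driver error
// Hypothetical provider: like a DB-backed one it can fail for reasons unrelated to the
// username, here whenever the blindly generated decoy name reaches the "driver".
final class ArrayUserProvider
{
    public $users = ['alice' => ['name' => 'alice'], 'bob' => ['name' => 'bob']]; // constructed data
    public $driverRejectsDecoy = true;
    public function loadUserByUsername(string $username): array
    {
        usleep(200); // constructed delay standing in for the SQL round trip
        if ($this->driverRejectsDecoy && 0 === strpos($username, '_')) throw new DriverException('invalid identifier');
        if (!isset($this->users[$username])) throw new UsernameNotFoundException($username);
        return $this->users[$username];
    }
}

// Mirrors the patched control flow: both outcomes perform two lookups so a successful
// and a failed switch take comparable time. With $catchAll = false the inner catch
// behaves like the pre-patch code and swallows only the authentication exception.
function attemptSwitch(ArrayUserProvider $provider, string $target, string $current, bool $catchAll): array
{
    $decoy = '_'.bin2hex(random_bytes(8)); // generated blindly, as in the listener
    try {
        $user = $provider->loadUserByUsername($target);
        try {
            $provider->loadUserByUsername($decoy);
        } catch (\Exception $e) {
            // pre-patch: a non-authentication error escapes and reveals that the first lookup succeeded
            if (!$catchAll && !$e instanceof UsernameNotFoundException) throw $e;
        }
        return $user;
    } catch (UsernameNotFoundException $e) {
        $provider->loadUserByUsername($current); // second lookup keeps the timing symmetric
        throw $e;
    }
}
foreach ([false => 'pre-patch', true => 'patched'] as $catchAll => $label) {
    try {
        attemptSwitch(new ArrayUserProvider(), 'bob', 'alice', (bool) $catchAll);
        echo "$label: switch to bob succeeds\n";
    } catch (DriverException $e) {
        echo "$label: driver error leaked: {$e->getMessage()}\n";
    }
}
```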

Commits
-------

42311d5 [Security][Http][SwitchUserListener] Ignore all non existent username protection errors
nicolas-grekas committed Apr 1, 2020
2 parents be0515f + 42311d5 commit 15edfd3
Showing 1 changed file with 1 addition and 1 deletion.
@@ -168,7 +168,7 @@ private function attemptSwitchUser(Request $request, string $username): ?TokenIn

try {
$this->provider->loadUserByUsername($nonExistentUsername);
} catch (AuthenticationException $e) {
} catch (\Exception $e) {
}
} catch (AuthenticationException $e) {
$this->provider->loadUserByUsername($currentUsername);
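Review bot: the widened `} catch (\Exception $e) {` around `$this->provider->loadUserByUsername($nonExistentUsername);` leaves an empty catch with nothing recording why, and it also silently accepts the case the PR description flags, where the decoy query never executed and the timing protection is therefore weaker; add a one-line comment on the catch stating that this lookup only equalizes timing and that any failure of it is intentionally ignored. If the intent really is to ignore every failure, `\Throwable` would also cover PHP errors that are not `\Exception` subclasses; if only the Doctrine case is meant, the description's narrower alternative of catching the driver exception could be named in that comment instead.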

0 comments on commit 15edfd3
