[Security] Ensure DocumentUserProvider::refreshUser() uses id #56

jmikola · 2011-11-16T23:09:23Z

This is a port of @fabpot's security fix for the Doctrine Bridge: http://symfony.com/blog/security-release-symfony-2-0-6

Fixes a security vulnerability in the DocumentUserProvider where a user might be refreshed by username, which could have been altered during form binding and failed validation. Apart from this fix, it's wise to clone the managed user object before using it in a form if it is also being tracked in security context. Furthermore, you should be careful not to allow document identifiers to be modified by untrusted forms. See: * http://symfony.com/blog/security-release-symfony-2-0-6 * symfony/symfony@9d2ab9c

[Security] Ensure DocumentUserProvider::refreshUser() uses id

jmikola added 2 commits November 16, 2011 17:43

Add DocumentManager type-hinting to DocumentUserProvider constructor

a777b11

stof added a commit that referenced this pull request Nov 16, 2011

Merge pull request #56 from jmikola/user-reloading

bca3e54

[Security] Ensure DocumentUserProvider::refreshUser() uses id

stof merged commit bca3e54 into doctrine:2.0 Nov 16, 2011

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[Security] Ensure DocumentUserProvider::refreshUser() uses id #56

[Security] Ensure DocumentUserProvider::refreshUser() uses id #56

jmikola commented Nov 16, 2011

[Security] Ensure DocumentUserProvider::refreshUser() uses id #56

[Security] Ensure DocumentUserProvider::refreshUser() uses id #56

Conversation

jmikola commented Nov 16, 2011