New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Security] Remember me does not check the checkPreAuth #10242

Closed
cmodijk opened this Issue Feb 11, 2014 · 0 comments

Comments

Projects
None yet
3 participants
@cmodijk
Copy link

cmodijk commented Feb 11, 2014

I was debugging a situation where a user is still logged in our system after we blocked the user. I found that the RememberMeAuthenticationProvider does not check the checkPreAuth. The user could still browse the system after we blocked them.

I found this pull request #9902

@jakzal jakzal added the Security label Feb 11, 2014

glutamatt added a commit to glutamatt/symfony that referenced this issue Jun 4, 2014

glutamatt added a commit to glutamatt/symfony that referenced this issue Jun 5, 2014

glutamatt added a commit to glutamatt/symfony that referenced this issue Jun 5, 2014

glutamatt added a commit to glutamatt/symfony that referenced this issue Jun 9, 2014

glutamatt added a commit to glutamatt/symfony that referenced this issue Jun 30, 2014

glutamatt added a commit to glutamatt/symfony that referenced this issue Sep 23, 2014

glutamatt added a commit to glutamatt/symfony that referenced this issue Sep 23, 2014

fabpot added a commit that referenced this issue Sep 24, 2014

bug #11058 [Security] bug #10242 Missing checkPreAuth from RememberMe…
…AuthenticationProvider (glutamatt)

This PR was submitted for the 2.4 branch but it was merged into the 2.3 branch instead (closes #11058).

Discussion
----------

[Security] bug #10242 Missing checkPreAuth from RememberMeAuthenticationProvider

| Q             | A
| ------------- | ---
| Bug fix?      | yes
| New feature?  | no
| BC breaks?    | no
| Deprecations? | no
| Tests pass?   | yes
| Fixed tickets | #10242
| License       | MIT

[Security] fixed missing call to UserChecker::checkPreAuth

edit : after the discution with @hellomedia , i replaced postcheck with precheck
glutamatt@e0730e0#commitcomment-6580764

Commits
-------

a38d1cd bug #10242 Missing checkPreAuth from RememberMeAuthenticationProvider

@fabpot fabpot closed this Sep 24, 2014

fabpot added a commit that referenced this issue Sep 25, 2014

Merge branch '2.3' into 2.4
* 2.3:
  remove obsolete test file
  [FrameworkBundle] output failed matched path for clarification
  bug #10242 Missing checkPreAuth from RememberMeAuthenticationProvider
  [Validator] Fixed StaticMethodLoaderTest to actually test something
  [Form] Fixed ValidatorTypeGuesser to guess properties without constraints not to be required
  Use request format from request in twig ExceptionController
  [Form] Moved POST_MAX_SIZE validation from FormValidator to request handler
  [Form] Add a form error if post_max_size has been reached.
  Response::isNotModified returns true when If-Modified-Since is later than Last-Modified
  [WebProfilerBundle] turbolinks compatibility

Conflicts:
	src/Symfony/Component/Form/CHANGELOG.md
	src/Symfony/Component/HttpFoundation/Tests/ResponseTest.php
	src/Symfony/Component/Security/Core/Tests/Authentication/Provider/RememberMeAuthenticationProviderTest.php

webmozart added a commit that referenced this issue Sep 25, 2014

Merge branch '2.4' into 2.5
* 2.4:
  [Form] Removed constructor argument from FormTypeHttpFoundationExtension for forward compatibility with 2.5
  [Validator] Simplified testing of violations
  remove obsolete test file
  [FrameworkBundle] output failed matched path for clarification
  bug #10242 Missing checkPreAuth from RememberMeAuthenticationProvider
  [Validator] Fixed StaticMethodLoaderTest to actually test something
  [Form] Fixed ValidatorTypeGuesser to guess properties without constraints not to be required
  Use request format from request in twig ExceptionController
  fixed bug
  added the possibility to return null from SimplePreAuthenticationListener
  [Form] Moved POST_MAX_SIZE validation from FormValidator to request handler
  [Form] Add a form error if post_max_size has been reached.
  Response::isNotModified returns true when If-Modified-Since is later than Last-Modified
  [WebProfilerBundle] turbolinks compatibility

Conflicts:
	src/Symfony/Component/Form/Extension/Core/Type/FormType.php
	src/Symfony/Component/Form/Extension/Validator/Constraints/FormValidator.php
	src/Symfony/Component/Form/Extension/Validator/Util/ServerParams.php
	src/Symfony/Component/Security/Core/Tests/Authentication/Provider/RememberMeAuthenticationProviderTest.php
	src/Symfony/Component/Validator/Tests/Constraints/AbstractConstraintValidatorTest.php

webmozart added a commit that referenced this issue Sep 25, 2014

Merge branch '2.5'
* 2.5:
  [Command] Set the process title as late as possible
  [Form] Removed constructor argument from FormTypeHttpFoundationExtension for forward compatibility with 2.5
  [Validator] Simplified testing of violations
  remove obsolete test file
  [FrameworkBundle] output failed matched path for clarification
  bug #10242 Missing checkPreAuth from RememberMeAuthenticationProvider
  [Validator] Fixed StaticMethodLoaderTest to actually test something
  [Form] Fixed ValidatorTypeGuesser to guess properties without constraints not to be required
  Use request format from request in twig ExceptionController
  fixed bug
  added the possibility to return null from SimplePreAuthenticationListener
  [Form] Moved POST_MAX_SIZE validation from FormValidator to request handler
  [Form] Add a form error if post_max_size has been reached.
  Response::isNotModified returns true when If-Modified-Since is later than Last-Modified
  [WebProfilerBundle] turbolinks compatibility

Conflicts:
	src/Symfony/Component/Form/Tests/Extension/Validator/Constraints/FormValidatorTest.php

ostrolucky pushed a commit to ostrolucky/symfony that referenced this issue Mar 25, 2018

Merge branch '2.3' into 2.4
* 2.3:
  remove obsolete test file
  [FrameworkBundle] output failed matched path for clarification
  bug symfony#10242 Missing checkPreAuth from RememberMeAuthenticationProvider
  [Validator] Fixed StaticMethodLoaderTest to actually test something
  [Form] Fixed ValidatorTypeGuesser to guess properties without constraints not to be required
  Use request format from request in twig ExceptionController
  [Form] Moved POST_MAX_SIZE validation from FormValidator to request handler
  [Form] Add a form error if post_max_size has been reached.
  Response::isNotModified returns true when If-Modified-Since is later than Last-Modified
  [WebProfilerBundle] turbolinks compatibility

Conflicts:
	src/Symfony/Component/Form/CHANGELOG.md
	src/Symfony/Component/HttpFoundation/Tests/ResponseTest.php
	src/Symfony/Component/Security/Core/Tests/Authentication/Provider/RememberMeAuthenticationProviderTest.php

ostrolucky pushed a commit to ostrolucky/symfony that referenced this issue Mar 25, 2018

Merge branch '2.4' into 2.5
* 2.4:
  [Form] Removed constructor argument from FormTypeHttpFoundationExtension for forward compatibility with 2.5
  [Validator] Simplified testing of violations
  remove obsolete test file
  [FrameworkBundle] output failed matched path for clarification
  bug symfony#10242 Missing checkPreAuth from RememberMeAuthenticationProvider
  [Validator] Fixed StaticMethodLoaderTest to actually test something
  [Form] Fixed ValidatorTypeGuesser to guess properties without constraints not to be required
  Use request format from request in twig ExceptionController
  fixed bug
  added the possibility to return null from SimplePreAuthenticationListener
  [Form] Moved POST_MAX_SIZE validation from FormValidator to request handler
  [Form] Add a form error if post_max_size has been reached.
  Response::isNotModified returns true when If-Modified-Since is later than Last-Modified
  [WebProfilerBundle] turbolinks compatibility

Conflicts:
	src/Symfony/Component/Form/Extension/Core/Type/FormType.php
	src/Symfony/Component/Form/Extension/Validator/Constraints/FormValidator.php
	src/Symfony/Component/Form/Extension/Validator/Util/ServerParams.php
	src/Symfony/Component/Security/Core/Tests/Authentication/Provider/RememberMeAuthenticationProviderTest.php
	src/Symfony/Component/Validator/Tests/Constraints/AbstractConstraintValidatorTest.php

ostrolucky pushed a commit to ostrolucky/symfony that referenced this issue Mar 25, 2018

Merge branch '2.5'
* 2.5:
  [Command] Set the process title as late as possible
  [Form] Removed constructor argument from FormTypeHttpFoundationExtension for forward compatibility with 2.5
  [Validator] Simplified testing of violations
  remove obsolete test file
  [FrameworkBundle] output failed matched path for clarification
  bug symfony#10242 Missing checkPreAuth from RememberMeAuthenticationProvider
  [Validator] Fixed StaticMethodLoaderTest to actually test something
  [Form] Fixed ValidatorTypeGuesser to guess properties without constraints not to be required
  Use request format from request in twig ExceptionController
  fixed bug
  added the possibility to return null from SimplePreAuthenticationListener
  [Form] Moved POST_MAX_SIZE validation from FormValidator to request handler
  [Form] Add a form error if post_max_size has been reached.
  Response::isNotModified returns true when If-Modified-Since is later than Last-Modified
  [WebProfilerBundle] turbolinks compatibility

Conflicts:
	src/Symfony/Component/Form/Tests/Extension/Validator/Constraints/FormValidatorTest.php
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment