Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Security] Handle bad request format in json auth listener #22569

Merged
merged 1 commit into from Apr 29, 2017
Merged

[Security] Handle bad request format in json auth listener #22569

merged 1 commit into from Apr 29, 2017

Conversation

ogizanagi
Copy link
Member

@ogizanagi ogizanagi commented Apr 28, 2017
edited

Q A
Branch? master (3.3)
Bug fix? yesish
New feature? yes
BC breaks? no
Deprecations? no
Tests pass? yes
Fixed tickets N/A
License MIT
Doc PR N/A

In #22034, I wondered myself if we shouldn't throw a dedicated exception to handle bad formatted requests and give more inputs to the client by returning a 400 response with an explicit message.

Here is a suggestion, introducing a new BadRequestFormatException and using it in UsernamePasswordJsonAuthenticationListener whenever there is no custom failure handler set (but someone using its own handler should be able to treat the failure properly too).

As discussed with @chalasr , it seems better to directly throw a BadRequestHttpException as it's actually out of the whole security process. PR updated.

chalasr
chalasr approved these changes Apr 28, 2017
View reviewed changes
Copy link
Member

@chalasr chalasr left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍 These exceptions are not about a failed authentication but a wrongly formatted request (and don't provide any sensitive info) thus should not trigger the authentication failure handler nor any authentication exception to be thrown.

@dunglas
Copy link
Member

dunglas commented Apr 28, 2017

Fair enough 👍

@nicolas-grekas nicolas-grekas added this to the 3.3 milestone Apr 28, 2017
nicolas-grekas
nicolas-grekas approved these changes Apr 28, 2017
View reviewed changes
Copy link
Member

@nicolas-grekas nicolas-grekas left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍

@fabpot
Copy link
Member

fabpot commented Apr 29, 2017

Thank you @ogizanagi.

@fabpot fabpot merged commit 93a8cb9 into symfony:master Apr 29, 2017
fabpot added a commit that referenced this pull request Apr 29, 2017
@fabpot
bug #22569 [Security] Handle bad request format in json auth listener…
460fcbf 
… (ogizanagi)

This PR was merged into the 3.3-dev branch.

Discussion
----------

[Security] Handle bad request format in json auth listener

| Q             | A
| ------------- | ---
| Branch?       | master (3.3)
| Bug fix?      | yesish
| New feature?  | yes
| BC breaks?    | no
| Deprecations? | no
| Tests pass?   | yes
| Fixed tickets | N/A
| License       | MIT
| Doc PR        | N/A

In #22034, I wondered myself if we shouldn't throw a dedicated exception to handle bad formatted requests and give more inputs to the client by returning a 400 response with an explicit message.

~~Here is a suggestion, introducing a new `BadRequestFormatException` and using it in `UsernamePasswordJsonAuthenticationListener` whenever there is no custom failure handler set (but someone using its own handler should be able to treat the failure properly too).~~

As discussed with @chalasr , it seems better to directly throw a `BadRequestHttpException` as it's actually out of the whole security process. PR updated.

Commits
-------

93a8cb9 [Security] Handle bad request format in json auth listener
@ogizanagi ogizanagi deleted the feature/3.3/security/json_login_bad_format_ex branch April 29, 2017 16:01
@nicolas-grekas
Copy link
Member

@ogizanagi master is red after this PR has been merged, would you mind looking at it please (or anyone else really?)

@chalasr chalasr mentioned this pull request Apr 29, 2017
Merged
@ogizanagi
Copy link
Member Author

ogizanagi commented Apr 29, 2017
edited

Sure. I'm on it. Too late, @chalasr did.

@chalasr
Copy link
Member

chalasr commented Apr 29, 2017

See #22582

nicolas-grekas added a commit that referenced this pull request Apr 29, 2017
@nicolas-grekas
minor #22582 Fix tests (chalasr)
b9e19f6 
This PR was merged into the 3.3-dev branch.

Discussion
----------

Fix tests

| Q             | A
| ------------- | ---
| Branch?       | master
| Bug fix?      | no
| New feature?  | no
| BC breaks?    | no
| Deprecations? |  no
| Tests pass?   | yes
| Fixed tickets | #22569 (comment)
| License       | MIT
| Doc PR        | n/a

Commits
-------

b6948dd Fix tests
@chalasr chalasr mentioned this pull request Jan 2, 2018
Merged
fabpot added a commit that referenced this pull request Jan 16, 2018
@fabpot
bug #25657 [Security] Fix fatal error on non string username (chalasr)
6c16252 
This PR was merged into the 2.7 branch.

Discussion
----------

[Security] Fix fatal error on non string username

| Q             | A
| ------------- | ---
| Branch?       | 2.7
| Bug fix?      | yes
| New feature?  | no
| BC breaks?    | no
| Deprecations? | no
| Tests pass?   | yes
| Fixed tickets | #25612
| License       | MIT
| Doc PR        | n/a

That's consistent with what #22569 did for the `json_login` listener.

Commits
-------

8f09568 [Security] Fix fatal error on non string username
@chalasr chalasr mentioned this pull request Jun 1, 2022
Merged
8 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@nicolas-grekas nicolas-grekas nicolas-grekas approved these changes

@chalasr chalasr chalasr approved these changes

Assignees
No one assigned
Labels
Bug Feature Security Status: Needs Review
Projects
None yet
Milestone
3.3
Development

Successfully merging this pull request may close these issues.

None yet
6 participants
@ogizanagi @dunglas @fabpot @nicolas-grekas @chalasr @carsonbot