
Commit e34cd7d

Merge branch '5.2' into 5.x
* 5.2: [Security\Core] Fix user enumeration via response body on invalid credentials Update VERSION for 3.4.48 Update CHANGELOG for 3.4.48
2 parents d319beb + 309f36d commit e34cd7d

2 files changed

+21
-2
lines changed


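--- a/src/Symfony/Component/Security/Core/Authentication/Provider/UserAuthenticationProvider.php
+++ b/src/Symfony/Component/Security/Core/Authentication/Provider/UserAuthenticationProvider.php
@@ -18,6 +18,7 @@
 use Symfony\Component\Security\Core\Exception\AuthenticationException;
 use Symfony\Component\Security\Core\Exception\AuthenticationServiceException;
 use Symfony\Component\Security\Core\Exception\BadCredentialsException;
+use Symfony\Component\Security\Core\Exception\CustomUserMessageAccountStatusException;
 use Symfony\Component\Security\Core\Exception\UserNotFoundException;
 use Symfony\Component\Security\Core\User\UserCheckerInterface;
 use Symfony\Component\Security\Core\User\UserInterface;
@@ -84,8 +85,8 @@ public function authenticate(TokenInterface $token)
 $this->userChecker->checkPreAuth($user);
 $this->checkAuthentication($user, $token);
 $this->userChecker->checkPostAuth($user);
-} catch (AccountStatusException $e) {
-if ($this->hideUserNotFoundExceptions) {
+} catch (AccountStatusException | BadCredentialsException $e) {
+if ($this->hideUserNotFoundExceptions && !$e instanceof CustomUserMessageAccountStatusException) {
 throw new BadCredentialsException('Bad credentials.', 0, $e);
 }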

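--- a/src/Symfony/Component/Security/Core/Tests/Authentication/Provider/UserAuthenticationProviderTest.php
+++ b/src/Symfony/Component/Security/Core/Tests/Authentication/Provider/UserAuthenticationProviderTest.php
@@ -69,6 +69,24 @@ public function testAuthenticateWhenUsernameIsNotFoundAndHideIsTrue()
 $provider->authenticate($this->getSupportedToken());
 }
 
+public function testAuthenticateWhenCredentialsAreInvalidAndHideIsTrue()
+{
+$provider = $this->getProvider();
+$provider->expects($this->once())
+->method('retrieveUser')
+->willReturn($this->createMock(UserInterface::class))
+;
+$provider->expects($this->once())
+->method('checkAuthentication')
+->willThrowException(new BadCredentialsException())
+;
+
+$this->expectException(BadCredentialsException::class);
+$this->expectExceptionMessage('Bad credentials.');
+
+$provider->authenticate($this->getSupportedToken());
+}
+
 public function testAuthenticateWhenProviderDoesNotReturnAnUserInterface()
 {
 $this->expectException(AuthenticationServiceException::class);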
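Review bot: The new test pins only the hidden path; the exemption the provider change adds for `CustomUserMessageAccountStatusException` has no test, so a later refactor could silently start wrapping those user-authored messages too. A companion test throwing that exception from `checkAuthentication` and expecting it to surface unwrapped with its own message would cover the other half; the message below is a constructed sample, and the test relies on `getProvider()` defaulting `hideUserNotFoundExceptions` to true, which the sibling test's name suggests but the hunk does not show. The rethrow path taken when the exception is not wrapped lies outside the provider hunk, so the expected pass-through is inferred from the `if` guard rather than seen.
```php
public function testAuthenticateWhenCustomUserMessageAccountStatusExceptionIsNotHidden()
{
    $provider = $this->getProvider();
    $provider->expects($this->once())
        ->method('retrieveUser')
        ->willReturn($this->createMock(UserInterface::class))
    ;
    $provider->expects($this->once())
        ->method('checkAuthentication')
        ->willThrowException(new CustomUserMessageAccountStatusException('Sample user-facing account message.'))
    ;

    $this->expectException(CustomUserMessageAccountStatusException::class);
    $this->expectExceptionMessage('Sample user-facing account message.');

    $provider->authenticate($this->getSupportedToken());
}
```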
