Merge branch '5.4' into 6.3

nicolas-grekas · nicolas-grekas · commit 169602686229 · 2023-08-23T12:06:55.000+02:00
* 5.4:
  [Security] FormLoginAuthenticator: fail for non-string password
diff --git a/Authenticator/FormLoginAuthenticator.php b/Authenticator/FormLoginAuthenticator.php
@@ -131,6 +131,10 @@ private function getCredentials(Request $request): array
 
         $request->getSession()->set(SecurityRequestAttributes::LAST_USERNAME, $credentials['username']);
 
+        if (!\is_string($credentials['password']) && (!\is_object($credentials['password']) || !method_exists($credentials['password'], '__toString'))) {
+            throw new BadRequestHttpException(sprintf('The key "%s" must be a string, "%s" given.', $this->options['password_parameter'], \gettype($credentials['password'])));
+        }
+
         return $credentials;
     }
 
diff --git a/Tests/Authenticator/FormLoginAuthenticatorTest.php b/Tests/Authenticator/FormLoginAuthenticatorTest.php
@@ -23,6 +23,7 @@
 use Symfony\Component\Security\Http\Authenticator\Passport\Badge\CsrfTokenBadge;
 use Symfony\Component\Security\Http\Authenticator\Passport\Badge\PasswordUpgradeBadge;
 use Symfony\Component\Security\Http\Authenticator\Passport\Badge\UserBadge;
+use Symfony\Component\Security\Http\Authenticator\Passport\Credentials\PasswordCredentials;
 use Symfony\Component\Security\Http\HttpUtils;
 use Symfony\Component\Security\Http\Tests\Authenticator\Fixtures\PasswordUpgraderProvider;
 
@@ -126,6 +127,44 @@ public function testHandleNonStringUsernameWithToString($postOnly)
         $this->authenticator->authenticate($request);
     }
 
+    /**
+     * @dataProvider postOnlyDataProvider
+     */
+    public function testHandleNonStringPasswordWithArray(bool $postOnly)
+    {
+        $this->expectException(BadRequestHttpException::class);
+        $this->expectExceptionMessage('The key "_password" must be a string, "array" given.');
+
+        $request = Request::create('/login_check', 'POST', ['_username' => 'foo', '_password' => []]);
+        $request->setSession($this->createSession());
+
+        $this->setUpAuthenticator(['post_only' => $postOnly]);
+        $this->authenticator->authenticate($request);
+    }
+
+    /**
+     * @dataProvider postOnlyDataProvider
+     */
+    public function testHandleNonStringPasswordWithToString(bool $postOnly)
+    {
+        $passwordObject = new class() {
+            public function __toString()
+            {
+                return 's$cr$t';
+            }
+        };
+
+        $request = Request::create('/login_check', 'POST', ['_username' => 'foo', '_password' => $passwordObject]);
+        $request->setSession($this->createSession());
+
+        $this->setUpAuthenticator(['post_only' => $postOnly]);
+        $passport = $this->authenticator->authenticate($request);
+
+        /** @var PasswordCredentials $credentialsBadge */
+        $credentialsBadge = $passport->getBadge(PasswordCredentials::class);
+        $this->assertSame('s$cr$t', $credentialsBadge->getPassword());
+    }
+
     public static function postOnlyDataProvider()
     {
         yield [true];

Original file line number	Diff line number	Diff line change
`@@ -131,6 +131,10 @@ private function getCredentials(Request $request): array`
`131`	`131`
`132`	`132`	`$request->getSession()->set(SecurityRequestAttributes::LAST_USERNAME, $credentials['username']);`
`133`	`133`
	`134`	`+ if (!\is_string($credentials['password']) && (!\is_object($credentials['password']) \|\| !method_exists($credentials['password'], '__toString'))) {`
	`135`	`+ throw new BadRequestHttpException(sprintf('The key "%s" must be a string, "%s" given.', $this->options['password_parameter'], \gettype($credentials['password'])));`
	`136`	`+ }`
	`137`	`+`
`134`	`138`	`return $credentials;`
`135`	`139`	`}`
`136`	`140`