
Commit 40d930e

author
Romaric Drigon
committed
[Security] fix #39262, more defensive PasswordMigratingListener
1 parent 76df688 commit 40d930e


2 files changed

+20
-0
lines changed


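--- a/EventListener/PasswordMigratingListener.php
+++ b/EventListener/PasswordMigratingListener.php
@@ -56,7 +56,12 @@ public function onLoginSuccess(LoginSuccessEvent $event): void
 }
 
 $passwordUpgrader = $badge->getPasswordUpgrader();
+
 if (null === $passwordUpgrader) {
+if (!$passport->hasBadge(UserBadge::class)) {
+return;
+}
+
 /** @var UserBadge $userBadge */
 $userBadge = $passport->getBadge(UserBadge::class);
 $userLoader = $userBadge->getUserLoader();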
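--- a/Tests/EventListener/PasswordMigratingListenerTest.php
+++ b/Tests/EventListener/PasswordMigratingListenerTest.php
@@ -24,6 +24,7 @@
 use Symfony\Component\Security\Http\Authenticator\Passport\Badge\UserBadge;
 use Symfony\Component\Security\Http\Authenticator\Passport\PassportInterface;
 use Symfony\Component\Security\Http\Authenticator\Passport\SelfValidatingPassport;
+use Symfony\Component\Security\Http\Authenticator\Passport\UserPassportInterface;
 use Symfony\Component\Security\Http\Event\LoginSuccessEvent;
 use Symfony\Component\Security\Http\EventListener\PasswordMigratingListener;
 
@@ -67,6 +68,20 @@ public function provideUnsupportedEvents()
 yield [$this->createEvent($this->createMock(PassportInterface::class))];
 }
 
+public function testUnsupportedPassport()
+{
+// A custom Passport, without an UserBadge
+$passport = $this->createMock(UserPassportInterface::class);
+$passport->method('getUser')->willReturn($this->user);
+$passport->method('hasBadge')->withConsecutive([PasswordUpgradeBadge::class], [UserBadge::class])->willReturnOnConsecutiveCalls(true, false);
+$passport->expects($this->once())->method('getBadge')->with(PasswordUpgradeBadge::class)->willReturn(new PasswordUpgradeBadge('pa$$word'));
+// We should never "getBadge" for "UserBadge::class"
+
+$event = $this->createEvent($passport);
+
+$this->listener->onLoginSuccess($event);
+}
+
 public function testUpgradeWithUpgrader()
 {
 $passwordUpgrader = $this->createPasswordUpgrader();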