[Security] Make Login Rate Limiter also case insensitive for non-ascii user identifiers

Author: Seldaek

RateLimiter/DefaultLoginRateLimiter.php

@@ -39,9 +39,12 @@ public function __construct(RateLimiterFactory $globalFactory, RateLimiterFactor
 
     protected function getLimiters(Request $request): array
     {
+        $username = $request->attributes->get(Security::LAST_USERNAME);
+        $username = preg_match('//u', $username) ? mb_strtolower($username, 'UTF-8') : strtolower($username);
+
         return [
             $this->globalFactory->create($request->getClientIp()),
-            $this->localFactory->create(strtolower($request->attributes->get(Security::LAST_USERNAME)).'-'.$request->getClientIp()),
+            $this->localFactory->create($username.'-'.$request->getClientIp()),
         ];
     }
 }

composer.json

@@ -21,6 +21,7 @@
         "symfony/security-core": "^5.2",
         "symfony/http-foundation": "^5.2",
         "symfony/http-kernel": "^5.2",
+        "symfony/polyfill-mbstring": "~1.0",
         "symfony/polyfill-php80": "^1.15",
         "symfony/property-access": "^4.4|^5.0"
     },