limited the maximum length of a submitted username

fabpot · fabpot · commit 3e460b4021bf · 2016-05-09T13:29:33.000-05:00
diff --git a/Firewall/UsernamePasswordFormAuthenticationListener.php b/Firewall/UsernamePasswordFormAuthenticationListener.php
@@ -20,6 +20,7 @@
 use Symfony\Component\Security\Http\HttpUtils;
 use Symfony\Component\Security\Core\Authentication\AuthenticationManagerInterface;
 use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken;
+use Symfony\Component\Security\Core\Exception\BadCredentialsException;
 use Symfony\Component\Security\Core\Exception\InvalidCsrfTokenException;
 use Symfony\Component\Security\Core\SecurityContextInterface;
 use Symfony\Component\EventDispatcher\EventDispatcherInterface;
@@ -83,6 +84,10 @@ protected function attemptAuthentication(Request $request)
             $password = $request->get($this->options['password_parameter'], null, true);
         }
 
+        if (strlen($username) > SecurityContextInterface::MAX_USERNAME_LENGTH) {
+            throw new BadCredentialsException('Invalid username.');
+        }
+
         $request->getSession()->set(SecurityContextInterface::LAST_USERNAME, $username);
 
         return $this->authenticationManager->authenticate(new UsernamePasswordToken($username, $password, $this->providerKey));
