
Commit a86e6a1

committed
Merge branch '2.8' into 3.0
* 2.8: limited the maximum length of a submitted username
2 parents 93431d2 + 0f0a6d5 commit a86e6a1


2 files changed

+10
-0
lines changed


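--- a/Firewall/SimpleFormAuthenticationListener.php
+++ b/Firewall/SimpleFormAuthenticationListener.php
@@ -21,6 +21,7 @@
 use Symfony\Component\Security\Core\Authentication\AuthenticationManagerInterface;
 use Symfony\Component\Security\Http\Authentication\SimpleFormAuthenticatorInterface;
 use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;
+use Symfony\Component\Security\Core\Exception\BadCredentialsException;
 use Symfony\Component\Security\Core\Security;
 use Symfony\Component\Security\Http\HttpUtils;
 use Symfony\Component\Security\Http\ParameterBagUtils;
@@ -107,6 +108,10 @@ protected function attemptAuthentication(Request $request)
             $password = ParameterBagUtils::getRequestParameterValue($request, $this->options['password_parameter']);
         }
 
+        if (strlen($username) > Security::MAX_USERNAME_LENGTH) {
+            throw new BadCredentialsException('Invalid username.');
+        }
+
         $request->getSession()->set(Security::LAST_USERNAME, $username);
 
         $token = $this->simpleAuthenticator->createToken($request, $username, $password, $this->providerKey);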
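Review bot: The new length guard in attemptAuthentication only bounds string values: `strlen()` on a non-string `$username` (for instance an array submitted as `_username[]`, if ParameterBagUtils::getRequestParameterValue passes such values through — not visible here) yields a warning and `null` on PHP 5/7, so the comparison is false and the oversized or malformed value still reaches the session write and createToken on the lines below. Tightening the guard to `if (!is_string($username) || strlen($username) > Security::MAX_USERNAME_LENGTH) {` closes that path; note it would also reject a missing parameter (`null`), which is presumably acceptable for a login attempt but should be confirmed against existing tests. Since `strlen` is byte-wise rather than character-wise, a one-line comment such as `// Byte length is intentional: bound the input size before it hits the session or the user provider.` would stop a future reviewer from "fixing" it to mb_strlen. The body of attemptAuthentication starts and ends outside the hunk.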

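--- a/Firewall/UsernamePasswordFormAuthenticationListener.php
+++ b/Firewall/UsernamePasswordFormAuthenticationListener.php
@@ -23,6 +23,7 @@
 use Symfony\Component\Security\Core\Authentication\AuthenticationManagerInterface;
 use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;
 use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken;
+use Symfony\Component\Security\Core\Exception\BadCredentialsException;
 use Symfony\Component\Security\Core\Exception\InvalidCsrfTokenException;
 use Symfony\Component\Security\Core\Security;
 use Symfony\Component\EventDispatcher\EventDispatcherInterface;
@@ -83,6 +84,10 @@ protected function attemptAuthentication(Request $request)
             $password = ParameterBagUtils::getRequestParameterValue($request, $this->options['password_parameter']);
         }
 
+        if (strlen($username) > Security::MAX_USERNAME_LENGTH) {
+            throw new BadCredentialsException('Invalid username.');
+        }
+
         $request->getSession()->set(Security::LAST_USERNAME, $username);
 
         return $this->authenticationManager->authenticate(new UsernamePasswordToken($username, $password, $this->providerKey));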
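Review bot: The guard added to attemptAuthentication is a verbatim copy of the one added to SimpleFormAuthenticationListener in the same commit, and both listeners appear to share the same parameter-extraction shape; a single protected helper on their common base (if they have one — not visible in this hunk), e.g. `protected function checkUsernameLength($username)` that throws the BadCredentialsException, would keep the limit and the message in one place when either changes. Whatever the placement, the check should also reject non-string input, since `strlen()` on an array or other non-string value does not trip the comparison on PHP 5/7 and the value then flows into UsernamePasswordToken on the last line of the hunk; `if (!is_string($username) || strlen($username) > Security::MAX_USERNAME_LENGTH) {` covers both cases. It is also worth a short comment that the byte-wise `strlen` is deliberate, e.g. `// Deliberately byte-based: this is a size bound, not a character-count rule.`. The enclosing method begins before the hunk.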
