[Security] Ignore empty username or password login attempts

llupa · chalasr · commit a8c6e8cab3d2 · 2024-03-05T21:48:24.000+01:00
diff --git a/Authenticator/FormLoginAuthenticator.php b/Authenticator/FormLoginAuthenticator.php
@@ -129,12 +129,20 @@ private function getCredentials(Request $request): array
 
         $credentials['username'] = trim($credentials['username']);
 
+        if ('' === $credentials['username']) {
+            throw new BadRequestHttpException(sprintf('The key "%s" must be a non-empty string.', $this->options['username_parameter']));
+        }
+
         $request->getSession()->set(SecurityRequestAttributes::LAST_USERNAME, $credentials['username']);
 
         if (!\is_string($credentials['password']) && (!\is_object($credentials['password']) || !method_exists($credentials['password'], '__toString'))) {
             throw new BadRequestHttpException(sprintf('The key "%s" must be a string, "%s" given.', $this->options['password_parameter'], \gettype($credentials['password'])));
         }
 
+        if ('' === (string) $credentials['password']) {
+            throw new BadRequestHttpException(sprintf('The key "%s" must be a non-empty string.', $this->options['password_parameter']));
+        }
+
         return $credentials;
     }
 
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -6,6 +6,7 @@ CHANGELOG
 
  * Add `#[IsCsrfTokenValid]` attribute
  * Add CAS 2.0 access token handler
+ * Make empty username or empty password on form login attempts return Bad Request (400)
 
 7.0
 ---
diff --git a/Tests/Authenticator/FormLoginAuthenticatorTest.php b/Tests/Authenticator/FormLoginAuthenticatorTest.php
@@ -42,6 +42,30 @@ protected function setUp(): void
         $this->failureHandler = $this->createMock(AuthenticationFailureHandlerInterface::class);
     }
 
+    public function testHandleWhenUsernameEmpty()
+    {
+        $this->expectException(BadRequestHttpException::class);
+        $this->expectExceptionMessage('The key "_username" must be a non-empty string.');
+
+        $request = Request::create('/login_check', 'POST', ['_username' => '', '_password' => 's$cr$t']);
+        $request->setSession($this->createSession());
+
+        $this->setUpAuthenticator();
+        $this->authenticator->authenticate($request);
+    }
+
+    public function testHandleWhenPasswordEmpty()
+    {
+        $this->expectException(BadRequestHttpException::class);
+        $this->expectExceptionMessage('The key "_password" must be a non-empty string.');
+
+        $request = Request::create('/login_check', 'POST', ['_username' => 'foo', '_password' => '']);
+        $request->setSession($this->createSession());
+
+        $this->setUpAuthenticator();
+        $this->authenticator->authenticate($request);
+    }
+
     /**
      * @dataProvider provideUsernamesForLength
      */
